Allow tenant operators to access tenant pipeline operations

author: Bjørn Christian Seime <bjorncs@oath.com> 2018-02-14 18:48:56 +0100
committer: Bjørn Christian Seime <bjorncs@oath.com> 2018-02-14 18:48:56 +0100
commit: c7d690960c534e8ccc634263440d4256e1f9c92e (patch)
tree: 7e721b9ff6ee0c3a914142313418be7b8821c7e9 /controller-server
parent: 46c602ba9037bc094b1365fec5ee3caa0918074d (diff)
2 files changed, 7 insertions, 1 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationInstanceAuthorizer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationInstanceAuthorizer.java
index 283d700c2bd..2deef474f7c 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationInstanceAuthorizer.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationInstanceAuthorizer.java
@@ -5,6 +5,7 @@ import com.yahoo.config.application.api.DeploymentSpec;
 import com.yahoo.config.provision.ApplicationName;
 import com.yahoo.config.provision.Environment;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzPrincipal;
 import com.yahoo.vespa.hosted.controller.api.Tenant;
 import com.yahoo.vespa.hosted.controller.api.application.v4.model.TenantType;
@@ -45,6 +46,7 @@ public class ApplicationInstanceAuthorizer {
                                     Tenant tenant,
                                     ApplicationName application) {
         AthenzDomain principalDomain = principal.getDomain();
+        if (isHostedOperator(principal.getIdentity())) return;
 
         if (!principalDomain.equals(SCREWDRIVER_DOMAIN)) {
             throw loggedForbiddenException(
@@ -112,6 +114,11 @@ public class ApplicationInstanceAuthorizer {
         return new NotAuthorizedException(formattedMessage);
     }
 
+    private boolean isHostedOperator(AthenzIdentity identity) {
+        return athenzClientFactory.createZmsClientWithServicePrincipal()
+                .hasHostedOperatorAccess(identity);
+    }
+
     private boolean hasDeployAccessToAthenzApplication(AthenzPrincipal principal, AthenzDomain domain, ApplicationName application) {
         try {
             return athenzClientFactory.createZmsClientWithServicePrincipal()
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
index 69bf8dcfa69..8a62732ee31 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
@@ -154,7 +154,6 @@ public class ControllerAuthorizationFilter implements SecurityRequestFilter {
     private void verifyIsTenantPipelineOperator(AthenzPrincipal principal,
                                                 TenantId tenantId,
                                                 ApplicationName applicationName) {
-        if (isHostedOperator(principal.getIdentity())) return;
         controller.tenants().tenant(tenantId)
                 .ifPresent(tenant -> applicationInstanceAuthorizer.throwIfUnauthorized(principal, tenant, applicationName));
     }
author	Bjørn Christian Seime <bjorncs@oath.com>	2018-02-14 18:48:56 +0100
committer	Bjørn Christian Seime <bjorncs@oath.com>	2018-02-14 18:48:56 +0100
commit	c7d690960c534e8ccc634263440d4256e1f9c92e (patch)
tree	7e721b9ff6ee0c3a914142313418be7b8821c7e9 /controller-server
parent	46c602ba9037bc094b1365fec5ee3caa0918074d (diff)