author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-02-14 18:48:56 +0100 |
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-02-14 18:48:56 +0100 |
commit | c7d690960c534e8ccc634263440d4256e1f9c92e (patch) | |
tree | 7e721b9ff6ee0c3a914142313418be7b8821c7e9 /controller-server | |
parent | 46c602ba9037bc094b1365fec5ee3caa0918074d (diff) |
Allow tenant operators to access tenant pipeline operations
Diffstat (limited to 'controller-server')
2 files changed, 7 insertions, 1 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationInstanceAuthorizer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationInstanceAuthorizer.java
index 283d700c2bd..2deef474f7c 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationInstanceAuthorizer.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationInstanceAuthorizer.java
@@ -5,6 +5,7 @@ import com.yahoo.config.application.api.DeploymentSpec;
 import com.yahoo.config.provision.ApplicationName;
 import com.yahoo.config.provision.Environment;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzPrincipal;
 import com.yahoo.vespa.hosted.controller.api.Tenant;
 import com.yahoo.vespa.hosted.controller.api.application.v4.model.TenantType;
@@ -45,6 +46,7 @@ public class ApplicationInstanceAuthorizer {
                                     Tenant tenant,
                                     ApplicationName application) {
         AthenzDomain principalDomain = principal.getDomain();
+        if (isHostedOperator(principal.getIdentity())) return;
 
         if (!principalDomain.equals(SCREWDRIVER_DOMAIN)) {
             throw loggedForbiddenException(
@@ -112,6 +114,11 @@ public class ApplicationInstanceAuthorizer {
         return new NotAuthorizedException(formattedMessage);
     }
 
+    private boolean isHostedOperator(AthenzIdentity identity) {
+        return athenzClientFactory.createZmsClientWithServicePrincipal()
+                .hasHostedOperatorAccess(identity);
+    }
+
     private boolean hasDeployAccessToAthenzApplication(AthenzPrincipal principal, AthenzDomain domain, ApplicationName application) {
         try {
             return athenzClientFactory.createZmsClientWithServicePrincipal()
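Review bot: `isHostedOperator` in the third hunk performs a remote ZMS lookup with no error handling, whereas the sibling `hasDeployAccessToAthenzApplication` directly below wraps the same `createZmsClientWithServicePrincipal()` call in a `try`; a ZMS failure would therefore escape `throwIfUnauthorized` as an unhandled exception rather than whatever controlled path the sibling's catch presumably maps to, so the new helper should catch the same exception type and treat it as "not an operator" (fail closed). In the second hunk the early return is also evaluated before the cheap local `SCREWDRIVER_DOMAIN` comparison, so every pipeline authorization now costs a ZMS round trip even for ordinary pipeline principals; if that ordering is intentional, a comment such as `// Hosted operators bypass all tenant-level pipeline checks (moved here from ControllerAuthorizationFilter); checked first because the domain check below would reject them` would make the intent explicit. The body of `throwIfUnauthorized` starts before and continues past the second hunk.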
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
index 69bf8dcfa69..8a62732ee31 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
@@ -154,7 +154,6 @@ public class ControllerAuthorizationFilter implements SecurityRequestFilter {
     private void verifyIsTenantPipelineOperator(AthenzPrincipal principal,
                                                 TenantId tenantId,
                                                 ApplicationName applicationName) {
-        if (isHostedOperator(principal.getIdentity())) return;
         controller.tenants().tenant(tenantId)
                 .ifPresent(tenant -> applicationInstanceAuthorizer.throwIfUnauthorized(principal, tenant, applicationName));
     }
|