Add supporter role

author: toby <smorgrav@yahoo-inc.com> 2020-02-12 11:14:15 +0100
committer: toby <smorgrav@yahoo-inc.com> 2020-02-12 11:14:15 +0100
commit: d5bb58ac36d629e208b5234c56053f970bdcc384 (patch)
tree: 5ef3a4d99a4cb9b037808d06f6913214f81aa26b /controller-server
parent: bd386dd1642ffe2ef4cdb108f9f7c1a2c27b7ff9 (diff)
4 files changed, 20 insertions, 3 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
index 7ace62ab44d..628d7f48c85 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
@@ -215,6 +215,10 @@ public class AthenzFacade implements AccessControl {
         return hasAccess("modify", service.getDomain().getName() + ":hosted-vespa", identity);
     }
 
+    public boolean hasHostedSupporterAccess(AthenzIdentity identity) {
+        return hasAccess("read", service.getDomain().getName() + ":hosted-vespa", identity);
+    }
+
     public boolean canLaunch(AthenzIdentity principal, AthenzService service) {
         return hasAccess("launch", service.getDomain().getName() + ":service."+service.getName(), principal);
     }
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index 1aaecb58a8d..ba974521278 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -87,6 +87,9 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
         if (athenz.hasHostedOperatorAccess(identity))
             roleMemberships.add(Role.hostedOperator());
 
+        if (athenz.hasHostedSupporterAccess(identity))
+            roleMemberships.add(Role.hostedSupporter());
+
         // Add all tenants that are accessible for this request
         athenz.accessibleTenants(tenants.asList(), new Credentials(principal))
                 .forEach(accessibleTenant -> roleMemberships.add(Role.athenzTenantAdmin(accessibleTenant.name())));
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java
index 82b97a5b144..bef27f7a2f5 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java
@@ -73,13 +73,13 @@ public class AthenzRoleFilterTest {
     public void testTranslations() {
 
         // Hosted operators are always members of the hostedOperator role.
-        assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner()),
+        assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner(), Role.hostedSupporter()),
                      filter.roles(HOSTED_OPERATOR, NO_CONTEXT_PATH));
 
-        assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner()),
+        assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner(), Role.hostedSupporter()),
                      filter.roles(HOSTED_OPERATOR, TENANT_CONTEXT_PATH));
 
-        assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner()),
+        assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner(), Role.hostedSupporter()),
                      filter.roles(HOSTED_OPERATOR, APPLICATION_CONTEXT_PATH));
 
         // Tenant admins are members of the athenzTenantAdmin role within their tenant subtree.
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilterTest.java
index a5520b42459..c95691fc120 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilterTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilterTest.java
@@ -43,6 +43,16 @@ public class ControllerAuthorizationFilterTest {
     }
 
     @Test
+    public void supporter() {
+        ControllerTester tester = new ControllerTester();
+        SecurityContext securityContext = new SecurityContext(() -> "operator", Set.of(Role.hostedSupporter()));
+        ControllerAuthorizationFilter filter = createFilter(tester);
+
+        assertIsForbidden(invokeFilter(filter, createRequest(Method.POST, "/zone/v2/path", securityContext)));
+        assertIsAllowed(invokeFilter(filter, createRequest(Method.GET, "/zone/v1/path", securityContext)));
+    }
+
+    @Test
     public void unprivileged() {
         ControllerTester tester = new ControllerTester();
         SecurityContext securityContext = new SecurityContext(() -> "user", Set.of(Role.everyone()));
author	toby <smorgrav@yahoo-inc.com>	2020-02-12 11:14:15 +0100
committer	toby <smorgrav@yahoo-inc.com>	2020-02-12 11:14:15 +0100
commit	d5bb58ac36d629e208b5234c56053f970bdcc384 (patch)
tree	5ef3a4d99a4cb9b037808d06f6913214f81aa26b /controller-server
parent	bd386dd1642ffe2ef4cdb108f9f7c1a2c27b7ff9 (diff)