authorMartin Polden <mpolden@mpolden.no>2018-10-29 13:20:02 +0100
committerMartin Polden <mpolden@mpolden.no>2018-10-29 13:20:02 +0100
commit91cb85833ef8b1f56a316e9897a6541761308dd4 (patch)
treeb14bc234d5ed98ecdecaa2613cb3b978e6eb8c5d /controller-server
parentae1ad405b39b02b7df92d2421ef19f73d651d0f5 (diff)
Allow controller host to access orchestrator API
Diffstat (limited to 'controller-server')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java3
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilterTest.java16
2 files changed, 17 insertions, 2 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
index 59847437339..b9f91a35790 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
@@ -123,7 +123,8 @@ public class ControllerAuthorizationFilter extends CorsRequestFilterBase {
path.matches("/screwdriver/v1/trigger/tenant/{*}") ||
path.matches("/os/v1/{*}") ||
path.matches("/zone/v2/{*}") ||
- path.matches("/nodes/v2/{*}");
+ path.matches("/nodes/v2/{*}") ||
+ path.matches("/orchestrator/v1/{*}");
}
private static boolean isTenantAdminOperation(Path path, Method method) {
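Review bot: The new `path.matches("/orchestrator/v1/{*}")` entry grants every HTTP method under that prefix to whoever satisfies this predicate, and nothing in the method explains why the orchestrator API now belongs in this group; the only motivation is the commit title and a comment in the test. A trailing comment on the new line would keep that knowledge next to the grant, e.g. `// controller hosts are registered as operators and need the orchestrator API (suspend/resume) — see commit "Allow controller host to access orchestrator API"`, hedged as needed since the controller-host relationship is inferred from the test, not this file. If only the host suspend/resume endpoints are needed, a narrower pattern than `{*}` would reduce what this role can reach, but whether that suffices is not visible from the hunk. The enclosing method's signature is outside the hunk.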
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilterTest.java
index c3b9c11de88..22a527bf3d3 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilterTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilterTest.java
@@ -127,6 +127,18 @@ public class ControllerAuthorizationFilterTest {
}
+ @Test
+ public void operator_can_access_controller_node_management_paths() {
+ ControllerTester controllerTester = new ControllerTester();
+ controllerTester.athenzDb().hostedOperators.add(HOSTED_OPERATOR); // Controller host has same access as operators
+ ControllerAuthorizationFilter filter = createFilter(controllerTester);
+ List<AthenzIdentity> allowed = singletonList(HOSTED_OPERATOR);
+ List<AthenzIdentity> forbidden = singletonList(USER);
+
+ testApiAccess(PUT, "/nodes/v2/state/ready/controller-1", allowed, forbidden, filter);
+ testApiAccess(DELETE, "/orchestrator/v1/hosts/controller-1/suspended", allowed, forbidden, filter);
+ }
+
private static void testApiAccess(Method method,
String path,
List<? extends AthenzIdentity> allowedIdentities,
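Review bot: The new test registers `HOSTED_OPERATOR` as a hosted operator and asserts that identity can reach the two paths, so it verifies the operator grant rather than a controller-host identity; if the controller host is authorized purely by being in `hostedOperators` (as the inline comment claims), that is sufficient, but any separate controller-host check in the filter would be untested here. The method name `operator_can_access_controller_node_management_paths` also undersells the second assertion, which targets an orchestrator path; renaming it `operator_can_access_controller_node_management_and_orchestrator_paths` or adding a one-line Javadoc stating that both the nodes and orchestrator APIs must be reachable would make the intent clear. Since the filter grants `{*}` on both prefixes, a `GET` case alongside `PUT`/`DELETE` would document that the grant is method-agnostic. testApiAccess's signature continues past the hunk.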
@@ -139,7 +151,9 @@ public class ControllerAuthorizationFilterTest {
}
private static void assertIsAllowed(Optional<AuthorizationResponse> response) {
- assertFalse("Expected no response from filter", response.isPresent());
+ assertFalse("Expected no response from filter, but got \"" +
+ response.map(r -> r.message + "\" (" + r.statusCode + ")").orElse(""),
+ response.isPresent());
}
private static void assertIsForbidden(Optional<AuthorizationResponse> response) {