summaryrefslogtreecommitdiffstats
path: root/controller-server
diff options
context:
space:
mode:
authorBjørn Christian Seime <bjorncs@verizonmedia.com>2019-11-08 14:22:13 +0100
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2019-11-08 14:22:13 +0100
commit0d0e4c109ab23e9db7185ffe690dcab325ac072a (patch)
treebeb83743ea810f4d9eab72ea0be4f13f35e0ecea /controller-server
parent1e44092efcff240afc7c57948dd1d4bad28a2a04 (diff)
Define access control '/system-flags/v1' dry-run
Diffstat (limited to 'controller-server')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java4
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java6
2 files changed, 7 insertions, 3 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
index 8f84845a94b..bb6777b9e27 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
@@ -208,8 +208,8 @@ public class AthenzFacade implements AccessControl {
return hasAccess("launch", service.getDomain().getName() + ":service."+service.getName(), principal);
}
- public boolean hasSystemFlagsDeployAccess(AthenzIdentity identity) {
- return hasAccess("deploy", new AthenzResourceName(service.getDomain(), "system-flags").toResourceNameString(), identity);
+ public boolean hasSystemFlagsAccess(AthenzIdentity identity, boolean dryRun) {
+ return hasAccess(dryRun ? "dryrun" : "deploy", new AthenzResourceName(service.getDomain(), "system-flags").toResourceNameString(), identity);
}
/**
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index 2a75c7953ca..56b2de33478 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -101,10 +101,14 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
&& instance.get().value().equals(principal.getIdentity().getName()))
roleMemberships.add(Role.athenzUser(tenant.get().name(), application.get(), instance.get()));
- if (athenz.hasSystemFlagsDeployAccess(identity)) {
+ if (athenz.hasSystemFlagsAccess(identity, /*dryrun*/false)) {
roleMemberships.add(Role.systemFlagsDeployer());
}
+ if (athenz.hasSystemFlagsAccess(identity, /*dryrun*/true)) {
+ roleMemberships.add(Role.systemFlagsDryrunner());
+ }
+
return roleMemberships.isEmpty()
? Set.of(Role.everyone())
: Set.copyOf(roleMemberships);