diff options
author | Morten Tokle <mortent@verizonmedia.com> | 2019-11-07 11:04:02 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-11-07 11:04:02 +0100 |
commit | 69a07cb8c5fe7bd3a07a7364a52c908f5391541b (patch) | |
tree | 8ffa71653c79cc412c30bee684f22aebb27d92ab /controller-server | |
parent | d84e2e754567a962550656bd6a04b4411aa6ff47 (diff) | |
parent | 7bc93e3cdeb2a04f792acf27c4b2328daf2e49fc (diff) |
Merge pull request #11228 from vespa-engine/jvenstad/require-athenz-user-identity-for-dev-deployments
Only give the instance deployer role to athenz users
Diffstat (limited to 'controller-server')
-rw-r--r-- | controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java index 8ee95675465..ea49e8bc113 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java @@ -11,6 +11,7 @@ import com.yahoo.restapi.Path; import com.yahoo.vespa.athenz.api.AthenzDomain; import com.yahoo.vespa.athenz.api.AthenzIdentity; import com.yahoo.vespa.athenz.api.AthenzPrincipal; +import com.yahoo.vespa.athenz.api.AthenzUser; import com.yahoo.vespa.athenz.client.zms.ZmsClientException; import com.yahoo.vespa.hosted.controller.Controller; import com.yahoo.vespa.hosted.controller.TenantController; @@ -96,6 +97,7 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase { roleMemberships.add(Role.tenantPipeline(tenant.get().name(), application.get())); if ( tenant.isPresent() && application.isPresent() && instance.isPresent() + && principal.getIdentity() instanceof AthenzUser && instance.get().value().equals(principal.getIdentity().getName())) roleMemberships.add(Role.athenzUser(tenant.get().name(), application.get(), instance.get())); |