authorBjørn Christian Seime <bjorncs@verizonmedia.com>2019-11-14 12:38:24 +0100
committerGitHub <noreply@github.com>2019-11-14 12:38:24 +0100
commite2c0bfab328851a177c1ea4042a7fc9d79714979 (patch)
tree9d27513c5f5c61ccf81990679a4b28979ad4ee68 /controller-server
parentbf057fb22f9c917d616031a0cd32597b315bb803 (diff)
parent0d0e4c109ab23e9db7185ffe690dcab325ac072a (diff)
Merge pull request #11257 from vespa-engine/bjorncs/system-flags-access-control-dryrun
Define access control '/system-flags/v1' dry-run
Diffstat (limited to 'controller-server')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java4
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java6
2 files changed, 7 insertions, 3 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
index 8f84845a94b..bb6777b9e27 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
@@ -208,8 +208,8 @@ public class AthenzFacade implements AccessControl {
return hasAccess("launch", service.getDomain().getName() + ":service."+service.getName(), principal);
}
- public boolean hasSystemFlagsDeployAccess(AthenzIdentity identity) {
- return hasAccess("deploy", new AthenzResourceName(service.getDomain(), "system-flags").toResourceNameString(), identity);
+ public boolean hasSystemFlagsAccess(AthenzIdentity identity, boolean dryRun) {
+ return hasAccess(dryRun ? "dryrun" : "deploy", new AthenzResourceName(service.getDomain(), "system-flags").toResourceNameString(), identity);
}
/**
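Review bot: `hasSystemFlagsAccess` now decides between two distinct Athenz actions on the same resource, but the new signature carries no Javadoc, so a caller has to read the body to learn what `dryRun` selects. I would document it: `/** Returns whether {@code identity} may act on the system-flags resource: the "dryrun" Athenz action when {@code dryRun} is true, the "deploy" action otherwise. */`. The bare boolean parameter is also a point of style — both call sites already annotate it with a `/*dryrun*/` comment, which is a sign an enum (or two named methods) would read better than a flag; that is optional. The enclosing class continues outside the hunk.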
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index 2a75c7953ca..56b2de33478 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -101,10 +101,14 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
&& instance.get().value().equals(principal.getIdentity().getName()))
roleMemberships.add(Role.athenzUser(tenant.get().name(), application.get(), instance.get()));
- if (athenz.hasSystemFlagsDeployAccess(identity)) {
+ if (athenz.hasSystemFlagsAccess(identity, /*dryrun*/false)) {
roleMemberships.add(Role.systemFlagsDeployer());
}
+ if (athenz.hasSystemFlagsAccess(identity, /*dryrun*/true)) {
+ roleMemberships.add(Role.systemFlagsDryrunner());
+ }
+
return roleMemberships.isEmpty()
? Set.of(Role.everyone())
: Set.copyOf(roleMemberships);
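Review bot: The two added checks are independent, so a principal granted "deploy" but not "dryrun" in Athenz ends up with `Role.systemFlagsDeployer()` only and would presumably be denied a dry run; whether deploy access is meant to imply dry-run access is a policy question the code leaves implicit. If the roles are intentionally granted separately, a one-line comment above the first check would prevent a later reader from "fixing" it, e.g. `// deployer and dryrunner are separate Athenz actions; neither implies the other`. Each check is also a separate authorization lookup per request, which is fine at this volume but worth knowing if the filter is on a hot path. The enclosing method begins outside the hunk.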