2 files changed, 4 insertions, 1 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index 3a42c0c6535..317229f9e9a 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -165,6 +165,8 @@ public class AthenzAccessControlService implements AccessControlService {
 private AthenzAssertion getApprovalAssertion(AthenzRole accessRole) {
 var approverRole = new AthenzRole(accessRole.domain(), "vespa-access-approver");
- return AthenzAssertion.newBuilder(approverRole, accessRole.toResourceName(), "update_members").build();
+ return AthenzAssertion.newBuilder(approverRole, accessRole.toResourceName(), "update_members")
+ .effect(AthenzAssertion.Effect.ALLOW)
+ .build();
 }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAssertion.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAssertion.java
index cf6f40155fc..49cc31fe8c2 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAssertion.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAssertion.java
@@ -39,6 +39,7 @@ public class AthenzAssertion {
 public boolean satisfies(AthenzAssertion other) {
 return role.equals(other.role()) &&
 action.equals(other.action()) &&
+ effect().equals(other.effect()) &&
 resource.equals(other.resource());
 } |
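Review bot: The `.effect(AthenzAssertion.Effect.ALLOW)` call added to `getApprovalAssertion` carries no comment saying why the effect is now spelled out, and the reason sits in another file: `AthenzAssertion.satisfies()` compares the effect as of this commit. A one-line comment above the return, such as `// Explicit effect: AthenzAssertion.satisfies() also compares the effect.`, would keep a later cleanup from dropping the call and silently changing which policy assertions count as the approval grant. Other call sites that build an expected assertion with `newBuilder(...)` and no effect are outside this diff and presumably need the same review.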
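Review bot: The added `effect().equals(other.effect())` clause in `satisfies()` leaves the unset-effect case undocumented, so an assertion with no effect may now differ from one with an explicit ALLOW. The return type of `effect()` is not visible in this hunk; if it is an `Optional` and an absent effect is meant to read as ALLOW (the Athenz default, as far as I know), comparing normalised values such as `effect().orElse(Effect.ALLOW)` on both sides would avoid false mismatches against assertions that arrive without the field. Because this method decides whether an expected policy assertion is present, a unit test pinning that an otherwise identical DENY assertion does not satisfy an ALLOW one would guard the fix; the diffstat shows only the two main-source files changed.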