5 files changed, 16 insertions, 5 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/Roles.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/Roles.java index 578f516f01e..a0c73fa7ff8 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/Roles.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/Roles.java @@ -36,6 +36,7 @@ public class Roles { String[] parts = value.split("\\."); if (parts.length == 1 && parts[0].equals("hostedOperator")) return Role.hostedOperator(); if (parts.length == 1 && parts[0].equals("hostedSupporter")) return Role.hostedSupporter(); + if (parts.length == 1 && parts[0].equals("hostedAccountant")) return Role.hostedAccountant(); if (parts.length == 2) return toRole(TenantName.from(parts[0]), parts[1]); if (parts.length == 3) return toRole(TenantName.from(parts[0]), ApplicationName.from(parts[1]), parts[2]); throw new IllegalArgumentException("Malformed or illegal role value '" + value + "'."); diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java index 0316803558b..baa5a093eed 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java @@ -219,8 +219,8 @@ enum PathGroup { /** Paths used for receiving payment callbacks */ paymentProcessor(PathPrefix.none, "/payment/notification"), - /** Invoice management */ - invoiceManagement(PathPrefix.none, "/billing/v1/invoice/{*}"); + /** Paths used for invoice management */ + hostedAccountant(PathPrefix.api, "/billing/v1/invoice/{*}"); final List<String> pathSpecs; 
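Review bot: The replacement line for the invoice path group changes `PathPrefix.none` to `PathPrefix.api` together with the rename to `hostedAccountant`, and neither the Javadoc nor anything visible in the commit says why. Because the operator and supporter exclusion in Policy.java is keyed on this group, it is worth confirming that every URL form under which `/billing/v1/invoice/{*}` is served still resolves to it. PathPrefix's matching rules are not visible here, so this is a question rather than a finding. I would also record the access intent on the constant, e.g. `/** Paths used for invoice management; granted only through Policy.hostedAccountant */`. The enum body starts and ends outside the hunk.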
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java index 0afa0668a00..bc61ec6d97d 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java @@ -22,12 +22,12 @@ enum Policy { /** Full access to everything. */ operator(Privilege.grant(Action.all()) - .on(PathGroup.all()) + .on(PathGroup.allExcept(PathGroup.hostedAccountant)) .in(SystemName.all())), /** Full access to everything. */ supporter(Privilege.grant(Action.read) - .on(PathGroup.all()) + .on(PathGroup.allExcept(PathGroup.hostedAccountant)) .in(SystemName.all())), /** Full access to user management for a tenant in select systems. */ @@ -167,6 +167,11 @@ enum Policy { /** Read the generated bills */ billingInformationRead(Privilege.grant(Action.read) .on(PathGroup.billingList) + .in(SystemName.PublicCd)), + + /** Invoice management */ + hostedAccountant(Privilege.grant(Action.all()) + .on(PathGroup.hostedAccountant) .in(SystemName.PublicCd)); private final Set<Privilege> privileges; diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java index d3c5e412215..90350de5dbd 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java 
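Review bot: Both Javadoc lines reading `/** Full access to everything. */` are now inaccurate: the new `.on(PathGroup.allExcept(PathGroup.hostedAccountant))` removes the invoice paths from operator and supporter, and supporter grants only `Action.read`. Suggest `/** Full access to everything except invoice management. */` on operator and `/** Read access to everything except invoice management. */` on supporter, so the separation of duties is visible where the policy is defined. All five files in this commit are under src/main, so a test asserting that an operator role is refused and a hostedAccountant role is allowed on an invoice path would keep the exclusion from regressing silently.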
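Review bot: The new `hostedAccountant` policy grants on the invoice paths only `.in(SystemName.PublicCd)`, while the first hunk of this file removes those paths from operator and supporter `.in(SystemName.all())`. As far as the visible policies show, that leaves no role able to reach the invoice paths in any system other than PublicCd. If that is the intended rollout state, say so in the Javadoc, e.g. `/** Invoice management; only granted in PublicCd, operator and supporter are excluded from these paths in every system */`. `Action.all()` is also the widest grant available, so it is worth checking whether the accountant role needs every action or whether a narrower set would do. The enum continues outside the hunk.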
@@ -76,6 +76,9 @@ public abstract class Role { /** Returns the role of the payment processor */ public static UnboundRole paymentProcessor() { return new UnboundRole(RoleDefinition.paymentProcessor); } + /** Returns the role of the invoice manager */ + public static UnboundRole hostedAccountant() { return new UnboundRole(RoleDefinition.hostedAccountant); } + /** Returns the role definition of this bound role. */ public RoleDefinition definition() { return roleDefinition; } diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java index 438e79bcc4f..6467050d3f3 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java @@ -89,7 +89,9 @@ public enum RoleDefinition { systemFlagsDryrunner(Policy.systemFlagsDryrun), - paymentProcessor(Policy.paymentProcessor); + paymentProcessor(Policy.paymentProcessor), + + hostedAccountant(Policy.hostedAccountant); private final Set<RoleDefinition> parents; private final Set<Policy> policies; |