Diffstat (limited to 'controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java14
1 files changed, 7 insertions, 7 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index 2e4f3f16218..f761734aa13 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -116,27 +116,27 @@ public class AthenzAccessControlService implements AccessControlService {
).orElseThrow(() -> new UnsupportedOperationException("Only allowed in systems running Vespa Athenz instance"));
}
- public void setPreapprovedAccess(TenantName tenantName, boolean preapprovedAccess) {
+ public void setManagedAccess(TenantName tenantName, boolean managedAccess) {
vespaZmsClient.ifPresentOrElse(
zms -> {
var role = sshRole(tenantName);
var assertion = getApprovalAssertion(role);
- if (preapprovedAccess) {
- zms.addPolicyRule(role.domain(), ACCESS_APPROVAL_POLICY, assertion.action(), assertion.resource(), assertion.role());
- } else {
+ if (managedAccess) {
zms.deletePolicyRule(role.domain(), ACCESS_APPROVAL_POLICY, assertion.action(), assertion.resource(), assertion.role());
+ } else {
+ zms.addPolicyRule(role.domain(), ACCESS_APPROVAL_POLICY, assertion.action(), assertion.resource(), assertion.role());
}
},() -> { throw new UnsupportedOperationException("Only allowed in systems running Vespa Athenz instance"); });
}
- public boolean getPreapprovedAccess(TenantName tenantName) {
+ public boolean getManagedAccess(TenantName tenantName) {
return vespaZmsClient.map(
zms -> {
var role = sshRole(tenantName);
var approvalAssertion = getApprovalAssertion(role);
return zms.getPolicy(role.domain(), ACCESS_APPROVAL_POLICY)
- .map(policy -> policy.assertions().stream().anyMatch(assertion -> assertion.satisfies(approvalAssertion)))
- .orElse(false);
+ .map(policy -> policy.assertions().stream().noneMatch(assertion -> assertion.satisfies(approvalAssertion)))
+ .orElse(true);
}).orElseThrow(() -> new UnsupportedOperationException("Only allowed in systems running Vespa Athenz instance") );
}
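Review bot: The `managedAccess` flag introduced on `setManagedAccess` has the opposite sense of the `preapprovedAccess` flag it replaces — `true` now deletes the assertion from `ACCESS_APPROVAL_POLICY` and `false` adds it — yet neither renamed method carries Javadoc saying so, and a caller that was updated mechanically and still forwards its old boolean would silently switch a tenant from approval-required to pre-approved SSH access. Since the method is a public entry point that widens or narrows access, I would document the contract on both methods: `/** Sets whether SSH access for the tenant is managed (requires approval): {@code true} removes the pre-approval assertion from the access-approval policy, {@code false} adds it. */` on `setManagedAccess`, and `/** Returns {@code true} when the tenant's SSH role has no pre-approval assertion, including when the policy itself does not exist. */` on `getManagedAccess`. The `orElse(true)` in `getManagedAccess` is consistent with that inversion (a missing policy is reported as managed), but whether `deletePolicyRule` tolerates an already-absent rule when `setManagedAccess(tenant, true)` is called twice cannot be seen from this hunk and should be confirmed against the ZMS client. The class `AthenzAccessControlService` continues outside the hunk on both sides.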