Diffstat (limited to 'controller-api/src/main/java/com/yahoo/vespa/hosted')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java4
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java14
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java4
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java2
4 files changed, 12 insertions, 12 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
index f7876f9cddd..5d8fae5cf0a 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
@@ -20,7 +20,7 @@ public interface AccessControlService {
boolean decideSshAccess(TenantName tenantName, Instant expiry, OAuthCredentials oAuthCredentials, boolean approve);
boolean requestSshAccess(TenantName tenantName);
AthenzRoleInformation getAccessRoleInformation(TenantName tenantName);
- void setPreapprovedAccess(TenantName tenantName, boolean preapproved);
- boolean getPreapprovedAccess(TenantName tenantName);
+ void setManagedAccess(TenantName tenantName, boolean managedAccess);
+ boolean getManagedAccess(TenantName tenantName);
Collection<AthenzUser> listMembers();
}
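Review bot: The renamed methods at lines 23–24 invert the meaning of the boolean (in the Athenz implementation `getManagedAccess` is true exactly when no rule satisfying the approval assertion exists), but the interface carries no Javadoc saying what `true` means, so callers of `setManagedAccess`/`getManagedAccess` have to read the implementation to learn that `true` is the more restrictive state. Add a Javadoc on both methods, e.g. `/** True when access requests for this tenant require explicit approval; false when the tenant's pre-approval rule is in place. */`, and on the setter note that passing `true` removes the pre-approval rule. The interface body continues outside the hunk, so any class-level documentation of the policy name cannot be checked here.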
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index 2e4f3f16218..f761734aa13 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -116,27 +116,27 @@ public class AthenzAccessControlService implements AccessControlService {
).orElseThrow(() -> new UnsupportedOperationException("Only allowed in systems running Vespa Athenz instance"));
}
- public void setPreapprovedAccess(TenantName tenantName, boolean preapprovedAccess) {
+ public void setManagedAccess(TenantName tenantName, boolean managedAccess) {
vespaZmsClient.ifPresentOrElse(
zms -> {
var role = sshRole(tenantName);
var assertion = getApprovalAssertion(role);
- if (preapprovedAccess) {
- zms.addPolicyRule(role.domain(), ACCESS_APPROVAL_POLICY, assertion.action(), assertion.resource(), assertion.role());
- } else {
+ if (managedAccess) {
zms.deletePolicyRule(role.domain(), ACCESS_APPROVAL_POLICY, assertion.action(), assertion.resource(), assertion.role());
+ } else {
+ zms.addPolicyRule(role.domain(), ACCESS_APPROVAL_POLICY, assertion.action(), assertion.resource(), assertion.role());
}
},() -> { throw new UnsupportedOperationException("Only allowed in systems running Vespa Athenz instance"); });
}
- public boolean getPreapprovedAccess(TenantName tenantName) {
+ public boolean getManagedAccess(TenantName tenantName) {
return vespaZmsClient.map(
zms -> {
var role = sshRole(tenantName);
var approvalAssertion = getApprovalAssertion(role);
return zms.getPolicy(role.domain(), ACCESS_APPROVAL_POLICY)
- .map(policy -> policy.assertions().stream().anyMatch(assertion -> assertion.satisfies(approvalAssertion)))
- .orElse(false);
+ .map(policy -> policy.assertions().stream().noneMatch(assertion -> assertion.satisfies(approvalAssertion)))
+ .orElse(true);
}).orElseThrow(() -> new UnsupportedOperationException("Only allowed in systems running Vespa Athenz instance") );
}
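Review bot: `getManagedAccess` at lines 59–60 reports `true` when the `ACCESS_APPROVAL_POLICY` policy does not exist at all, while `setManagedAccess(tenant, true)` at lines 43–44 unconditionally calls `zms.deletePolicyRule` — whether the ZMS client tolerates deleting a rule from a missing policy is not visible in this hunk, so either guard the delete with the same `getPolicy` lookup or document that the call is idempotent. The inverted default is also non-obvious and deserves a comment on line 60 such as `// no policy at all means nothing is pre-approved, i.e. access is managed`. Neither method carries `@Override` although the interface declares them and `MockAccessControlService` does annotate its overrides; adding it here keeps a future interface rename from silently leaving a stale method behind. The enclosing class starts before and ends after this hunk.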
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
index 95ebe3380d4..c0e0f0baa5d 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
@@ -50,12 +50,12 @@ public class MockAccessControlService implements AccessControlService {
}
@Override
- public void setPreapprovedAccess(TenantName tenantName, boolean preapproved) {
+ public void setManagedAccess(TenantName tenantName, boolean managedAccess) {
}
@Override
- public boolean getPreapprovedAccess(TenantName tenant) {
+ public boolean getManagedAccess(TenantName tenant) {
return false;
}
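Review bot: `getManagedAccess` at line 76 still returns `false`, but since the boolean was inverted by this commit that now means every tenant in the mock is unmanaged (pre-approved), the opposite of what the old `getPreapprovedAccess` returning `false` expressed and the opposite of the Athenz implementation's default of `true` when no policy exists. Any test that relies on the mock's default therefore exercises the permissive path without saying so. Either flip it to `return true;` to match the real implementation's default, or back both methods with a per-tenant map so tests can set the state explicitly. The enclosing class continues outside the hunk.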
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index aca8425328d..30a086a59a0 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -242,7 +242,7 @@ enum PathGroup {
/** Paths used to approve requests to access tenant resources */
accessRequestApproval(Matcher.tenant, "/application/v4/tenant/{tenant}/access/approve/{*}",
- "/application/v4/tenant/{tenant}/access/preapprove/{*}");
+ "/application/v4/tenant/{tenant}/access/managed/{*}");
final List<String> pathSpecs;
final List<Matcher> matchers;