aboutsummaryrefslogtreecommitdiffstats
path: root/controller-api/src/main
diff options
context:
space:
mode:
Diffstat (limited to 'controller-api/src/main')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java6
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java11
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java3
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java4
4 files changed, 19 insertions, 5 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index 9db896bbb88..bf89d072b75 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -181,7 +181,11 @@ enum PathGroup {
"/zone/v1/{*}"),
/** Paths used for deploying system-wide feature flags. */
- systemFlags("/system-flags/v1/{*}");
+ systemFlagsDeploy("/system-flags/v1/deploy"),
+
+
+ /** Paths used for "dry-running" system-wide feature flags. */
+ systemFlagsDryrun("/system-flags/v1/dryrun");
final List<String> pathSpecs;
final String prefix;
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index 51f29626acf..074d3ef7e95 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
@@ -123,9 +123,14 @@ enum Policy {
.on(PathGroup.publicInfo)
.in(SystemName.all())),
- /** Access to /system-flags/v1. */
- systemFlagsDeployment(Privilege.grant(Action.all())
- .on(PathGroup.systemFlags)
+ /** Access to /system-flags/v1/deploy. */
+ systemFlagsDeploy(Privilege.grant(Action.update)
+ .on(PathGroup.systemFlagsDeploy)
+ .in(SystemName.all())),
+
+ /** Access to /system-flags/v1/dryrun. */
+ systemFlagsDryrun(Privilege.grant(Action.update)
+ .on(PathGroup.systemFlagsDryrun)
.in(SystemName.all()));
private final Set<Privilege> privileges;
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
index e1497bd686e..b53cf9162e7 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
@@ -111,6 +111,9 @@ public abstract class Role {
/** Returns the role for system flag deployer */
public static UnboundRole systemFlagsDeployer() { return new UnboundRole(RoleDefinition.systemFlagsDeployer); }
+ /** Returns the role for system flag dryrun */
+ public static UnboundRole systemFlagsDryrunner() { return new UnboundRole(RoleDefinition.systemFlagsDryrunner); }
+
/** Returns the role definition of this bound role. */
public RoleDefinition definition() { return roleDefinition; }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
index a261f5c7e8f..67efdc3017d 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
@@ -115,7 +115,9 @@ public enum RoleDefinition {
Policy.keyManagement,
Policy.developmentDeployment),
- systemFlagsDeployer(hostedOperator, Policy.systemFlagsDeployment);
+ systemFlagsDeployer(Policy.systemFlagsDeploy, Policy.systemFlagsDryrun),
+
+ systemFlagsDryrunner(Policy.systemFlagsDryrun);
private final Set<RoleDefinition> parents;
private final Set<Policy> policies;