Diffstat (limited to 'controller-api')
6 files changed, 61 insertions, 2 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/stubs/MockUserManagement.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/stubs/MockUserManagement.java
index 5ebea6c8d87..03eda33233d 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/stubs/MockUserManagement.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/stubs/MockUserManagement.java
@@ -43,7 +43,7 @@ public class MockUserManagement implements UserManagement {
     @Override
     public void removeUsers(Role role, Collection<UserId> users) {
-        memberships.get(role).removeAll(users);
+        memberships.get(role).removeIf(user -> users.contains(new UserId(user.email())));
     }
 
     @Override
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index 08702027264..958ded06c78 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -46,6 +46,15 @@ enum PathGroup {
                 Optional.of("/api"),
                 "/application/v4/tenant/{tenant}/application/"),
 
+    tenantKeys(Matcher.tenant,
+               Optional.of("/api"),
+               "/application/v4/tenant/{tenant}/key/"),
+
+    applicationKeys(Matcher.tenant,
+                    Matcher.application,
+                    Optional.of("/api"),
+                    "/application/v4/tenant/{tenant}/application/{application}/key/"),
+
     /** Path for the base application resource. */
     application(Matcher.tenant,
                 Matcher.application,
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index 290382c6e6c..db7dd5909b3 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
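Review bot: The new predicate in removeUsers calls `users.contains` once per member of the role, which is a linear scan whenever the caller passes a List, and allocates a fresh UserId for every member. Snapshot the ids once before the call, `Set<UserId> ids = Set.copyOf(users);`, and test `ids.contains(new UserId(user.email()))` in the predicate. The rewrite also still dereferences `memberships.get(role)` unguarded, so a role with no entry throws an NPE exactly as before, and it depends on UserId equality being defined by the e-mail string, which this diff does not show; both are worth confirming against the stub's callers. The enclosing class continues outside the hunk.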
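Review bot: The two new PathGroup entries, tenantKeys and applicationKeys, have no Javadoc while the neighbouring entry `application` carries one, and these paths are the boundary that Policy.keyManagement in this same commit authorizes, so a reader auditing the role grants needs to know which kind of key each path covers. Add `/** Paths for the keys registered under a tenant. */` above tenantKeys and `/** Paths for the keys registered under an application. */` above applicationKeys; the keyManagement Javadoc calls these "developer and deploy keys", so if tenantKeys is the developer-key path and applicationKeys the deploy-key path, say so explicitly in each comment. The enum continues outside the hunk.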
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
@@ -83,6 +83,11 @@ enum Policy {
                       .on(PathGroup.applicationInfo, PathGroup.productionRestart)
                       .in(SystemName.all())),
 
+    /** Access to create and delete developer and deploy keys under a tenant. */
+    keyManagement(Privilege.grant(Action.write())
+                           .on(PathGroup.tenantKeys, PathGroup.applicationKeys)
+                           .in(SystemName.all())),
+
     /** Full access to application development deployments. */
     developmentDeployment(Privilege.grant(Action.all())
                                    .on(PathGroup.developmentDeployment, PathGroup.developmentRestart)
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
index 980b8bd316f..7bbd89404c7 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
@@ -56,7 +56,8 @@ public enum RoleDefinition {
     /** Tenant operator with access to create application under a tenant, and to read the tenant's and public data. */
     tenantOperator(everyone,
                    Policy.tenantRead,
-                   Policy.applicationCreate),
+                   Policy.applicationCreate,
+                   Policy.keyManagement),
 
     /** Tenant admin with full access to all tenant resources, except deleting the tenant. */
     tenantAdmin(tenantOperator,
@@ -84,6 +85,7 @@ public enum RoleDefinition {
                          Policy.applicationUpdate,
                          Policy.applicationDelete,
                          Policy.applicationOperations,
+                         Policy.keyManagement,
                          Policy.developmentDeployment);
 
     private final Set<RoleDefinition> parents;
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/SecurityContext.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/SecurityContext.java
index 3378f9e0061..92f902dc0f7 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/SecurityContext.java
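Review bot: The Javadoc on keyManagement promises "create and delete" but the grant is `Privilege.grant(Action.write())`, and whether `Action.write()` covers DELETE is defined outside this diff; the sibling policy visible in the hunk, developmentDeployment, uses `Action.all()` instead. If write excludes deletion, key removal through these paths is denied for every role that only holds keyManagement, and if it includes it the Javadoc is fine but should say which HTTP methods it maps to so the narrower grant is clearly deliberate. Since these paths register deploy credentials, a policy test that exercises both the add and the delete route with a tenantOperator would pin the intent. The enum continues outside the hunk.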
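Review bot: The Javadoc on tenantOperator in the first RoleDefinition hunk is now stale: it still describes the role as having "access to create application under a tenant, and to read the tenant's and public data", while the role now also carries Policy.keyManagement, which is a credential-management privilege readers of the role list need to see. Change it to `/** Tenant operator with access to create applications and manage developer and deploy keys under a tenant, and to read the tenant's and public data. */`. In the second hunk Policy.keyManagement is added to a role whose name lies outside the hunk; if that role inherits from tenantOperator the way tenantAdmin does, the extra grant is redundant and a comment saying why it is repeated would help. Both hunks are inside an enum that continues outside them.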
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/SecurityContext.java
@@ -49,4 +49,5 @@ public class SecurityContext {
                ", roles=" + roles +
                '}';
     }
+
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/SimplePrincipal.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/SimplePrincipal.java
new file mode 100644
index 00000000000..11e4552fcb5
--- /dev/null
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/SimplePrincipal.java
@@ -0,0 +1,42 @@
+package com.yahoo.vespa.hosted.controller.api.role;
+
+import java.security.Principal;
+
+/**
+ * A principal wrapper of a single String entry.
+ *
+ * @author jonmv
+ */
+public class SimplePrincipal implements Principal {
+
+    private final String name;
+
+    public SimplePrincipal(String name) {
+        if (name.isBlank())
+            throw new IllegalArgumentException("Name cannot be blank");
+        this.name = name;
+    }
+
+    @Override
+    public String getName() {
+        return name;
+    }
+
+    @Override
+    public String toString() {
+        return name;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        return name.equals(((SimplePrincipal) o).name);
+    }
+
+    @Override
+    public int hashCode() {
+        return name.hashCode();
+    }
+
+}
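Review bot: The SimplePrincipal constructor validates blankness with `name.isBlank()`, so a null name fails with a bare NullPointerException from inside the check rather than the IllegalArgumentException the guard is meant to produce; widen it to `if (name == null || name.isBlank())` so both invalid inputs are rejected with the same message. The class is also left non-final even though equals relies on `getClass()` identity, which silently makes any subclass unequal to its wrapped value; declaring `public final class SimplePrincipal implements Principal {` matches the equals contract and documents that the wrapper is not meant for extension. A `@param name`/`@throws IllegalArgumentException` pair on the constructor would complete the Javadoc.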