Diffstat (limited to 'controller-api')
4 files changed, 12 insertions, 12 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
index f7876f9cddd..5d8fae5cf0a 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
@@ -20,7 +20,7 @@ public interface AccessControlService {
 boolean decideSshAccess(TenantName tenantName, Instant expiry, OAuthCredentials oAuthCredentials, boolean approve);
 boolean requestSshAccess(TenantName tenantName);
 AthenzRoleInformation getAccessRoleInformation(TenantName tenantName);
- void setPreapprovedAccess(TenantName tenantName, boolean preapproved);
- boolean getPreapprovedAccess(TenantName tenantName);
+ void setManagedAccess(TenantName tenantName, boolean managedAccess);
+ boolean getManagedAccess(TenantName tenantName);
 Collection<AthenzUser> listMembers();
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index 2e4f3f16218..f761734aa13 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -116,27 +116,27 @@ public class AthenzAccessControlService implements AccessControlService {
 ).orElseThrow(() -> new UnsupportedOperationException("Only allowed in systems running Vespa Athenz instance"));
 }
- public void setPreapprovedAccess(TenantName tenantName, boolean preapprovedAccess) {
+ public void setManagedAccess(TenantName tenantName, boolean managedAccess) {
 vespaZmsClient.ifPresentOrElse(
 zms -> {
 var role = sshRole(tenantName);
 var assertion = getApprovalAssertion(role);
- if (preapprovedAccess) {
- zms.addPolicyRule(role.domain(), ACCESS_APPROVAL_POLICY, assertion.action(), assertion.resource(), assertion.role());
- } else {
+ if (managedAccess) {
 zms.deletePolicyRule(role.domain(), ACCESS_APPROVAL_POLICY, assertion.action(), assertion.resource(), assertion.role());
+ } else {
+ zms.addPolicyRule(role.domain(), ACCESS_APPROVAL_POLICY, assertion.action(), assertion.resource(), assertion.role());
 }
 },() -> {
 throw new UnsupportedOperationException("Only allowed in systems running Vespa Athenz instance");
 });
 }
- public boolean getPreapprovedAccess(TenantName tenantName) {
+ public boolean getManagedAccess(TenantName tenantName) {
 return vespaZmsClient.map(
 zms -> {
 var role = sshRole(tenantName);
 var approvalAssertion = getApprovalAssertion(role);
 return zms.getPolicy(role.domain(), ACCESS_APPROVAL_POLICY)
- .map(policy -> policy.assertions().stream().anyMatch(assertion -> assertion.satisfies(approvalAssertion)))
- .orElse(false);
+ .map(policy -> policy.assertions().stream().noneMatch(assertion -> assertion.satisfies(approvalAssertion)))
+ .orElse(true);
 }).orElseThrow(() -> new UnsupportedOperationException("Only allowed in systems running Vespa Athenz instance")
 );
 }
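Review bot: The flip from `anyMatch`/`orElse(false)` to `noneMatch`/`orElse(true)` inverts what `getManagedAccess` reports, including for the case where `ACCESS_APPROVAL_POLICY` does not exist at all, and neither method carries Javadoc stating the new contract. I would add one on the getter, e.g. `/** A tenant is "managed" when no rule in ACCESS_APPROVAL_POLICY grants the approval assertion for its ssh role; a missing policy counts as managed (access requires explicit approval). */`, and a matching line on the setter saying that `true` deletes the rule and `false` adds it. Note also that the setter removes or adds the exact (action, resource, role) tuple while the getter uses `assertion.satisfies(approvalAssertion)`; if `satisfies` also matches broader (for example wildcard) assertions, a tenant could still read as unmanaged after `setManagedAccess(true)`, which is worth confirming against the `satisfies` implementation that is not visible here. Whether `deletePolicyRule` tolerates an already-absent rule is likewise not visible in this hunk.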
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
index 95ebe3380d4..c0e0f0baa5d 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
@@ -50,12 +50,12 @@ public class MockAccessControlService implements AccessControlService {
 }
 @Override
- public void setPreapprovedAccess(TenantName tenantName, boolean preapproved) {
+ public void setManagedAccess(TenantName tenantName, boolean managedAccess) {
 }
 @Override
- public boolean getPreapprovedAccess(TenantName tenant) {
+ public boolean getManagedAccess(TenantName tenant) {
 return false;
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index aca8425328d..30a086a59a0 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -242,7 +242,7 @@ enum PathGroup {
 /** Paths used to approve requests to access tenant resources */
 accessRequestApproval(Matcher.tenant,
 "/application/v4/tenant/{tenant}/access/approve/{*}",
- "/application/v4/tenant/{tenant}/access/preapprove/{*}");
+ "/application/v4/tenant/{tenant}/access/managed/{*}");
 final List<String> pathSpecs;
 final List<Matcher> matchers; |
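Review bot: `MockAccessControlService.getManagedAccess` still returns `false`, which under the inverted semantics now reports every tenant as unmanaged (pre-approved), whereas `AthenzAccessControlService.getManagedAccess` in the same commit answers `true` whenever no approval rule exists. The old `false` mirrored the old Athenz default of "not pre-approved", so leaving it unchanged silently flips what the mock models, and tests built on it will exercise the permissive path by default. If the mock is meant to keep mirroring the production default, change it to `return true;`; better still, have `setManagedAccess` record the flag per tenant in a map and have the getter return it with a default of `true`, so tests can drive both states.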