Diffstat (limited to 'controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java22
1 files changed, 7 insertions, 15 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index 56b2de33478..361aad93133 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -15,14 +15,14 @@ import com.yahoo.vespa.athenz.api.AthenzUser;
import com.yahoo.vespa.athenz.client.zms.ZmsClientException;
import com.yahoo.vespa.hosted.controller.Controller;
import com.yahoo.vespa.hosted.controller.TenantController;
+import com.yahoo.vespa.hosted.controller.api.integration.athenz.ApplicationAction;
import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
import com.yahoo.vespa.hosted.controller.api.role.Role;
import com.yahoo.vespa.hosted.controller.api.role.SecurityContext;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.ApplicationAction;
import com.yahoo.vespa.hosted.controller.athenz.impl.AthenzFacade;
+import com.yahoo.vespa.hosted.controller.security.Credentials;
import com.yahoo.vespa.hosted.controller.tenant.AthenzTenant;
import com.yahoo.vespa.hosted.controller.tenant.Tenant;
-import com.yahoo.vespa.hosted.controller.tenant.UserTenant;
import com.yahoo.yolean.Exceptions;
import java.net.URI;
@@ -82,13 +82,13 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
AthenzIdentity identity = principal.getIdentity();
+ Set<Role> roleMemberships = new HashSet<>();
if (athenz.hasHostedOperatorAccess(identity))
- return Set.of(Role.hostedOperator());
+ roleMemberships.add(Role.hostedOperator());
- // A principal can be both tenant admin and tenantPipeline
- Set<Role> roleMemberships = new HashSet<>();
- if (tenant.isPresent() && isTenantAdmin(identity, tenant.get()))
- roleMemberships.add(Role.athenzTenantAdmin(tenant.get().name()));
+ // Add all tenants that are accessible for this request
+ athenz.accessibleTenants(tenants.asList(), new Credentials(principal))
+ .forEach(accessibleTenant -> roleMemberships.add(Role.athenzTenantAdmin(accessibleTenant.name())));
if (identity.getDomain().equals(SCREWDRIVER_DOMAIN) && application.isPresent() && tenant.isPresent())
// NOTE: Only fine-grained deploy authorization for Athenz tenants
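Review bot: The new `athenz.accessibleTenants(tenants.asList(), new Credentials(principal))` evaluates access against every tenant known to the controller on each filtered request, whereas the removed `isTenantAdmin` only checked the tenant addressed by the request; if that helper consults ZMS per tenant, one authorization lookup per request becomes one per tenant, and a single failing lookup (the file imports `ZmsClientException`, so some path does throw) would fail the whole request rather than one tenant. The request's `tenant` is still in scope on the context line that follows, so if downstream consumers only need roles for the addressed tenant, narrowing the candidate list keeps the least-privilege shape of the old code: `tenant.map(List::of).orElseGet(tenants::asList)` in place of `tenants.asList()` (this presumes `java.util.List` is imported, which is not visible here). Either way the replaced comment should state the intended scope explicitly, e.g. `// Grant tenant-admin roles for every tenant the principal can access, not only the tenant addressed by this request`. The enclosing method starts and ends outside the hunk.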
@@ -114,14 +114,6 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
: Set.copyOf(roleMemberships);
}
- private boolean isTenantAdmin(AthenzIdentity identity, Tenant tenant) {
- switch (tenant.type()) {
- case athenz: return athenz.hasTenantAdminAccess(identity, ((AthenzTenant) tenant).domain());
- case user: return ((UserTenant) tenant).is(identity.getName()) || athenz.hasHostedOperatorAccess(identity);
- default: throw new IllegalArgumentException("Unexpected tenant type '" + tenant.type() + "'.");
- }
- }
-
private boolean hasDeployerAccess(AthenzIdentity identity, AthenzDomain tenantDomain, ApplicationName application) {
try {
return athenz.hasApplicationAccess(identity,