Diffstat (limited to 'controller-server')
2 files changed, 10 insertions, 0 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
index 70c504dd220..8f84845a94b 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
@@ -208,6 +208,10 @@ public class AthenzFacade implements AccessControl {
 return hasAccess("launch", service.getDomain().getName() + ":service."+service.getName(), principal);
 }
 
+ public boolean hasSystemFlagsDeployAccess(AthenzIdentity identity) {
+ return hasAccess("deploy", new AthenzResourceName(service.getDomain(), "system-flags").toResourceNameString(), identity);
+ }
+
 /**
 * Used when creating tenancies. As there are no tenancy policies at this point,
 * we cannot use {@link #hasTenantAdminAccess(AthenzIdentity, AthenzDomain)}
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index 8ee95675465..2a75c7953ca 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -11,6 +11,7 @@ import com.yahoo.restapi.Path;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzPrincipal;
+import com.yahoo.vespa.athenz.api.AthenzUser;
 import com.yahoo.vespa.athenz.client.zms.ZmsClientException;
 import com.yahoo.vespa.hosted.controller.Controller;
 import com.yahoo.vespa.hosted.controller.TenantController;
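Review bot: `hasSystemFlagsDeployAccess` is a new public authorization check with no Javadoc, while the neighbouring methods in AthenzFacade document what they authorize; add above the signature `/** Returns whether {@code identity} may perform the "deploy" action on the {@code <service domain>:system-flags} resource, resolved through the same {@link #hasAccess} lookup as the other checks here. */`. The resource is built from the controller's own service domain (`service.getDomain()`), not a tenant domain, and the Javadoc should say so, otherwise the method reads like a per-tenant check. The second hunk of AthenzRoleFilter appears to call this on every filtered request, so it is worth stating in the Javadoc whether the underlying lookup can throw ZmsClientException and that callers are expected to treat that as no access rather than let it propagate — I cannot tell from this hunk how `hasAccess` behaves on a ZMS failure.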
@@ -96,9 +97,14 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
 roleMemberships.add(Role.tenantPipeline(tenant.get().name(), application.get()));
 if ( tenant.isPresent() && application.isPresent() && instance.isPresent()
+ && principal.getIdentity() instanceof AthenzUser
 && instance.get().value().equals(principal.getIdentity().getName()))
 roleMemberships.add(Role.athenzUser(tenant.get().name(), application.get(), instance.get()));
+ if (athenz.hasSystemFlagsDeployAccess(identity)) {
+ roleMemberships.add(Role.systemFlagsDeployer());
+ }
+
 return roleMemberships.isEmpty() ? Set.of(Role.everyone()) : Set.copyOf(roleMemberships);
|