diff options
Diffstat (limited to 'controller-server')
2 files changed, 7 insertions, 3 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java index 8f84845a94b..bb6777b9e27 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java @@ -208,8 +208,8 @@ public class AthenzFacade implements AccessControl { return hasAccess("launch", service.getDomain().getName() + ":service."+service.getName(), principal); } - public boolean hasSystemFlagsDeployAccess(AthenzIdentity identity) { - return hasAccess("deploy", new AthenzResourceName(service.getDomain(), "system-flags").toResourceNameString(), identity); + public boolean hasSystemFlagsAccess(AthenzIdentity identity, boolean dryRun) { + return hasAccess(dryRun ? "dryrun" : "deploy", new AthenzResourceName(service.getDomain(), "system-flags").toResourceNameString(), identity); } /** diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java index 2a75c7953ca..56b2de33478 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java @@ -101,10 +101,14 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase { && instance.get().value().equals(principal.getIdentity().getName())) roleMemberships.add(Role.athenzUser(tenant.get().name(), application.get(), instance.get())); - if (athenz.hasSystemFlagsDeployAccess(identity)) { + if (athenz.hasSystemFlagsAccess(identity, /*dryrun*/false)) { roleMemberships.add(Role.systemFlagsDeployer()); } + if (athenz.hasSystemFlagsAccess(identity, /*dryrun*/true)) { + roleMemberships.add(Role.systemFlagsDryrunner()); + } + return roleMemberships.isEmpty() ? Set.of(Role.everyone()) : Set.copyOf(roleMemberships); |