Diffstat (limited to 'controller-server')
6 files changed, 14 insertions, 13 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
index 21a1b3c1eda..3f985e95a4f 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
@@ -128,7 +128,6 @@ public class ApplicationController {
 private final RoutingPolicies routingPolicies;
 private final Clock clock;
 private final DeploymentTrigger deploymentTrigger;
- private final BooleanFlag provisionApplicationCertificate;
 private final ApplicationPackageValidator applicationPackageValidator;
 ApplicationController(Controller controller, CuratorDb curator,
@@ -146,7 +145,6 @@ public class ApplicationController {
 routingPolicies = new RoutingPolicies(controller);
 rotationRepository = new RotationRepository(rotationsConfig, this, curator);
 deploymentTrigger = new DeploymentTrigger(controller, clock);
- provisionApplicationCertificate = Flags.PROVISION_APPLICATION_CERTIFICATE.bindTo(controller.flagSource());
 applicationPackageValidator = new ApplicationPackageValidator(controller);
 // Update serialization format of all applications
@@ -565,12 +563,6 @@ public class ApplicationController {
 }
 private Optional<ApplicationCertificate> getApplicationCertificate(Instance instance) {
- boolean provisionCertificate = provisionApplicationCertificate.with(FetchVector.Dimension.APPLICATION_ID,
- instance.id().serializedForm()).value();
- if (!provisionCertificate) {
- return Optional.empty();
- }
-
 // Re-use certificate if already provisioned
 Optional<ApplicationCertificate> applicationCertificate = curator.readApplicationCertificate(instance.id());
 if(applicationCertificate.isPresent())
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
index 8f84845a94b..bb6777b9e27 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
@@ -208,8 +208,8 @@ public class AthenzFacade implements AccessControl {
 return hasAccess("launch", service.getDomain().getName() + ":service."+service.getName(), principal);
 }
- public boolean hasSystemFlagsDeployAccess(AthenzIdentity identity) {
- return hasAccess("deploy", new AthenzResourceName(service.getDomain(), "system-flags").toResourceNameString(), identity);
+ public boolean hasSystemFlagsAccess(AthenzIdentity identity, boolean dryRun) {
+ return hasAccess(dryRun ? "dryrun" : "deploy", new AthenzResourceName(service.getDomain(), "system-flags").toResourceNameString(), identity);
 }
 /**
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/deployment/InternalStepRunner.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/deployment/InternalStepRunner.java
index 8cb5b08bcdb..b9c6fd8c555 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/deployment/InternalStepRunner.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/deployment/InternalStepRunner.java
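Review bot: The new `boolean dryRun` parameter on `hasSystemFlagsAccess` selects which Athenz action is checked, so a swapped literal at a call site silently authorizes against the other action; the `/*dryrun*/false` comments this commit adds in AthenzRoleFilter show that the call is not self-describing. Two named methods sharing a private helper, or an enum parameter, would make the checked action explicit at the call site, for example `public boolean hasSystemFlagsDryrunAccess(AthenzIdentity identity)` next to the existing `hasSystemFlagsDeployAccess`. The method also has no Javadoc; a comment such as `/** Returns whether identity may perform "dryrun" (dryRun true) or "deploy" (dryRun false) on the system-flags resource of the service's domain. */` would record the mapping. Whether a "dryrun" action is defined in the Athenz policy is not visible in this diff.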
@@ -701,6 +701,12 @@ public class InternalStepRunner implements StepRunner {
 String resourceString = String.format(Locale.ENGLISH,
 "<resources vcpu=\"%.2f\" memory=\"%.2fGb\" disk=\"%.2fGb\" disk-speed=\"%s\"/>",
 resources.vcpu(), resources.memoryGb(), resources.diskGb(), resources.diskSpeed().name());
+ /* TODO after 18 November 2019, include storageType:
+ String resourceString = String.format(Locale.ENGLISH,
+ "<resources vcpu=\"%.2f\" memory=\"%.2fGb\" disk=\"%.2fGb\" disk-speed=\"%s\" storage-type=\"%s\"/>",
+ resources.vcpu(), resources.memoryGb(), resources.diskGb(), resources.diskSpeed().name(), resources.storageType().name());
+
+ */
 AthenzDomain idDomain = ("vespa.vespa.cd".equals(domain.value()) ? AthenzDomain.from("vespa.vespa") : domain);
 String servicesXml =
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index 2a75c7953ca..56b2de33478 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -101,10 +101,14 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
 && instance.get().value().equals(principal.getIdentity().getName()))
 roleMemberships.add(Role.athenzUser(tenant.get().name(), application.get(), instance.get()));
- if (athenz.hasSystemFlagsDeployAccess(identity)) {
+ if (athenz.hasSystemFlagsAccess(identity, /*dryrun*/false)) {
 roleMemberships.add(Role.systemFlagsDeployer());
 }
+ if (athenz.hasSystemFlagsAccess(identity, /*dryrun*/true)) {
+ roleMemberships.add(Role.systemFlagsDryrunner());
+ }
+
 return roleMemberships.isEmpty() ? Set.of(Role.everyone()) : Set.copyOf(roleMemberships);
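Review bot: The added block comment in InternalStepRunner keeps a second copy of the `String.format` call as dead code, and nothing ties it to the live statement above it, so the two can drift if the format string changes before the TODO is acted on. A one-line marker carries the same information: `// TODO after 18 November 2019: also emit storage-type from resources.storageType().name()`. The enclosing method starts and ends outside the hunk.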
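Review bot: Deploy access does not imply the dry-run role in the block added to AthenzRoleFilter: an identity allowed only the `deploy` action gets `Role.systemFlagsDeployer()` but not `Role.systemFlagsDryrunner()`. If the dry-run endpoint's policy admits only the dry-runner role (the policy is not part of this diff), deployers would be refused a dry run of a change they are allowed to deploy. Either confirm that the policy lists both roles, or keep the deploy result in a local, `boolean deployer = athenz.hasSystemFlagsAccess(identity, /*dryrun*/false);`, and guard the second block with `if (deployer || athenz.hasSystemFlagsAccess(identity, /*dryrun*/true))`. The added block also issues a second access check on every request that reaches this code; whether `hasAccess` caches its result is not visible here. The enclosing method starts and ends outside the hunk.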
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/SystemFlagsHandler.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/SystemFlagsHandler.java
index 08bb7628080..32cb79963c1 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/SystemFlagsHandler.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/SystemFlagsHandler.java
@@ -22,7 +22,7 @@ import java.util.concurrent.Executor;
 * @author bjorncs
 */
 @SuppressWarnings("unused") // Request handler listed in controller's services.xml
-class SystemFlagsHandler extends LoggingRequestHandler {
+public class SystemFlagsHandler extends LoggingRequestHandler {
 private static final String API_PREFIX = "/system-flags/v1";
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java
index dbe451fd433..52ac9c8088a 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/ControllerTest.java
@@ -741,7 +741,6 @@ public class ControllerTest {
 @Test
 public void testDeploySelectivelyProvisionsCertificate() {
- ((InMemoryFlagSource) tester.controller().flagSource()).withBooleanFlag(Flags.PROVISION_APPLICATION_CERTIFICATE.id(), true);
 Function<Instance, Optional<ApplicationCertificate>> certificate = (application) -> tester.controller().curator().readApplicationCertificate(application.id());
 // Create app1 |