From edb279bdfc1db05afda93bd206cded216cc8c3d3 Mon Sep 17 00:00:00 2001
From: Jon Marius Venstad
Date: Mon, 27 Apr 2020 15:50:08 +0200
Subject: Disallow Screwdriver from submitting to the sandbox tenant
---
 .../vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index 48118087a54..25ee95e6d80 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -105,7 +105,10 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
 .forEach(accessibleTenant -> roleMemberships.add(Role.athenzTenantAdmin(accessibleTenant.name())));
 }));
- if (identity.getDomain().equals(SCREWDRIVER_DOMAIN) && application.isPresent() && tenant.isPresent())
+ if ( identity.getDomain().equals(SCREWDRIVER_DOMAIN)
+ && application.isPresent()
+ && tenant.isPresent()
+ && ! tenant.get().name().value().equals("sandbox"))
 futures.add(executor.submit(() -> {
 if ( tenant.get().type() == Tenant.Type.athenz
 && hasDeployerAccess(identity, ((AthenzTenant) tenant.get()).domain(), application.get()))
-- cgit v1.2.3
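Review bot: The new exclusion in the Screwdriver condition compares the tenant name against the bare literal `"sandbox"`, with no comment saying why this tenant is special, so a later reader of this authorization filter cannot tell that the check is a deliberate access restriction. I would name it alongside `SCREWDRIVER_DOMAIN`, e.g. `private static final String SANDBOX_TENANT = "sandbox";`, use `&& ! tenant.get().name().value().equals(SANDBOX_TENANT)`, and put `// Screwdriver must never be granted submit access to the sandbox tenant.` above the `if`. The diffstat shows only this file changed, so the restriction ships without a test; a filter test asserting that a Screwdriver identity gains no role from this branch for the sandbox tenant would keep it from regressing. The guard covers only this branch, and the enclosing method starts and ends outside the hunk, so whether the role lookups above it can still give a Screwdriver identity access to that tenant cannot be judged from here and is worth checking.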