From def6d57968bad732ba7f9445bb83f8f1883d9de7 Mon Sep 17 00:00:00 2001
From: Ola Aunrønning
Date: Mon, 14 Mar 2022 11:57:23 +0100
Subject: Consider effect equality
---
 .../controller/api/integration/athenz/AthenzAccessControlService.java | 4 +++-
 .../src/main/java/com/yahoo/vespa/athenz/api/AthenzAssertion.java | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index 3a42c0c6535..317229f9e9a 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -165,6 +165,8 @@ public class AthenzAccessControlService implements AccessControlService {
 private AthenzAssertion getApprovalAssertion(AthenzRole accessRole) {
 var approverRole = new AthenzRole(accessRole.domain(), "vespa-access-approver");
- return AthenzAssertion.newBuilder(approverRole, accessRole.toResourceName(), "update_members").build();
+ return AthenzAssertion.newBuilder(approverRole, accessRole.toResourceName(), "update_members")
+ .effect(AthenzAssertion.Effect.ALLOW)
+ .build();
 }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAssertion.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAssertion.java
index cf6f40155fc..49cc31fe8c2 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAssertion.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAssertion.java
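Review bot: Nothing at `getApprovalAssertion` in AthenzAccessControlService.java says why the effect is pinned, and the reason is security-relevant. With `satisfies` now comparing effect, the explicit `.effect(AthenzAssertion.Effect.ALLOW)` is what keeps a DENY rule on the same role, resource and action from being counted as approver access. I would add a comment above the builder call, e.g. `// Effect must be ALLOW: a DENY assertion with the same role, resource and action must not count as approval.` Any other caller that builds an expected assertion without `.effect(...)` and passes it to `satisfies` will presumably stop matching after this commit; those call sites are outside this hunk and worth checking.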
@@ -39,6 +39,7 @@ public class AthenzAssertion {
 public boolean satisfies(AthenzAssertion other) {
 return role.equals(other.role()) &&
 action.equals(other.action()) &&
+ effect().equals(other.effect()) &&
 resource.equals(other.resource());
 }
-- cgit v1.2.3
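Review bot: The new `effect().equals(other.effect())` clause in `satisfies` ships without a test: the diffstat lists only the two main-source files, so nothing pins that a DENY assertion with the same role, action and resource is rejected. A unit test for that case, and for ALLOW against ALLOW still matching, would guard this authorization check against regressions. The clause also calls the accessor where its neighbours read the fields directly; if `effect()` returns an optional or nullable value (its declaration is outside this hunk), an assertion with no effect set will not satisfy an explicit ALLOW. That fails closed, but it deserves a Javadoc line on the method, e.g. `/** True only when role, action, effect and resource all equal those of {@code other}; an unset effect does not match ALLOW. */`.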