From f5199a595b99623ccd2ec9c7c04a969640279381 Mon Sep 17 00:00:00 2001
From: Øyvind Grønnesby
Date: Wed, 3 Mar 2021 13:45:22 +0100
Subject: Give tenant admin the right to revoke keys
---
 .../main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java | 5 +++++
 .../com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java | 1 +
 2 files changed, 6 insertions(+)
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index ecf3d29bc1a..ad739d16ff8 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
@@ -102,6 +102,11 @@ enum Policy {
 .on(PathGroup.tenantKeys, PathGroup.applicationKeys)
 .in(SystemName.all())),
 
+ /** Access to revoke keys from the tenant */
+ keyRevokal(Privilege.grant(Action.delete)
+ .on(PathGroup.tenantKeys, PathGroup.applicationKeys)
+ .in(SystemName.all())),
+
 /** Full access to application development deployments. */
 developmentDeployment(Privilege.grant(Action.all())
 .on(PathGroup.developmentDeployment, PathGroup.developmentRestart)
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
index 3b861c607b1..40903b02465 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
@@ -63,6 +63,7 @@ public enum RoleDefinition {
 Policy.tenantManager,
 Policy.tenantDelete,
 Policy.applicationManager,
+ Policy.keyRevokal,
 Policy.paymentInstrumentRead,
 Policy.paymentInstrumentUpdate,
 Policy.paymentInstrumentDelete,
--
cgit v1.2.3
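Review bot: The Javadoc on `keyRevokal` in Policy.java says the policy revokes keys "from the tenant", but the grant is `Action.delete` on both `PathGroup.tenantKeys` and `PathGroup.applicationKeys` in `SystemName.all()`, so the comment understates what it allows. Someone auditing role definitions will read the comment before the builder chain; I would write `/** Access to revoke (delete) tenant and application keys, in all systems. */`. As a style point, "revokal" is not a standard word, and `keyRevocation` would read better if a rename is still cheap; the reference added in RoleDefinition.java would have to follow. The enum body starts and ends outside the hunk.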
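Review bot: No test accompanies the new `Policy.keyRevokal` entry in this role's policy list in RoleDefinition.java; the diffstat shows only the two files under `src/main`. Because this widens an authorization grant, a test asserting that the role now allows `Action.delete` on the tenant-key and application-key paths, and that roles without `Policy.keyRevokal` are still refused, would keep the permission from drifting unnoticed. The enclosing role constant begins outside the hunk, so the role name is not visible here; the subject line implies it is the tenant administrator role, which is worth confirming against the full file.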