From 0d0e4c109ab23e9db7185ffe690dcab325ac072a Mon Sep 17 00:00:00 2001 From: Bjørn Christian Seime Date: Fri, 8 Nov 2019 14:22:13 +0100 Subject: Define access control '/system-flags/v1' dry-run --- .../yahoo/vespa/hosted/controller/api/role/PathGroup.java | 6 +++++- .../yahoo/vespa/hosted/controller/api/role/Policy.java | 11 ++++++++--- .../com/yahoo/vespa/hosted/controller/api/role/Role.java | 3 +++ .../vespa/hosted/controller/api/role/RoleDefinition.java | 4 +++- .../yahoo/vespa/hosted/controller/api/role/RoleTest.java | 15 +++++++++++---- 5 files changed, 30 insertions(+), 9 deletions(-) (limited to 'controller-api') diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java index 9db896bbb88..bf89d072b75 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java @@ -181,7 +181,11 @@ enum PathGroup { "/zone/v1/{*}"), /** Paths used for deploying system-wide feature flags. */ - systemFlags("/system-flags/v1/{*}"); + systemFlagsDeploy("/system-flags/v1/deploy"), + + + /** Paths used for "dry-running" system-wide feature flags. */ + systemFlagsDryrun("/system-flags/v1/dryrun"); final List pathSpecs; final String prefix; diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java index 51f29626acf..074d3ef7e95 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java @@ -123,9 +123,14 @@ enum Policy { .on(PathGroup.publicInfo) .in(SystemName.all())), - /** Access to /system-flags/v1. */ - systemFlagsDeployment(Privilege.grant(Action.all()) - .on(PathGroup.systemFlags) + /** Access to /system-flags/v1/deploy. */ + systemFlagsDeploy(Privilege.grant(Action.update) + .on(PathGroup.systemFlagsDeploy) + .in(SystemName.all())), + + /** Access to /system-flags/v1/dryrun. */ + systemFlagsDryrun(Privilege.grant(Action.update) + .on(PathGroup.systemFlagsDryrun) .in(SystemName.all())); private final Set privileges; diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java index e1497bd686e..b53cf9162e7 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java @@ -111,6 +111,9 @@ public abstract class Role { /** Returns the role for system flag deployer */ public static UnboundRole systemFlagsDeployer() { return new UnboundRole(RoleDefinition.systemFlagsDeployer); } + /** Returns the role for system flag dryrun */ + public static UnboundRole systemFlagsDryrunner() { return new UnboundRole(RoleDefinition.systemFlagsDryrunner); } + /** Returns the role definition of this bound role. */ public RoleDefinition definition() { return roleDefinition; } diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java index a261f5c7e8f..67efdc3017d 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java @@ -115,7 +115,9 @@ public enum RoleDefinition { Policy.keyManagement, Policy.developmentDeployment), - systemFlagsDeployer(hostedOperator, Policy.systemFlagsDeployment); + systemFlagsDeployer(Policy.systemFlagsDeploy, Policy.systemFlagsDryrun), + + systemFlagsDryrunner(Policy.systemFlagsDryrun); private final Set parents; private final Set policies; diff --git a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java index 6dd815f4f51..d153e218640 100644 --- a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java +++ b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java @@ -129,10 +129,17 @@ public class RoleTest { @Test public void system_flags() { - URI uri = URI.create("/system-flags/v1/deploy"); + URI deployUri = URI.create("/system-flags/v1/deploy"); Action action = Action.update; - assertTrue(mainEnforcer.allows(Role.systemFlagsDeployer(), action, uri)); - assertTrue(mainEnforcer.allows(Role.hostedOperator(), action, uri)); - assertFalse(mainEnforcer.allows(Role.everyone(), action, uri)); + assertTrue(mainEnforcer.allows(Role.systemFlagsDeployer(), action, deployUri)); + assertTrue(mainEnforcer.allows(Role.hostedOperator(), action, deployUri)); + assertFalse(mainEnforcer.allows(Role.systemFlagsDryrunner(), action, deployUri)); + assertFalse(mainEnforcer.allows(Role.everyone(), action, deployUri)); + + URI dryrunUri = URI.create("/system-flags/v1/dryrun"); + assertTrue(mainEnforcer.allows(Role.systemFlagsDeployer(), action, dryrunUri)); + assertTrue(mainEnforcer.allows(Role.hostedOperator(), action, dryrunUri)); + assertTrue(mainEnforcer.allows(Role.systemFlagsDryrunner(), action, dryrunUri)); + assertFalse(mainEnforcer.allows(Role.everyone(), action, dryrunUri)); } } -- cgit v1.2.3