From 0d0e4c109ab23e9db7185ffe690dcab325ac072a Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime <bjorncs@verizonmedia.com>
Date: Fri, 8 Nov 2019 14:22:13 +0100
Subject: Define access control '/system-flags/v1' dry-run

---
 .../com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java | 4 ++--
 .../vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java    | 6 +++++-
 2 files changed, 7 insertions(+), 3 deletions(-)

(limited to 'controller-server')

diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
index 8f84845a94b..bb6777b9e27 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
@@ -208,8 +208,8 @@ public class AthenzFacade implements AccessControl {
         return hasAccess("launch", service.getDomain().getName() + ":service."+service.getName(), principal);
     }
 
-    public boolean hasSystemFlagsDeployAccess(AthenzIdentity identity) {
-        return hasAccess("deploy", new AthenzResourceName(service.getDomain(), "system-flags").toResourceNameString(), identity);
+    public boolean hasSystemFlagsAccess(AthenzIdentity identity, boolean dryRun) {
+        return hasAccess(dryRun ? "dryrun" : "deploy", new AthenzResourceName(service.getDomain(), "system-flags").toResourceNameString(), identity);
     }
 
     /**
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index 2a75c7953ca..56b2de33478 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -101,10 +101,14 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
             && instance.get().value().equals(principal.getIdentity().getName()))
             roleMemberships.add(Role.athenzUser(tenant.get().name(), application.get(), instance.get()));
 
-        if (athenz.hasSystemFlagsDeployAccess(identity)) {
+        if (athenz.hasSystemFlagsAccess(identity, /*dryrun*/false)) {
             roleMemberships.add(Role.systemFlagsDeployer());
         }
 
+        if (athenz.hasSystemFlagsAccess(identity, /*dryrun*/true)) {
+            roleMemberships.add(Role.systemFlagsDryrunner());
+        }
+
         return roleMemberships.isEmpty()
                 ? Set.of(Role.everyone())
                 : Set.copyOf(roleMemberships);
-- 
cgit v1.2.3