diff --git a/maas-api/internal/tier/mapper.go b/maas-api/internal/tier/mapper.go
index 4722aaa48..c24f73e8f 100644
--- a/maas-api/internal/tier/mapper.go
+++ b/maas-api/internal/tier/mapper.go
@@ -109,7 +109,7 @@ func (m *Mapper) loadTierConfig(ctx context.Context) ([]Tier, error) {
 for i := range tiers {
 tier := &tiers[i]
- tier.Groups = append(tier.Groups, fmt.Sprintf("system:serviceaccount:%s", m.projectedNsName(tier)))
+ tier.Groups = append(tier.Groups, fmt.Sprintf("system:serviceaccounts:%s", m.projectedNsName(tier)))
 }
 return tiers, nil
diff --git a/maas-api/internal/tier/mapper_test.go b/maas-api/internal/tier/mapper_test.go
index 6dc7c97e1..ef877403b 100644
--- a/maas-api/internal/tier/mapper_test.go
+++ b/maas-api/internal/tier/mapper_test.go
@@ -41,10 +41,16 @@ func TestMapper_GetTierForGroups(t *testing.T) {
 },
 {
 name: "inferred SA group - free tier",
- groups: []string{"system:serviceaccount:test-tenant-tier-free"},
+ groups: []string{"system:serviceaccounts:test-tenant-tier-free"},
 expectedTier: "free",
 description: "User belongs to only free tier group",
 },
+ {
+ name: "inferred SA group - premium tier",
+ groups: []string{"system:serviceaccounts:test-tenant-tier-premium"},
+ expectedTier: "premium",
+ description: "User belongs to only premium tier group",
+ },
 {
 name: "single group - premium tier",
 groups: []string{"premium-users"},
@@ -87,6 +93,12 @@ func TestMapper_GetTierForGroups(t *testing.T) {
 expectedTier: "developer",
 description: "User belongs to both premium and developer - developer has higher level (15 > 10)",
 },
+ {
+ name: "multiple groups - service account groups",
+ groups: []string{"system:serviceaccounts", "system:serviceaccounts:test-tenant-tier-premium", "system:authenticated"},
+ expectedTier: "premium",
+ description: "User belongs to both premium and developer - developer has higher level (15 > 10)",
+ },
 {
 name: "three groups - enterprise wins",
 groups: []string{"free-users", "premium-users", "enterprise-users"},
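Review bot: In the mapper.go hunk, the service-account group prefix on the `tier.Groups = append(...)` line is still a hand-typed literal inside `fmt.Sprintf`, which is how a one-letter slip ended up in the tier-authorization path. Consider a named constant such as `const saNamespaceGroupPrefix = "system:serviceaccounts:"`, with a comment saying this is the namespace-wide group Kubernetes attaches to every service account token from that namespace, and reuse it in the tests. Because the group covers the whole namespace, any service account created in the namespace returned by `projectedNsName` is mapped to the tier, so the comment should also state that the ability to create service accounts there is what grants the tier; how that namespace is provisioned is not visible from this hunk. The body of `loadTierConfig` starts and ends outside the hunk.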
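Review bot: In the first mapper_test.go hunk (-41/+41), the table only gains positive matches; no case asserts that a near-miss group is rejected. Since the mapping decides which tier a token gets, it would help to add a case where the singular `[]string{"system:serviceaccount:test-tenant-tier-free"}` and a case where the cluster-wide `[]string{"system:serviceaccounts"}` on its own do not resolve to a tier. How the table expresses an expected failure is not visible in this hunk, so use whatever field it already has for that.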
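Review bot: In the second mapper_test.go hunk (-87/+93), the `description` of the new "multiple groups - service account groups" case is copied from the premium/developer case above and does not describe what is being tested. Here the groups are the three a service account token typically carries and only the namespace-scoped one should map to a tier, so something like `description: "Service account token groups - only the namespace-scoped group maps to a tier (premium)",` would keep a failure message from pointing at the wrong scenario.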