authortoby <smorgrav@yahoo-inc.com>2018-04-09 14:24:34 +0200
committertoby <smorgrav@yahoo-inc.com>2018-04-09 15:17:00 +0200
commitdc16854abbca84a6b684aea0bb7d4d742e02e2c4 (patch)
tree6e1bcbdc2b2eb86314277b5c764de8425cc1a49c
parent43eaa4fa40b9f5fce07c4b5c991f551f93b44883 (diff)
Add trusted ports to the NodeAcl object
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java12
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java8
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/NodeAclResponse.java17
3 files changed, 31 insertions, 6 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
index 2ef79ec53dd..4bf7e70d06b 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
@@ -166,11 +166,12 @@ public class NodeRepository extends AbstractComponent {
public List<Node> getFailed() { return db.getNodes(Node.State.failed); }
/**
- * Returns a set of nodes that should be trusted by the given node.
+ * Returns the ACL for the node (trusted nodes, networks and ports)
*/
private NodeAcl getNodeAcl(Node node, NodeList candidates) {
Set<Node> trustedNodes = new TreeSet<>(Comparator.comparing(Node::hostname));
Set<String> trustedNetworks = new HashSet<>();
+ Set<Integer> trustedPorts = new HashSet<>();
// For all cases below, trust:
// - nodes in same application
@@ -198,13 +199,18 @@ public class NodeRepository extends AbstractComponent {
case config:
// Config servers trust all nodes
trustedNodes.addAll(candidates.asList());
+
+ // And all connections on 4443
+ trustedPorts.add(4443);
break;
case proxy:
- // No special rules for proxies
+ // Accept connections from the world on 4443
+ trustedPorts.add(4443);
break;
case host:
+ // This is only needed for macvlan networks - for nated networks this is handled elsewhere.
// Docker bridge network
trustedNetworks.add("172.17.0.0/16");
break;
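Review bot: The port 4443 is hard-coded twice in this hunk, once in the `config` case and once in the `proxy` case, with no shared definition, so the two entries can drift apart silently the next time one of them is edited. A single class-level constant referenced from both `trustedPorts.add(...)` calls, e.g. `private static final int TRUSTED_PORT = 4443;`, keeps them in step and gives the number a name. The two comments also describe the same rule in different words ("all connections on 4443" vs "from the world on 4443"); since a port entry carries no source restriction at all, it is clearer to say so once, at the constant, rather than per case. The enclosing switch and getNodeAcl continue outside the hunk.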
@@ -215,7 +221,7 @@ public class NodeRepository extends AbstractComponent {
node.hostname(), node.type()));
}
- return new NodeAcl(node, trustedNodes, trustedNetworks);
+ return new NodeAcl(node, trustedNodes, trustedNetworks, trustedPorts);
}
/**
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
index a6190f41c07..34a8b414ef4 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
@@ -17,11 +17,13 @@ public class NodeAcl {
private final Node node;
private final Set<Node> trustedNodes;
private final Set<String> trustedNetworks;
+ private final Set<Integer> trustedPorts;
- public NodeAcl(Node node, Set<Node> trustedNodes, Set<String> trustedNetworks) {
+ public NodeAcl(Node node, Set<Node> trustedNodes, Set<String> trustedNetworks, Set<Integer> trustedPorts) {
this.node = node;
this.trustedNodes = ImmutableSet.copyOf(trustedNodes);
this.trustedNetworks = ImmutableSet.copyOf(trustedNetworks);
+ this.trustedPorts = ImmutableSet.copyOf(trustedPorts);
}
public Node node() {
@@ -35,4 +37,8 @@ public class NodeAcl {
public Set<String> trustedNetworks() {
return trustedNetworks;
}
+
+ public Set<Integer> trustedPorts() {
+ return trustedPorts;
+ }
}
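Review bot: The new `trustedPorts()` accessor (and the field it returns) has no documentation, while its meaning differs materially from the two sibling sets: `trustedNodes` and `trustedNetworks` restrict the source of a connection, whereas a trusted port appears to admit inbound traffic from any source on that port, judging by the "Accept connections from the world on 4443" comment in NodeRepository. That distinction is what a reader of the ACL needs to know before adding an entry, so a Javadoc on the getter along the lines of `/** Returns the ports on which this node accepts inbound connections from any source, independent of trustedNodes and trustedNetworks */` would make the contract explicit. The constructor parameter would benefit from the same one-line description.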
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/NodeAclResponse.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/NodeAclResponse.java
index 65b727ad0dd..e2eff619007 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/NodeAclResponse.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/NodeAclResponse.java
@@ -49,6 +49,11 @@ public class NodeAclResponse extends HttpResponse {
nodeRepository.getNodeAcls(node, aclsForChildren).forEach(nodeAcl -> toSlime(nodeAcl.trustedNetworks(),
nodeAcl.node(),
trustedNetworksArray));
+
+ Cursor trustedPortsArray = object.setArray("trustedPorts");
+ nodeRepository.getNodeAcls(node, aclsForChildren).forEach(nodeAcl -> toSlime(nodeAcl.trustedPorts(),
+ nodeAcl,
+ trustedNetworksArray));
}
private void toSlime(NodeAcl nodeAcl, Cursor array) {
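Review bot: The new `trustedPorts` block passes `trustedNetworksArray` to the port overload of `toSlime`, so the `trustedPortsArray` cursor created two lines earlier is never written to and every `{port, trustedBy}` object is appended to the `trustedNetworks` array instead; the last argument should be `trustedPortsArray));`. Any consumer that reads `trustedPorts` from this response will see an empty array, and one that reads `trustedNetworks` will encounter objects without a `network` key. Separately, `nodeRepository.getNodeAcls(node, aclsForChildren)` is now evaluated twice in the same method; computing it once into a local and iterating it for both arrays avoids the repeated lookup. The enclosing method begins outside the hunk.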
@@ -61,11 +66,19 @@ public class NodeAclResponse extends HttpResponse {
}));
}
- private void toSlime(Set<String> trustedNetworks, Node trustedBy, Cursor array) {
+ private void toSlime(Set<String> trustedNetworks, Node trustedby, Cursor array) {
trustedNetworks.forEach(network -> {
Cursor object = array.addObject();
object.setString("network", network);
- object.setString("trustedBy", trustedBy.hostname());
+ object.setString("trustedBy", trustedby.hostname());
+ });
+ }
+
+ private void toSlime(Set<Integer> trustedPorts, NodeAcl trustedBy, Cursor array) {
+ trustedPorts.forEach(port -> {
+ Cursor object = array.addObject();
+ object.setLong("port", port);
+ object.setString("trustedBy", trustedBy.node().hostname());
});
}