author | toby <smorgrav@yahoo-inc.com> | 2018-04-09 14:24:34 +0200 |
---|---|---|
committer | toby <smorgrav@yahoo-inc.com> | 2018-04-09 15:17:00 +0200 |
commit | dc16854abbca84a6b684aea0bb7d4d742e02e2c4 (patch) | |
tree | 6e1bcbdc2b2eb86314277b5c764de8425cc1a49c | |
parent | 43eaa4fa40b9f5fce07c4b5c991f551f93b44883 (diff) |
Add trusted ports to the NodeAcl object
3 files changed, 31 insertions, 6 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
index 2ef79ec53dd..4bf7e70d06b 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
@@ -166,11 +166,12 @@ public class NodeRepository extends AbstractComponent {
public List<Node> getFailed() { return db.getNodes(Node.State.failed); }
/**
- * Returns a set of nodes that should be trusted by the given node.
+ * Returns the ACL for the node (trusted nodes, networks and ports)
*/
private NodeAcl getNodeAcl(Node node, NodeList candidates) {
Set<Node> trustedNodes = new TreeSet<>(Comparator.comparing(Node::hostname));
Set<String> trustedNetworks = new HashSet<>();
+ Set<Integer> trustedPorts = new HashSet<>();
// For all cases below, trust:
// - nodes in same application
@@ -198,13 +199,18 @@ public class NodeRepository extends AbstractComponent {
case config:
// Config servers trust all nodes
trustedNodes.addAll(candidates.asList());
+
+ // And all connections on 4443
+ trustedPorts.add(4443);
break;
case proxy:
- // No special rules for proxies
+ // Accept connections from the world on 4443
+ trustedPorts.add(4443);
break;
case host:
+ // This is only needed for macvlan networks - for nated networks this is handled elsewhere.
// Docker bridge network
trustedNetworks.add("172.17.0.0/16");
break;
@@ -215,7 +221,7 @@ public class NodeRepository extends AbstractComponent {
node.hostname(), node.type()));
}
- return new NodeAcl(node, trustedNodes, trustedNetworks);
+ return new NodeAcl(node, trustedNodes, trustedNetworks, trustedPorts);
}
/**
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
index a6190f41c07..34a8b414ef4 100644
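Review bot: The port 4443 is written as a bare literal in both the `config` and the `proxy` branch, and `trustedPorts` is a plain `Set<Integer>` that carries neither a protocol nor a source restriction, so whoever turns this ACL into firewall rules has to guess that it means "any source address" (the proxy comment says as much, the config comment does not). Hoist the number into a named constant, e.g. `private static final int PUBLIC_PORT = 4443; // presumably the externally reachable TLS port - confirm`, and document the set where it is declared: `// Ports accepting connections from any source; only put ports here whose service authenticates its clients`. The host-branch comment should read "NATed" rather than "nated". The enclosing switch starts and ends outside this hunk.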
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
@@ -17,11 +17,13 @@ public class NodeAcl {
private final Node node;
private final Set<Node> trustedNodes;
private final Set<String> trustedNetworks;
+ private final Set<Integer> trustedPorts;
- public NodeAcl(Node node, Set<Node> trustedNodes, Set<String> trustedNetworks) {
+ public NodeAcl(Node node, Set<Node> trustedNodes, Set<String> trustedNetworks, Set<Integer> trustedPorts) {
this.node = node;
this.trustedNodes = ImmutableSet.copyOf(trustedNodes);
this.trustedNetworks = ImmutableSet.copyOf(trustedNetworks);
+ this.trustedPorts = ImmutableSet.copyOf(trustedPorts);
}
public Node node() {
@@ -35,4 +37,8 @@ public class NodeAcl {
public Set<String> trustedNetworks() {
return trustedNetworks;
}
+
+ public Set<Integer> trustedPorts() {
+ return trustedPorts;
+ }
}
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/NodeAclResponse.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/NodeAclResponse.java
index 65b727ad0dd..e2eff619007 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/NodeAclResponse.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/NodeAclResponse.java
@@ -49,6 +49,11 @@ public class NodeAclResponse extends HttpResponse {
nodeRepository.getNodeAcls(node, aclsForChildren).forEach(nodeAcl -> toSlime(nodeAcl.trustedNetworks(),
nodeAcl.node(),
trustedNetworksArray));
+
+ Cursor trustedPortsArray = object.setArray("trustedPorts");
+ nodeRepository.getNodeAcls(node, aclsForChildren).forEach(nodeAcl -> toSlime(nodeAcl.trustedPorts(),
+ nodeAcl,
+ trustedNetworksArray));
}
private void toSlime(NodeAcl nodeAcl, Cursor array) {
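Review bot: The new constructor copies `trustedPorts` without checking that each entry is a valid port number, so a negative or out-of-range value is accepted here and only surfaces wherever the ACL is rendered into firewall rules, far from the caller that produced it. `ImmutableSet.copyOf` presumably already rejects null elements, so a range check is the only thing missing: `for (int port : trustedPorts) { if (port < 0 || port > 65535) throw new IllegalArgumentException("Invalid port: " + port); }`. The new field and getter also deserve a line of Javadoc saying what membership means, e.g. `/** Ports on which this node accepts connections from any source */`, since nothing in this class says so.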
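Review bot: The added `forEach` writes the port entries into `trustedNetworksArray` instead of the `trustedPortsArray` created on the line just above it, so the `trustedPorts` array in the response is always empty and the `trustedNetworks` array gains objects with a `port` key and no `network` key; a client applying these ACLs would never open the ports and might choke on the malformed network entries. The last argument should be `trustedPortsArray));`. The hunk also calls `nodeRepository.getNodeAcls(node, aclsForChildren)` a second time to recompute the same ACLs; computing the list once and reusing it for both arrays would avoid that. The enclosing method starts before this hunk.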
@@ -61,11 +66,19 @@ public class NodeAclResponse extends HttpResponse {
}));
}
- private void toSlime(Set<String> trustedNetworks, Node trustedBy, Cursor array) {
+ private void toSlime(Set<String> trustedNetworks, Node trustedby, Cursor array) {
trustedNetworks.forEach(network -> {
Cursor object = array.addObject();
object.setString("network", network);
- object.setString("trustedBy", trustedBy.hostname());
+ object.setString("trustedBy", trustedby.hostname());
+ });
+ }
+
+ private void toSlime(Set<Integer> trustedPorts, NodeAcl trustedBy, Cursor array) {
+ trustedPorts.forEach(port -> {
+ Cursor object = array.addObject();
+ object.setLong("port", port);
+ object.setString("trustedBy", trustedBy.node().hostname());
});
}
|
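Review bot: The existing network overload renames its parameter from `trustedBy` to `trustedby`, an unrelated change that breaks lowerCamelCase for no gain and should be reverted. The new port overload takes a `NodeAcl` where its sibling takes a `Node`, so the two `toSlime` helpers produce the same `trustedBy` field from differently shaped arguments; declare it as `private void toSlime(Set<Integer> trustedPorts, Node trustedBy, Cursor array) {`, write `object.setString("trustedBy", trustedBy.hostname());`, and pass `nodeAcl.node()` at the call site as the network variant does. The `}));` at the top of the hunk closes a method that starts outside it.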