author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-05-29 15:41:05 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-05-29 15:51:54 +0200 |
commit | 77f8294de74c47c961f3911f639b7537117e1ef4 (patch) | |
tree | 2b9f9a3fa72a62627d8b48953bc1e143a9c3fd42 /configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java | |
parent | 35ac6a771494a59dfec0fa372c375a713c1db366 (diff) |
Add feature flag for configserver rpc authorization
Diffstat (limited to 'configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java')
-rw-r--r-- | configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java
index b069991010a..b129e53f7d3 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java
@@ -8,6 +8,8 @@ import com.yahoo.container.di.componentgraph.Provider;
 import com.yahoo.security.tls.TransportSecurityUtils;
 import com.yahoo.vespa.config.server.host.HostRegistries;
 import com.yahoo.vespa.config.server.rpc.RequestHandlerProvider;
+import com.yahoo.vespa.flags.FlagSource;
+import com.yahoo.vespa.flags.Flags;
 
 /**
 * A provider for {@link RpcAuthorizer}. The instance provided is dependent on the configuration of the configserver.
@@ -22,13 +24,25 @@ public class DefaultRpcAuthorizerProvider implements Provider<RpcAuthorizer> {
 public DefaultRpcAuthorizerProvider(ConfigserverConfig config,
 NodeIdentifier nodeIdentifier,
 HostRegistries hostRegistries,
- RequestHandlerProvider handlerProvider) {
+ RequestHandlerProvider handlerProvider,
+ FlagSource flagSource) {
+ String authorizerMode = Flags.CONFIGSERVER_RPC_AUTHORIZER.bindTo(flagSource).value();
+ boolean useMultiTenantAuthorizer =
+ TransportSecurityUtils.isTransportSecurityEnabled() && config.multitenant() && config.hostedVespa() && !authorizerMode.equals("disable");
 this.rpcAuthorizer =
- TransportSecurityUtils.isTransportSecurityEnabled() && config.multitenant() && config.hostedVespa()
- ? new MultiTenantRpcAuthorizer(nodeIdentifier, hostRegistries, handlerProvider)
+ useMultiTenantAuthorizer
+ ? new MultiTenantRpcAuthorizer(nodeIdentifier, hostRegistries, handlerProvider, toMultiTenantRpcAuthorizerMode(authorizerMode))
 : new NoopRpcAuthorizer();
 }
 
+ private static MultiTenantRpcAuthorizer.Mode toMultiTenantRpcAuthorizerMode(String authorizerMode) {
+ switch (authorizerMode) {
+ case "log-only": return MultiTenantRpcAuthorizer.Mode.LOG_ONLY;
+ case "enforce": return MultiTenantRpcAuthorizer.Mode.ENFORCE;
+ default: throw new IllegalArgumentException("Invalid authorizer mode: " + authorizerMode);
+ }
+ }
+
 @Override
 public RpcAuthorizer get() {
 return rpcAuthorizer; |
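Review bot: A flag value of `"disable"` now selects `NoopRpcAuthorizer` on a hosted, multitenant config server with transport security enabled, and nothing in the constructor records which authorizer or mode was chosen. Because this switches off an authorization control (or downgrades it to `LOG_ONLY`) through runtime configuration, I would log the resolved value once at construction, using whatever logger the class adopts, e.g. `log.info("Config server RPC authorizer mode: " + authorizerMode);`. The accepted strings are also split between the `!authorizerMode.equals("disable")` test and the switch in `toMultiTenantRpcAuthorizerMode`, so an unrecognised value is rejected only when the other three conditions hold. Validating the value in one place before the boolean is computed would make a typo fail the same way in every environment. The flag appears to be read only once here, so a short comment that a change presumably needs the provider to be rebuilt would help; the body of `get()` continues outside the hunk.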