authorBjørn Christian Seime <bjorncs@verizonmedia.com>2019-05-29 15:41:05 +0200
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2019-05-29 15:51:54 +0200
commit77f8294de74c47c961f3911f639b7537117e1ef4 (patch)
tree2b9f9a3fa72a62627d8b48953bc1e143a9c3fd42 /configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java
parent35ac6a771494a59dfec0fa372c375a713c1db366 (diff)
Add feature flag for configserver rpc authorization
Diffstat (limited to 'configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java')
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java20
1 files changed, 17 insertions, 3 deletions
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java
index b069991010a..b129e53f7d3 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java
@@ -8,6 +8,8 @@ import com.yahoo.container.di.componentgraph.Provider;
import com.yahoo.security.tls.TransportSecurityUtils;
import com.yahoo.vespa.config.server.host.HostRegistries;
import com.yahoo.vespa.config.server.rpc.RequestHandlerProvider;
+import com.yahoo.vespa.flags.FlagSource;
+import com.yahoo.vespa.flags.Flags;
/**
* A provider for {@link RpcAuthorizer}. The instance provided is dependent on the configuration of the configserver.
@@ -22,13 +24,25 @@ public class DefaultRpcAuthorizerProvider implements Provider<RpcAuthorizer> {
public DefaultRpcAuthorizerProvider(ConfigserverConfig config,
NodeIdentifier nodeIdentifier,
HostRegistries hostRegistries,
- RequestHandlerProvider handlerProvider) {
+ RequestHandlerProvider handlerProvider,
+ FlagSource flagSource) {
+ String authorizerMode = Flags.CONFIGSERVER_RPC_AUTHORIZER.bindTo(flagSource).value();
+ boolean useMultiTenantAuthorizer =
+ TransportSecurityUtils.isTransportSecurityEnabled() && config.multitenant() && config.hostedVespa() && !authorizerMode.equals("disable");
this.rpcAuthorizer =
- TransportSecurityUtils.isTransportSecurityEnabled() && config.multitenant() && config.hostedVespa()
- ? new MultiTenantRpcAuthorizer(nodeIdentifier, hostRegistries, handlerProvider)
+ useMultiTenantAuthorizer
+ ? new MultiTenantRpcAuthorizer(nodeIdentifier, hostRegistries, handlerProvider, toMultiTenantRpcAuthorizerMode(authorizerMode))
: new NoopRpcAuthorizer();
}
+ private static MultiTenantRpcAuthorizer.Mode toMultiTenantRpcAuthorizerMode(String authorizerMode) {
+ switch (authorizerMode) {
+ case "log-only": return MultiTenantRpcAuthorizer.Mode.LOG_ONLY;
+ case "enforce": return MultiTenantRpcAuthorizer.Mode.ENFORCE;
+ default: throw new IllegalArgumentException("Invalid authorizer mode: " + authorizerMode);
+ }
+ }
+
@Override
public RpcAuthorizer get() {
return rpcAuthorizer;
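Review bot: In the constructor, a flag value of "disable" makes `useMultiTenantAuthorizer` false, so the provider hands out `NoopRpcAuthorizer` even on a hosted multitenant config server with transport security enabled, and nothing in the hunk records that a flag switched authorization off. I would log the outcome once at construction, for example `log.info("Configserver RPC authorizer mode: " + authorizerMode + ", multi-tenant authorizer active: " + useMultiTenantAuthorizer);` (no logger field is visible in the hunk, so one may need adding). `toMultiTenantRpcAuthorizerMode` also validates the value only on the multi-tenant path, so a misspelled flag value goes unnoticed wherever one of the other three conditions is false. The flag appears to be read once here, so a later change presumably has no effect until the component is rebuilt; a short comment next to the `bindTo(flagSource).value()` call saying so would help operators.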