authorBjørn Christian Seime <bjorncs@verizonmedia.com>2019-05-29 15:41:05 +0200
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2019-05-29 15:51:54 +0200
commit77f8294de74c47c961f3911f639b7537117e1ef4 (patch)
tree2b9f9a3fa72a62627d8b48953bc1e143a9c3fd42 /configserver
parent35ac6a771494a59dfec0fa372c375a713c1db366 (diff)
Add feature flag for configserver rpc authorization
Diffstat (limited to 'configserver')
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java20
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java7
2 files changed, 20 insertions, 7 deletions
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java
index b069991010a..b129e53f7d3 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java
@@ -8,6 +8,8 @@ import com.yahoo.container.di.componentgraph.Provider;
import com.yahoo.security.tls.TransportSecurityUtils;
import com.yahoo.vespa.config.server.host.HostRegistries;
import com.yahoo.vespa.config.server.rpc.RequestHandlerProvider;
+import com.yahoo.vespa.flags.FlagSource;
+import com.yahoo.vespa.flags.Flags;
/**
* A provider for {@link RpcAuthorizer}. The instance provided is dependent on the configuration of the configserver.
@@ -22,13 +24,25 @@ public class DefaultRpcAuthorizerProvider implements Provider<RpcAuthorizer> {
public DefaultRpcAuthorizerProvider(ConfigserverConfig config,
NodeIdentifier nodeIdentifier,
HostRegistries hostRegistries,
- RequestHandlerProvider handlerProvider) {
+ RequestHandlerProvider handlerProvider,
+ FlagSource flagSource) {
+ String authorizerMode = Flags.CONFIGSERVER_RPC_AUTHORIZER.bindTo(flagSource).value();
+ boolean useMultiTenantAuthorizer =
+ TransportSecurityUtils.isTransportSecurityEnabled() && config.multitenant() && config.hostedVespa() && !authorizerMode.equals("disable");
this.rpcAuthorizer =
- TransportSecurityUtils.isTransportSecurityEnabled() && config.multitenant() && config.hostedVespa()
- ? new MultiTenantRpcAuthorizer(nodeIdentifier, hostRegistries, handlerProvider)
+ useMultiTenantAuthorizer
+ ? new MultiTenantRpcAuthorizer(nodeIdentifier, hostRegistries, handlerProvider, toMultiTenantRpcAuthorizerMode(authorizerMode))
: new NoopRpcAuthorizer();
}
+ private static MultiTenantRpcAuthorizer.Mode toMultiTenantRpcAuthorizerMode(String authorizerMode) {
+ switch (authorizerMode) {
+ case "log-only": return MultiTenantRpcAuthorizer.Mode.LOG_ONLY;
+ case "enforce": return MultiTenantRpcAuthorizer.Mode.ENFORCE;
+ default: throw new IllegalArgumentException("Invalid authorizer mode: " + authorizerMode);
+ }
+ }
+
@Override
public RpcAuthorizer get() {
return rpcAuthorizer;
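Review bot: The set of accepted flag values is split across the hunk — `"disable"` is matched inline on the `useMultiTenantAuthorizer` line, while `"log-only"` and `"enforce"` are only recognized inside `toMultiTenantRpcAuthorizerMode`, so an unrecognized value reaches the `IllegalArgumentException` only when TLS, `multitenant()` and `hostedVespa()` all hold and otherwise silently selects `NoopRpcAuthorizer`. The fail-closed `default` branch is the right choice for an authorization switch; it would be stronger to validate the flag value once before the branch so a typo is rejected in every configuration, e.g. `if (!Set.of("disable", "log-only", "enforce").contains(authorizerMode)) throw new IllegalArgumentException("Invalid authorizer mode: " + authorizerMode);` (assuming the flag's default is one of these three, which the hunk does not show). The helper also lacks a comment; suggest `/** Maps a CONFIGSERVER_RPC_AUTHORIZER flag value to a Mode; "disable" is handled by the caller and never reaches here, and any other unknown value fails construction rather than falling back to no-op. */`. The class and the `get()` method continue past the end of the hunk.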
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
index 2527569bea4..93ece2069b4 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
@@ -1,7 +1,6 @@
// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.config.server.rpc.security;
-import com.google.inject.Inject;
import com.yahoo.concurrent.DaemonThreadFactory;
import com.yahoo.config.FileReference;
import com.yahoo.config.provision.ApplicationId;
@@ -49,15 +48,15 @@ public class MultiTenantRpcAuthorizer implements RpcAuthorizer {
private final Executor executor;
private final Mode mode;
- @Inject
public MultiTenantRpcAuthorizer(NodeIdentifier nodeIdentifier,
HostRegistries hostRegistries,
- RequestHandlerProvider handlerProvider) {
+ RequestHandlerProvider handlerProvider,
+ Mode mode) {
this(nodeIdentifier,
hostRegistries.getTenantHostRegistry(),
handlerProvider,
Executors.newFixedThreadPool(4, new DaemonThreadFactory("RPC-Authorizer-")),
- Mode.LOG_ONLY); // TODO Change default mode
+ mode);
}
MultiTenantRpcAuthorizer(NodeIdentifier nodeIdentifier,