author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-05-29 15:41:05 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-05-29 15:51:54 +0200 |
commit | 77f8294de74c47c961f3911f639b7537117e1ef4 (patch) | |
tree | 2b9f9a3fa72a62627d8b48953bc1e143a9c3fd42 /configserver | |
parent | 35ac6a771494a59dfec0fa372c375a713c1db366 (diff) |
Add feature flag for configserver rpc authorization
Diffstat (limited to 'configserver')
2 files changed, 20 insertions, 7 deletions
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java
index b069991010a..b129e53f7d3 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java
@@ -8,6 +8,8 @@ import com.yahoo.container.di.componentgraph.Provider;
 import com.yahoo.security.tls.TransportSecurityUtils;
 import com.yahoo.vespa.config.server.host.HostRegistries;
 import com.yahoo.vespa.config.server.rpc.RequestHandlerProvider;
+import com.yahoo.vespa.flags.FlagSource;
+import com.yahoo.vespa.flags.Flags;
 
 /**
  * A provider for {@link RpcAuthorizer}. The instance provided is dependent on the configuration of the configserver.
@@ -22,13 +24,25 @@ public class DefaultRpcAuthorizerProvider implements Provider<RpcAuthorizer> {
     public DefaultRpcAuthorizerProvider(ConfigserverConfig config,
                                         NodeIdentifier nodeIdentifier,
                                         HostRegistries hostRegistries,
-                                        RequestHandlerProvider handlerProvider) {
+                                        RequestHandlerProvider handlerProvider,
+                                        FlagSource flagSource) {
+        String authorizerMode = Flags.CONFIGSERVER_RPC_AUTHORIZER.bindTo(flagSource).value();
+        boolean useMultiTenantAuthorizer =
+                TransportSecurityUtils.isTransportSecurityEnabled() && config.multitenant() && config.hostedVespa() && !authorizerMode.equals("disable");
         this.rpcAuthorizer =
-                TransportSecurityUtils.isTransportSecurityEnabled() && config.multitenant() && config.hostedVespa()
-                        ? new MultiTenantRpcAuthorizer(nodeIdentifier, hostRegistries, handlerProvider)
+                useMultiTenantAuthorizer
+                        ? new MultiTenantRpcAuthorizer(nodeIdentifier, hostRegistries, handlerProvider, toMultiTenantRpcAuthorizerMode(authorizerMode))
                         : new NoopRpcAuthorizer();
     }
 
+    private static MultiTenantRpcAuthorizer.Mode toMultiTenantRpcAuthorizerMode(String authorizerMode) {
+        switch (authorizerMode) {
+            case "log-only": return MultiTenantRpcAuthorizer.Mode.LOG_ONLY;
+            case "enforce": return MultiTenantRpcAuthorizer.Mode.ENFORCE;
+            default: throw new IllegalArgumentException("Invalid authorizer mode: " + authorizerMode);
+        }
+    }
+
     @Override
     public RpcAuthorizer get() {
         return rpcAuthorizer;
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
index 2527569bea4..93ece2069b4 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
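Review bot: Selecting NoopRpcAuthorizer because the flag reads `disable` leaves no trace in the logs, so a multi-tenant hosted configserver whose RPC authorization has been switched off by the flag looks, at runtime, exactly like one that never qualified for MultiTenantRpcAuthorizer. The unknown-value path in toMultiTenantRpcAuthorizerMode already fails closed with IllegalArgumentException; I would make the disable path at least as visible, e.g. `if (authorizerMode.equals("disable")) log.warning("Configserver RPC authorization disabled by feature flag");` before the `useMultiTenantAuthorizer` assignment (the class body continues outside the hunk, so whether a Logger field already exists cannot be told from here). The flag's default lives in Flags, outside this diff, so whether a fresh deployment enforces, only logs or disables is not visible; a comment such as `// accepted values: "disable", "log-only", "enforce"; anything else fails construction on the hosted multi-tenant path` on the `authorizerMode` line would pin the contract. If `value()` can ever yield null for an unset flag — not visible here — `"disable".equals(authorizerMode)` is the safer comparison.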
@@ -1,7 +1,6 @@
 // Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.config.server.rpc.security;
 
-import com.google.inject.Inject;
 import com.yahoo.concurrent.DaemonThreadFactory;
 import com.yahoo.config.FileReference;
 import com.yahoo.config.provision.ApplicationId;
@@ -49,15 +48,15 @@ public class MultiTenantRpcAuthorizer implements RpcAuthorizer {
     private final Executor executor;
     private final Mode mode;
 
-    @Inject
     public MultiTenantRpcAuthorizer(NodeIdentifier nodeIdentifier,
                                     HostRegistries hostRegistries,
-                                    RequestHandlerProvider handlerProvider) {
+                                    RequestHandlerProvider handlerProvider,
+                                    Mode mode) {
         this(nodeIdentifier,
              hostRegistries.getTenantHostRegistry(),
              handlerProvider,
              Executors.newFixedThreadPool(4, new DaemonThreadFactory("RPC-Authorizer-")),
-             Mode.LOG_ONLY); // TODO Change default mode
+             mode);
     }
 
     MultiTenantRpcAuthorizer(NodeIdentifier nodeIdentifier,
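Review bot: The public constructor now takes `Mode` straight from the caller but does not validate it, so a null mode would only surface when the authorizer first consults `this.mode` on a request-handling thread rather than when the component is wired, unless the package-private constructor it delegates to checks it (its body is outside the hunk). Passing `Objects.requireNonNull(mode, "mode")` as the last argument of the `this(...)` call would make the authorizer fail closed at construction, which is where DefaultRpcAuthorizerProvider already rejects unknown flag values (a `java.util.Objects` import would be needed if the file has none). Dropping `@Inject` together with the TODO'd LOG_ONLY default is the right consequence of moving the mode decision to the provider; a short Javadoc on the constructor stating that `mode` is chosen by the provider and presumably decides whether unauthorized requests are rejected or only logged would document what callers now own. The enclosing class continues outside the hunk.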