authorBjørn Christian Seime <bjorncs@verizonmedia.com>2019-06-05 13:53:24 +0200
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2019-06-05 13:53:24 +0200
commit78976df860e95a1c4a95bef9139f9d5d36a697cb (patch)
treea9995a3e79904aca10279aa6765fba646a614079 /configserver
parentfe1a5ab9f27b7be4d15aaf2ee640e86e79701e14 (diff)
Allow nodes not in host registry to access sentinel config
Diffstat (limited to 'configserver')
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java17
-rw-r--r--configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java17
2 files changed, 31 insertions, 3 deletions
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
index 87daf1181da..98d52783320 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
@@ -1,6 +1,7 @@
// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.config.server.rpc.security;
+import com.yahoo.cloud.config.SentinelConfig;
import com.yahoo.concurrent.DaemonThreadFactory;
import com.yahoo.config.FileReference;
import com.yahoo.config.provision.ApplicationId;
@@ -111,9 +112,14 @@ public class MultiTenantRpcAuthorizer implements RpcAuthorizer {
return; // global config access ok
} else {
String hostname = configRequest.getClientHostName();
- TenantName tenantName = Optional.ofNullable(hostRegistry.getKeyForHost(hostname))
- .orElseThrow(() -> new AuthorizationException(String.format("Host '%s' not found in host registry", hostname)));
- RequestHandler tenantHandler = getTenantHandler(tenantName);
+ Optional<TenantName> tenantName = Optional.ofNullable(hostRegistry.getKeyForHost(hostname));
+ if (tenantName.isEmpty()) {
+ if (isConfigKeyForSentinelConfig(configKey)) {
+ return; // config processor will return empty sentinel config for unknown nodes
+ }
+ throw new AuthorizationException(String.format("Host '%s' not found in host registry", hostname));
+ }
+ RequestHandler tenantHandler = getTenantHandler(tenantName.get());
ApplicationId resolvedApplication = tenantHandler.resolveApplicationId(hostname);
ApplicationId peerOwner = applicationId(peerIdentity);
if (peerOwner.equals(resolvedApplication)) {
@@ -187,6 +193,11 @@ public class MultiTenantRpcAuthorizer implements RpcAuthorizer {
return "*".equals(configKey.getConfigId());
}
+ private static boolean isConfigKeyForSentinelConfig(ConfigKey<?> configKey) {
+ return SentinelConfig.getDefName().equals(configKey.getName())
+ && SentinelConfig.getDefNamespace().equals(configKey.getNamespace());
+ }
+
private static ApplicationId applicationId(NodeIdentity peerIdentity) {
return peerIdentity.applicationId()
.orElseThrow(() -> new AuthorizationException("Peer node is not associated with an application: " + peerIdentity.toString()));
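Review bot: The early return for sentinel config on an unregistered host (the `isConfigKeyForSentinelConfig` branch in the `@@ -111,9 +112,14 @@` hunk) makes an authorization decision rest on a guarantee owned by another component — that the config processor serves an empty sentinel config for hosts absent from the registry — and nothing in the authorizer enforces, tests or records that invariant; if the processor's behaviour changes, this branch quietly becomes a path for any peer presenting an unregistered hostname to read a tenant's sentinel config. The contract deserves to be stated where the helper is defined rather than in a one-line inline comment, e.g. a Javadoc on `isConfigKeyForSentinelConfig` saying that a match short-circuits host-registry authorization and that callers rely on the config processor returning an empty sentinel config for unknown hosts. The bypass is also worth making observable: if the class already has a logger, a fine-level log of the hostname and config key at the `return` would let an unexpected volume of unknown-host sentinel requests be noticed. Note that the return also skips the `applicationId(peerIdentity)` check a few lines below, so a peer identity with no application id now passes for this case; whether that is intended cannot be judged from the hunk, since the enclosing method starts before it.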
diff --git a/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java b/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java
index b0f4bd3a4ee..a1d4f28cb74 100644
--- a/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java
+++ b/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java
@@ -2,6 +2,7 @@ package com.yahoo.vespa.config.server.rpc.security;// Copyright 2018 Yahoo Holdi
import com.yahoo.cloud.config.LbServicesConfig;
import com.yahoo.cloud.config.RoutingConfig;
+import com.yahoo.cloud.config.SentinelConfig;
import com.yahoo.config.FileReference;
import com.yahoo.config.provision.ApplicationId;
import com.yahoo.config.provision.HostName;
@@ -213,6 +214,22 @@ public class MultiTenantRpcAuthorizerTest {
.get();
}
+ @Test
+ public void tenant_node_not_in_hostregistry_allowed_to_access_sentinel_config() throws ExecutionException, InterruptedException {
+ NodeIdentity identity = new NodeIdentity.Builder(NodeType.tenant)
+ .applicationId(APPLICATION_ID)
+ .build();
+
+ HostRegistry<TenantName> hostRegistry = new HostRegistry<>();
+
+ RpcAuthorizer authorizer = createAuthorizer(identity, hostRegistry);
+
+ Request configRequest = createConfigRequest(new ConfigKey<>(SentinelConfig.CONFIG_DEF_NAME, "configid", SentinelConfig.CONFIG_DEF_NAMESPACE), HOSTNAME);
+
+ authorizer.authorizeConfigRequest(configRequest)
+ .get();
+ }
+
private static RpcAuthorizer createAuthorizer(NodeIdentity identity, HostRegistry<TenantName> hostRegistry) {
return new MultiTenantRpcAuthorizer(