authorValerij Fredriksen <freva@users.noreply.github.com>2021-04-09 08:22:27 +0200
committerGitHub <noreply@github.com>2021-04-09 08:22:27 +0200
commit95fa96bc64dfc17a356835d456187632f6524383 (patch)
treea7f5810eb1ca33605a2cdba4952e6bc79516ddb0 /controller-server
parentf5e6496a5b8e39371ca56c3ae1147d5fc6fd43cd (diff)
Limit archive IAM role length (#17320)
Diffstat (limited to 'controller-server')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/archive/CuratorArchiveBucketDb.java5
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/tenant/CloudTenant.java2
2 files changed, 5 insertions, 2 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/archive/CuratorArchiveBucketDb.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/archive/CuratorArchiveBucketDb.java
index 0037048fca8..8bc2271825b 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/archive/CuratorArchiveBucketDb.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/archive/CuratorArchiveBucketDb.java
@@ -31,8 +31,9 @@ public class CuratorArchiveBucketDb implements ArchiveBucketDb {
/**
* Due to policy limits, we can't put data for more than this many tenants in a bucket.
- * Policy size limit is 20kb, with approx. 500 bytes of policy required per tenant = 40 tenants.
- * We set the maximum a bit lower to have a solid margin of error.
+ * Policy size limit is 20kb, about 550 bytes for non-tenant related policies. Each tenant
+ * needs about 500 + len(role_arn) bytes, we limit role_arn to 100 characters, so we can
+ * fit about (20k - 550) / 600 ~ 32 tenants per bucket.
*/
private final static int TENANTS_PER_BUCKET = 30;
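Review bot: The derivation of TENANTS_PER_BUCKET now rests on a 100-character cap that this comment states in prose but that is enforced only by a bare `100` literal in CloudTenant (the second hunk), so the two can drift apart without anything noticing. A named constant on CloudTenant, `public static final int MAX_ARCHIVE_ACCESS_ROLE_LENGTH = 100;`, used by the validation and referenced here with `{@link CloudTenant#MAX_ARCHIVE_ACCESS_ROLE_LENGTH}` would tie the budget arithmetic to the check that guarantees it. The comment could also say that the 30 is deliberately below the computed ~32 as a margin, as the old text did; the current wording drops that explanation. The rest of the class is outside the hunk.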
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/tenant/CloudTenant.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/tenant/CloudTenant.java
index 4f9702669dd..7e68ca289f6 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/tenant/CloudTenant.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/tenant/CloudTenant.java
@@ -42,6 +42,8 @@ public class CloudTenant extends Tenant {
if (!archiveAccessRole.map(role -> VALID_ARCHIVE_ACCESS_ROLE_PATTERN.matcher(role).matches()).orElse(true))
throw new IllegalArgumentException(String.format("Invalid archive access role '%s': Must match expected pattern: '%s'",
archiveAccessRole.get(), VALID_ARCHIVE_ACCESS_ROLE_PATTERN.pattern()));
+ if (archiveAccessRole.map(role -> role.length() > 100).orElse(false))
+ throw new IllegalArgumentException("Invalid archive access role too long, must be 100 or less characters");
}
/** Creates a tenant with the given name, provided it passes validation. */
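Review bot: The new check compares `role.length()` against a limit that exists to bound policy size in bytes, but `String.length()` counts UTF-16 code units, so a role value containing non-ASCII characters could pass this check while exceeding the byte budget; whether that is reachable depends on VALID_ARCHIVE_ACCESS_ROLE_PATTERN, which is outside the hunk, and it is worth confirming the pattern restricts the role to ASCII (or measuring `role.getBytes(StandardCharsets.UTF_8).length` instead). The second Optional round-trip is also hard to read next to the pattern check above it; a plain `archiveAccessRole.ifPresent(role -> { ... })` holding both checks, or at least `if (archiveAccessRole.isPresent() && archiveAccessRole.get().length() > 100)`, reads more directly. The error message would be more useful if it reported the offending length, e.g. `"Invalid archive access role: length " + role.length() + " exceeds maximum of 100 characters"`. The enclosing constructor starts before this hunk.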