author | Valerij Fredriksen <freva@users.noreply.github.com> | 2021-04-09 08:22:27 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-04-09 08:22:27 +0200 |
commit | 95fa96bc64dfc17a356835d456187632f6524383 (patch) | |
tree | a7f5810eb1ca33605a2cdba4952e6bc79516ddb0 /controller-server | |
parent | f5e6496a5b8e39371ca56c3ae1147d5fc6fd43cd (diff) |
Limit archive IAM role length (#17320)
Diffstat (limited to 'controller-server')
2 files changed, 5 insertions, 2 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/archive/CuratorArchiveBucketDb.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/archive/CuratorArchiveBucketDb.java
index 0037048fca8..8bc2271825b 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/archive/CuratorArchiveBucketDb.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/archive/CuratorArchiveBucketDb.java
@@ -31,8 +31,9 @@ public class CuratorArchiveBucketDb implements ArchiveBucketDb {
 /**
 * Due to policy limits, we can't put data for more than this many tenants in a bucket.
- * Policy size limit is 20kb, with approx. 500 bytes of policy required per tenant = 40 tenants.
- * We set the maximum a bit lower to have a solid margin of error.
+ * Policy size limit is 20kb, about 550 bytes for non-tenant related policies. Each tenant
+ * needs about 500 + len(role_arn) bytes, we limit role_arn to 100 characters, so we can
+ * fit about (20k - 550) / 600 ~ 32 tenants per bucket.
 */
 private final static int TENANTS_PER_BUCKET = 30;
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/tenant/CloudTenant.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/tenant/CloudTenant.java
index 4f9702669dd..7e68ca289f6 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/tenant/CloudTenant.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/tenant/CloudTenant.java
@@ -42,6 +42,8 @@ public class CloudTenant extends Tenant {
 if (!archiveAccessRole.map(role -> VALID_ARCHIVE_ACCESS_ROLE_PATTERN.matcher(role).matches()).orElse(true))
 throw new IllegalArgumentException(String.format("Invalid archive access role '%s': Must match expected pattern: '%s'", archiveAccessRole.get(), VALID_ARCHIVE_ACCESS_ROLE_PATTERN.pattern()));
+ if (archiveAccessRole.map(role -> role.length() > 100).orElse(false))
+ throw new IllegalArgumentException("Invalid archive access role too long, must be 100 or less characters");
 }
 /** Creates a tenant with the given name, provided it passes validation. */ |
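Review bot: The new length check runs after the regex match, so an oversized role string is still handed to `VALID_ARCHIVE_ACCESS_ROLE_PATTERN.matcher(role).matches()` before it is rejected; placing the cheap length guard above the pattern check bounds the input the matcher ever sees (the pattern itself is outside the hunk, so how it behaves on long input is inferred). The limit 100 is also a bare literal in the condition, in the message, and in the CuratorArchiveBucketDb Javadoc whose policy-size arithmetic depends on it; a named constant keeps the three in step: `private static final int MAX_ARCHIVE_ACCESS_ROLE_LENGTH = 100;`, `if (archiveAccessRole.map(role -> role.length() > MAX_ARCHIVE_ACCESS_ROLE_LENGTH).orElse(false))` and `throw new IllegalArgumentException("Invalid archive access role: must be at most " + MAX_ARCHIVE_ACCESS_ROLE_LENGTH + " characters");`. `String.length()` counts UTF-16 units while the bucket comment budgets bytes, which only line up if the pattern restricts the role to ASCII — worth stating in a comment next to the constant. The enclosing constructor or validation method begins before this hunk.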