author | Henning Baldersheim <balder@yahoo-inc.com> | 2023-01-16 18:46:54 +0100 |
committer | GitHub <noreply@github.com> | 2023-01-16 18:46:54 +0100 |
commit | 09f909cb7f2c8468236e1403a094696801ea7518 (patch) | |
tree | 8224dad91c21ba7b897e5936eb3a4a8359d0a48f /node-admin/src/main/java/com | |
parent | c18caefd28001e38c49b3ba2f1cbd1ca030062c5 (diff) | |
parent | 2dd2e2b0be165492d1609f3a84eab29b3f1d2324 (diff) |
Merge pull request #25590 from vespa-engine/revert-25588-revert-25586-andreer/wg-wip-3v8.111.27
Reapply "open wireguard port for config servers"
Diffstat (limited to 'node-admin/src/main/java/com')
4 files changed, 41 insertions, 12 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java index 87dd42d8008..311a95e1a12 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java @@ -23,25 +23,28 @@ import java.util.stream.Collectors; */ public class Acl { - public static final Acl EMPTY = new Acl(Set.of(), Set.of(), Set.of()); + public static final Acl EMPTY = new Acl(Set.of(), Set.of(), Set.of(), Set.of()); private final Set<Node> trustedNodes; private final Set<Integer> trustedPorts; + private final Set<Integer> trustedUdpPorts; private final Set<String> trustedNetworks; /** - * @param trustedPorts Ports to trust + * @param trustedPorts TCP Ports to trust + * @param trustedUdpPorts UDP ports to trust * @param trustedNodes Nodes to trust * @param trustedNetworks Networks (in CIDR notation) to trust */ - public Acl(Set<Integer> trustedPorts, Set<Node> trustedNodes, Set<String> trustedNetworks) { + public Acl(Set<Integer> trustedPorts, Set<Integer> trustedUdpPorts, Set<Node> trustedNodes, Set<String> trustedNetworks) { this.trustedNodes = copyOfNullable(trustedNodes); this.trustedPorts = copyOfNullable(trustedPorts); + this.trustedUdpPorts = copyOfNullable(trustedUdpPorts); this.trustedNetworks = copyOfNullable(trustedNetworks); } public Acl(Set<Integer> trustedPorts, Set<Node> trustedNodes) { - this(trustedPorts, trustedNodes, Set.of()); + this(trustedPorts, Set.of(), trustedNodes, Set.of()); } public List<String> toRules(IPVersion ipVersion) { 
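Review bot: The new four-argument constructor puts `Set<Integer> trustedUdpPorts` directly after `Set<Integer> trustedPorts`, so a caller that transposes the two compiles cleanly and ends up opening the TCP set as UDP and the UDP set as TCP, with nothing in the constructor able to detect it. Since the class already ships a `Builder`, the Javadoc could steer callers there: `* Prefer {@link Builder} when both TCP and UDP ports are given; the two Set<Integer> parameters are easy to transpose.` The `copyOfNullable` handling keeps the fail-closed default (no UDP rule emitted) for a host with no UDP entry, which is worth stating on `@param trustedUdpPorts`. `toRules` begins on the last line of this hunk and continues outside it.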
@@ -66,6 +69,11 @@ public class Acl { rules.add("-A INPUT -p tcp -m multiport --dports " + joinPorts(trustedPorts) + " -j ACCEPT"); } + // Allow trusted UDP ports if any + if (!trustedUdpPorts.isEmpty()) { + rules.add("-A INPUT -p udp -m multiport --dports " + joinPorts(trustedUdpPorts) + " -j ACCEPT"); + } + // Allow traffic from trusted nodes, limited to specific ports, if any getTrustedNodes(ipVersion).stream() .map(node -> { @@ -113,8 +121,8 @@ public class Acl { return trustedPorts; } - public Set<Integer> getTrustedPorts(IPVersion ipVersion) { - return trustedPorts; + public Set<Integer> getTrustedUdpPorts() { + return trustedUdpPorts; } @Override @@ -124,12 +132,13 @@ public class Acl { Acl acl = (Acl) o; return trustedNodes.equals(acl.trustedNodes) && trustedPorts.equals(acl.trustedPorts) && + trustedUdpPorts.equals(acl.trustedUdpPorts) && trustedNetworks.equals(acl.trustedNetworks); } @Override public int hashCode() { - return Objects.hash(trustedNodes, trustedPorts, trustedNetworks); + return Objects.hash(trustedNodes, trustedPorts, trustedUdpPorts, trustedNetworks); } @Override @@ -137,6 +146,7 @@ public class Acl { return "Acl{" + "trustedNodes=" + trustedNodes + ", trustedPorts=" + trustedPorts + + ", trustedUdpPorts=" + trustedUdpPorts + ", trustedNetworks=" + trustedNetworks + '}'; } @@ -175,6 +185,7 @@ public class Acl { private final Set<Node> trustedNodes = new HashSet<>(); private final Set<Integer> trustedPorts = new HashSet<>(); + private final Set<Integer> trustedUdpPorts = new HashSet<>(); private final Set<String> trustedNetworks = new HashSet<>(); public Builder() { } 
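Review bot: The new `-A INPUT -p udp -m multiport --dports … -j ACCEPT` rule carries no source match, so every port in `trustedUdpPorts` is reachable from any address, unlike the node-scoped rules the comment below it describes; that is presumably intended for WireGuard, whose handshake authenticates peers itself, but the word "trusted" in the field name hides it. Suggest a comment at the rule: `// Source-unrestricted: UDP ports listed here are open to any address, so only services that authenticate peers themselves (e.g. WireGuard) belong in this set`. Separately, the iptables multiport match accepts at most 15 ports; whether the config server could ever hand out more than that is not visible here, and the TCP rule above shares the limit, but a guard or a split into several rules would turn a rejected ruleset into an explicit error. The enclosing `toRules` method starts and ends outside this hunk.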
@@ -207,13 +218,18 @@ public class Acl { return this; } + public Builder withTrustedUdpPorts(Integer... ports) { + trustedUdpPorts.addAll(List.of(ports)); + return this; + } + public Builder withTrustedNetworks(Set<String> networks) { trustedNetworks.addAll(networks); return this; } public Acl build() { - return new Acl(trustedPorts, trustedNodes, trustedNetworks); + return new Acl(trustedPorts, trustedUdpPorts, trustedNodes, trustedNetworks); } } diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java index 36a4703a415..c15998a48df 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java @@ -91,6 +91,12 @@ public class RealNodeRepository implements NodeRepository { GetAclResponse.Port::getTrustedBy, Collectors.mapping(port -> port.port, Collectors.toSet()))); + // Group UDP ports by container hostname that trusts them + Map<String, Set<Integer>> trustedUdpPorts = response.trustedUdpPorts.stream() + .collect(Collectors.groupingBy( + GetAclResponse.Port::getTrustedBy, + Collectors.mapping(port -> port.port, Collectors.toSet()))); + // Group node ip-addresses by container hostname that trusts them Map<String, Set<Acl.Node>> trustedNodes = response.trustedNodes.stream() .collect(Collectors.groupingBy( 
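Review bot: The UDP grouping added at the top of the RealNodeRepository hunk is a verbatim copy of the TCP grouping immediately above it (the same `groupingBy(Port::getTrustedBy, mapping(port -> port.port, toSet()))` pipeline), and the two will drift the next time one of them changes. A small private helper taking the `List<GetAclResponse.Port>` and returning the per-host `Map<String, Set<Integer>>` would make both call sites one-liners and give the TCP/UDP symmetry a single place to live. The enclosing method starts before this hunk and continues after it.
```java
// … unchanged: trustedNodes / trustedNetworks grouping and ACL assembly …
Map<String, Set<Integer>> trustedPorts = portsByTrustingHost(response.trustedPorts);
Map<String, Set<Integer>> trustedUdpPorts = portsByTrustingHost(response.trustedUdpPorts);

/** Groups the given ports by the container hostname that trusts them. */
private static Map<String, Set<Integer>> portsByTrustingHost(List<GetAclResponse.Port> ports) {
    return ports.stream()
            .collect(Collectors.groupingBy(GetAclResponse.Port::getTrustedBy,
                                           Collectors.mapping(port -> port.port, Collectors.toSet())));
}
```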
@@ -106,12 +112,14 @@ public class RealNodeRepository implements NodeRepository { // For each hostname create an ACL - return Stream.of(trustedNodes.keySet(), trustedPorts.keySet(), trustedNetworks.keySet()) + return Stream.of(trustedNodes.keySet(), trustedPorts.keySet(), trustedUdpPorts.keySet(), trustedNetworks.keySet()) .flatMap(Set::stream) .distinct() .collect(Collectors.toMap( Function.identity(), - hostname -> new Acl(trustedPorts.get(hostname), trustedNodes.get(hostname), + hostname -> new Acl(trustedPorts.get(hostname), + trustedUdpPorts.get(hostname), + trustedNodes.get(hostname), trustedNetworks.get(hostname)))); } diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/bindings/GetAclResponse.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/bindings/GetAclResponse.java index 08d145b3ac8..6e12d55888f 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/bindings/GetAclResponse.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/bindings/GetAclResponse.java 
@@ -24,13 +24,18 @@ public class GetAclResponse { @JsonProperty("trustedPorts") public final List<Port> trustedPorts; + @JsonProperty("trustedUdpPorts") + public final List<Port> trustedUdpPorts; + @JsonCreator public GetAclResponse(@JsonProperty("trustedNodes") List<Node> trustedNodes, @JsonProperty("trustedNetworks") List<Network> trustedNetworks, - @JsonProperty("trustedPorts") List<Port> trustedPorts) { + @JsonProperty("trustedPorts") List<Port> trustedPorts, + @JsonProperty("trustedUdpPorts") List<Port> trustedUdpPorts) { this.trustedNodes = trustedNodes == null ? List.of() : List.copyOf(trustedNodes); this.trustedNetworks = trustedNetworks == null ? List.of() : List.copyOf(trustedNetworks); this.trustedPorts = trustedPorts == null ? List.of() : List.copyOf(trustedPorts); + this.trustedUdpPorts = trustedUdpPorts == null ? List.of() : List.copyOf(trustedUdpPorts); } @JsonIgnoreProperties(ignoreUnknown = true) diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditor.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditor.java index 462790b8d0f..d687f959d3b 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditor.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditor.java @@ -9,7 +9,7 @@ import com.yahoo.vespa.hosted.node.admin.task.util.network.IPVersion; import java.util.List; /** - * An editor that assumes all rules in the filter table are exactly as the the wanted rules + * An editor that assumes all rules in the filter table are exactly as the wanted rules * * @author smorgrav */ |
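Review bot: The `trustedUdpPorts == null ? List.of() : List.copyOf(trustedUdpPorts)` default in the constructor means a response without the field, presumably from a config server that does not yet emit it, yields no UDP rules at all; that is the right fail-closed behaviour during a rollout, but nothing says it is deliberate, so a later cleanup could make the field required. A one-line comment at the field would pin it: `// May be absent from older config server responses; treated as "no UDP ports" so nothing opens by default`. The `@JsonProperty` on the final field plus the `@JsonCreator` parameter follows the pattern of the existing three fields. The class continues outside this hunk.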