author | Martin Polden <mpolden@mpolden.no> | 2022-08-25 13:10:46 +0200 |
---|---|---|
committer | Martin Polden <mpolden@mpolden.no> | 2022-08-29 12:31:03 +0200 |
commit | 2ef3e8c38eff79310176fd6717079dd5508ab2ab (patch) | |
tree | be69d40a73a809494c90f42583a340f468f429d1 /node-admin | |
parent | ee29a7aeb10021c55064f6c5268daefe23897f0d (diff) |
Consider trusted node ports in ACL rules
Diffstat (limited to 'node-admin')
8 files changed, 93 insertions, 94 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
index 2908cf39fc8..87dd42d8008 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
@@ -2,7 +2,6 @@ package com.yahoo.vespa.hosted.node.admin.configserver.noderepository;
 import com.google.common.net.InetAddresses;
-import com.yahoo.config.provision.NodeType;
 import com.yahoo.vespa.hosted.node.admin.task.util.network.IPVersion;
 import java.net.InetAddress;
@@ -45,7 +44,7 @@ public class Acl {
 this(trustedPorts, trustedNodes, Set.of());
 }
- public List<String> toRules(IPVersion ipVersion, NodeType nodeType) {
+ public List<String> toRules(IPVersion ipVersion) {
 List<String> rules = new LinkedList<>();
 // We reject with rules instead of using policies
@@ -67,26 +66,20 @@ public class Acl {
 rules.add("-A INPUT -p tcp -m multiport --dports " + joinPorts(trustedPorts) + " -j ACCEPT");
 }
- // Trust ZooKeeper from other config servers/controllers only
- if (nodeType.isConfigServerLike()) {
- Set<Integer> zooKeeperPorts = Set.of(2181, 2182, 2183);
- List<String> clusterAddresses = getTrustedNodes(ipVersion).stream()
- .filter(node -> node.type() == nodeType)
- .map(Node::inetAddressString)
- .sorted()
- .toList();
- for (var ipAddress : clusterAddresses) {
- rules.add("-A INPUT -s " + ipAddress + ipVersion.singleHostCidr() + " -p tcp -m multiport --dports " +
- joinPorts(zooKeeperPorts) + " -j ACCEPT");
- }
- // Reject any other connections to ZooKeeper
- rules.add("-A INPUT -p tcp -m multiport --dports " + joinPorts(zooKeeperPorts) +
- " -j REJECT --reject-with " + ipVersion.icmpPortUnreachable());
- }
-
- // Allow traffic from trusted nodes
+ // Allow traffic from trusted nodes, limited to specific ports, if any
 getTrustedNodes(ipVersion).stream()
- .map(node -> "-A INPUT -s " + node.inetAddressString() + ipVersion.singleHostCidr() + " -j ACCEPT")
+ .map(node -> {
+ StringBuilder rule = new StringBuilder();
+ rule.append("-A INPUT -s ")
+ .append(node.inetAddressString())
+ .append(ipVersion.singleHostCidr());
+ if (!node.ports.isEmpty()) {
+ rule.append(" -p tcp -m multiport --dports ")
+ .append(joinPorts(node.ports()));
+ }
+ rule.append(" -j ACCEPT");
+ return rule.toString();
+ })
 .sorted()
 .forEach(rules::add);
@@ -103,7 +96,7 @@ public class Acl {
 }
 private static String joinPorts(Collection<Integer> ports) {
- return ports.stream().map(String::valueOf).sorted().collect(Collectors.joining(","));
+ return ports.stream().sorted().map(String::valueOf).collect(Collectors.joining(","));
 }
 public Set<Node> getTrustedNodes() {
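Review bot: The new per-node rule treats an empty `ports` set as "every port", so a node whose ports were omitted or dropped upstream silently gets an unrestricted `-j ACCEPT`; the removed ZooKeeper block also rejected ZooKeeper traffic from trusted nodes that were not cluster peers, and on the new side that narrowing exists only if the node repository supplies a non-empty `ports` for each such node. That fail-open default deserves a comment at the `if (!node.ports.isEmpty())` line, e.g. `// An empty port set means the node is trusted on all ports; a missing list from the node repository therefore widens access`. The same branch reads the field `node.ports` while the `joinPorts` call two lines below uses the accessor `node.ports()`; use the accessor in both places. The iptables multiport match accepts at most 15 ports, so a node with a larger set yields a rule iptables rejects and the table edit fails as a whole; if the node repository can return that many, split them across several rules. `toRules` starts and ends outside this hunk.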
@@ -158,10 +151,10 @@ public class Acl {
 return Optional.ofNullable(set).map(Set::copyOf).orElseGet(Set::of);
 }
- public record Node(String hostname, NodeType type, InetAddress inetAddress) {
+ public record Node(String hostname, InetAddress inetAddress, Set<Integer> ports) {
- public Node(String hostname, NodeType type, String ipAddress) {
- this(hostname, type, InetAddresses.forString(ipAddress));
+ public Node(String hostname, String ipAddress, Set<Integer> ports) {
+ this(hostname, InetAddresses.forString(ipAddress), ports);
 }
 public String inetAddressString() {
@@ -173,7 +166,7 @@ public class Acl {
 return "Node{" +
 "hostname='" + hostname + '\'' +
 ", inetAddress=" + inetAddress +
- ", nodeType=" + type +
+ ", ports=" + ports +
 '}';
 }
 }
@@ -197,12 +190,16 @@ public class Acl {
 return this;
 }
- public Builder withTrustedNode(String hostname, String ipAddress, NodeType nodeType) {
- return withTrustedNode(new Node(hostname, nodeType, ipAddress));
+ public Builder withTrustedNode(String hostname, String ipAddress) {
+ return withTrustedNode(hostname, ipAddress, Set.of());
+ }
+
+ public Builder withTrustedNode(String hostname, String ipAddress, Set<Integer> ports) {
+ return withTrustedNode(new Node(hostname, ipAddress, ports));
 }
- public Builder withTrustedNode(String hostname, InetAddress inetAddress, NodeType nodeType) {
- return withTrustedNode(new Node(hostname, nodeType, inetAddress));
+ public Builder withTrustedNode(String hostname, InetAddress inetAddress, Set<Integer> ports) {
+ return withTrustedNode(new Node(hostname, inetAddress, ports));
 }
 public Builder withTrustedPorts(Integer... ports) {
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java
index 51111a66d10..34ff4feb548 100644
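Review bot: `Node` now stores a caller-supplied `Set<Integer> ports` without copying or validating it, so a mutable set passed through `Builder.withTrustedNode` stays shared with the caller, and a null set or an out-of-range value is only discovered later, when the rule string is built or when iptables rejects the table. A compact constructor makes the record self-protecting and fails fast with a message naming the offending value; the `Set.copyOf(node.ports)` in the RealNodeRepository hunk then becomes redundant but harmless. The record body continues outside this hunk.
```java
public record Node(String hostname, InetAddress inetAddress, Set<Integer> ports) {

    public Node {
        ports = Set.copyOf(ports); // snapshot; rejects a null set or a null element
        for (int port : ports) {
            if (port < 1 || port > 65535) throw new IllegalArgumentException("Invalid port " + port + " for " + hostname);
        }
    }
    // … unchanged: String-address convenience constructor, inetAddressString, toString …
```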
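Review bot: The new two-argument `withTrustedNode(String hostname, String ipAddress)` overload means "trusted on all ports", which is the more permissive choice and is stated nowhere; a Javadoc line such as `/** Trusts {@code ipAddress} on all ports; use the {@code ports} overload to restrict it. */` would make call sites like those in AclMaintainerTest read correctly. The two three-argument overloads should likewise say that an empty `ports` set is not "no ports" but "every port", since that is what `toRules` does with it.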
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java
@@ -98,7 +98,7 @@ public class RealNodeRepository implements NodeRepository {
 .collect(Collectors.groupingBy(
 GetAclResponse.Node::getTrustedBy,
 Collectors.mapping(
- node -> new Acl.Node(node.hostname, NodeType.valueOf(node.nodeType), node.ipAddress),
+ node -> new Acl.Node(node.hostname, node.ipAddress, Set.copyOf(node.ports)),
 Collectors.toSet())));
 // Group trusted networks by container hostname that trusts them
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/bindings/GetAclResponse.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/bindings/GetAclResponse.java
index 9afee6f7463..08d145b3ac8 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/bindings/GetAclResponse.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/bindings/GetAclResponse.java
@@ -28,9 +28,9 @@ public class GetAclResponse {
 public GetAclResponse(@JsonProperty("trustedNodes") List<Node> trustedNodes,
 @JsonProperty("trustedNetworks") List<Network> trustedNetworks,
 @JsonProperty("trustedPorts") List<Port> trustedPorts) {
- this.trustedNodes = trustedNodes == null ? List.of() : trustedNodes;
- this.trustedNetworks = trustedNetworks == null ? List.of() : trustedNetworks;
- this.trustedPorts = trustedPorts == null ? List.of() : trustedPorts;
+ this.trustedNodes = trustedNodes == null ? List.of() : List.copyOf(trustedNodes);
+ this.trustedNetworks = trustedNetworks == null ? List.of() : List.copyOf(trustedNetworks);
+ this.trustedPorts = trustedPorts == null ? List.of() : List.copyOf(trustedPorts);
 }
 @JsonIgnoreProperties(ignoreUnknown = true)
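Review bot: `NodeType.valueOf(node.nodeType)` was the use of `NodeType` visible in this file, and it is gone on the new side; if nothing else in RealNodeRepository references `NodeType`, its import is now unused and should be dropped here as the Acl.java and FilterTableLineEditor.java hunks already do. Note also that `Set.copyOf(node.ports)` throws `NullPointerException` on a null element, so one malformed `ports` entry in the config server response aborts ACL loading for every container in the grouping rather than just that node; that fail-closed behaviour may well be what you want, but it is worth a one-line comment at the mapping so it is not mistaken for an oversight. The enclosing method starts and ends outside this hunk.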
@@ -45,16 +45,20 @@ public class GetAclResponse {
 @JsonProperty("ipAddress")
 public final String ipAddress;
+ @JsonProperty("ports")
+ public final List<Integer> ports;
+
 @JsonProperty("trustedBy")
 public final String trustedBy;
 @JsonCreator
 public Node(@JsonProperty("hostname") String hostname, @JsonProperty("type") String nodeType,
- @JsonProperty("ipAddress") String ipAddress,
+ @JsonProperty("ipAddress") String ipAddress, @JsonProperty("ports") List<Integer> ports,
 @JsonProperty("trustedBy") String trustedBy) {
 this.hostname = hostname;
 this.nodeType = nodeType;
 this.ipAddress = ipAddress;
+ this.ports = ports == null ? List.of() : List.copyOf(ports);
 this.trustedBy = trustedBy;
 }
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java
index 435dc9cae85..cb2134b36af 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java
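Review bot: The new `ports` field is undocumented, and its two absent cases collapse into one: a missing `ports` key and an explicit `[]` both become `List.of()`, which `Acl.toRules` then turns into an accept on every port from that node. A field comment such as `// Ports this node may reach on the container; absent or empty means no port restriction (see Acl.toRules)` would make that contract visible to whoever changes the config server side of the response. `List.copyOf(ports)` also throws `NullPointerException` on a null element, so `"ports": [null]` fails deserialization of the whole response rather than of this node; fine if intended, but worth a word in the same comment. The `Node` class continues outside this hunk.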
@@ -55,8 +55,8 @@ public class AclMaintainer {
 if (context.isDisabled(NodeAgentTask.AclMaintainer)) return;
 // Apply acl to the filter table
- editFlushOnError(context, IPVersion.IPv4, "filter", FilterTableLineEditor.from(context.acl(), IPVersion.IPv4, context.nodeType()));
- editFlushOnError(context, IPVersion.IPv6, "filter", FilterTableLineEditor.from(context.acl(), IPVersion.IPv6, context.nodeType()));
+ editFlushOnError(context, IPVersion.IPv4, "filter", FilterTableLineEditor.from(context.acl(), IPVersion.IPv4));
+ editFlushOnError(context, IPVersion.IPv6, "filter", FilterTableLineEditor.from(context.acl(), IPVersion.IPv6));
 ipAddresses.getAddress(context.hostname().value(), IPVersion.IPv4).ifPresent(addr -> applyRedirect(context, addr));
 ipAddresses.getAddress(context.hostname().value(), IPVersion.IPv6).ifPresent(addr -> applyRedirect(context, addr));
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditor.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditor.java
index 82dc388568b..462790b8d0f 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditor.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditor.java
@@ -1,7 +1,6 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.hosted.node.admin.maintenance.acl;
-import com.yahoo.config.provision.NodeType;
 import com.yahoo.vespa.hosted.node.admin.configserver.noderepository.Acl;
 import com.yahoo.vespa.hosted.node.admin.task.util.file.LineEdit;
 import com.yahoo.vespa.hosted.node.admin.task.util.file.LineEditor;
@@ -23,8 +22,8 @@ class FilterTableLineEditor implements LineEditor {
 this.wantedRules = List.copyOf(wantedRules);
 }
- static FilterTableLineEditor from(Acl acl, IPVersion ipVersion, NodeType nodeType) {
- List<String> rules = acl.toRules(ipVersion, nodeType);
+ static FilterTableLineEditor from(Acl acl, IPVersion ipVersion) {
+ List<String> rules = acl.toRules(ipVersion);
 return new FilterTableLineEditor(rules);
 }
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java
index c4bee8bb1dc..9fbe22482ea 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java
@@ -8,6 +8,7 @@ import org.junit.jupiter.api.Test;
 import java.util.Arrays;
 import java.util.Set;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
 import static org.junit.jupiter.api.Assertions.assertEquals;
@@ -19,17 +20,17 @@ public class AclTest {
 private static final Acl aclCommon = new Acl(
 Set.of(1234, 453),
- testNodes("192.1.2.2", "fb00::1", "fe80::2", "fe80::3"),
+ testNodes(Set.of(), "192.1.2.2", "fb00::1", "fe80::2", "fe80::3"),
 Set.of());
 private static final Acl aclWithoutPorts = new Acl(
 Set.of(),
- testNodes("192.1.2.2", "fb00::1", "fe80::2"),
+ testNodes(Set.of(), "192.1.2.2", "fb00::1", "fe80::2"),
 Set.of());
 @Test
 void no_trusted_ports() {
- String listRulesIpv4 = String.join("\n", aclWithoutPorts.toRules(IPVersion.IPv4, NodeType.tenant));
+ String listRulesIpv4 = String.join("\n", aclWithoutPorts.toRules(IPVersion.IPv4));
 assertEquals(
 "-P INPUT ACCEPT\n" +
 "-P FORWARD ACCEPT\n" +
@@ -44,7 +45,7 @@ public class AclTest {
 @Test
 void ipv4_rules() {
- String listRulesIpv4 = String.join("\n", aclCommon.toRules(IPVersion.IPv4, NodeType.tenant));
+ String listRulesIpv4 = String.join("\n", aclCommon.toRules(IPVersion.IPv4));
 assertEquals(
 "-P INPUT ACCEPT\n" +
 "-P FORWARD ACCEPT\n" +
@@ -52,7 +53,7 @@ public class AclTest {
 "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n" +
 "-A INPUT -i lo -j ACCEPT\n" +
 "-A INPUT -p icmp -j ACCEPT\n" +
- "-A INPUT -p tcp -m multiport --dports 1234,453 -j ACCEPT\n" +
+ "-A INPUT -p tcp -m multiport --dports 453,1234 -j ACCEPT\n" +
 "-A INPUT -s 192.1.2.2/32 -j ACCEPT\n" +
 "-A INPUT -j REJECT --reject-with icmp-port-unreachable",
 listRulesIpv4);
@@ -60,7 +61,7 @@ public class AclTest {
 @Test
 void ipv6_rules() {
- String listRulesIpv6 = String.join("\n", aclCommon.toRules(IPVersion.IPv6, NodeType.tenant));
+ String listRulesIpv6 = String.join("\n", aclCommon.toRules(IPVersion.IPv6));
 assertEquals(
 "-P INPUT ACCEPT\n" +
 "-P FORWARD ACCEPT\n" +
@@ -68,7 +69,7 @@ public class AclTest {
 "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n" +
 "-A INPUT -i lo -j ACCEPT\n" +
 "-A INPUT -p ipv6-icmp -j ACCEPT\n" +
- "-A INPUT -p tcp -m multiport --dports 1234,453 -j ACCEPT\n" +
+ "-A INPUT -p tcp -m multiport --dports 453,1234 -j ACCEPT\n" +
 "-A INPUT -s fb00::1/128 -j ACCEPT\n" +
 "-A INPUT -s fe80::2/128 -j ACCEPT\n" +
 "-A INPUT -s fe80::3/128 -j ACCEPT\n" +
@@ -79,17 +80,17 @@ public class AclTest {
 void ipv6_rules_stable_order() {
 Acl aclCommonDifferentOrder = new Acl(
 Set.of(453, 1234),
- testNodes("fe80::2", "192.1.2.2", "fb00::1", "fe80::3"),
+ testNodes(Set.of(), "fe80::2", "192.1.2.2", "fb00::1", "fe80::3"),
 Set.of());
 for (IPVersion ipVersion : IPVersion.values()) {
- assertEquals(aclCommon.toRules(ipVersion, NodeType.tenant), aclCommonDifferentOrder.toRules(ipVersion, NodeType.tenant));
+ assertEquals(aclCommon.toRules(ipVersion), aclCommonDifferentOrder.toRules(ipVersion));
 }
 }
 @Test
 void trusted_networks() {
- Acl acl = new Acl(Set.of(4080), testNodes("127.0.0.1"), Set.of("10.0.0.0/24", "2001:db8::/32"));
+ Acl acl = new Acl(Set.of(4080), testNodes(Set.of(), "127.0.0.1"), Set.of("10.0.0.0/24", "2001:db8::/32"));
 assertEquals("-P INPUT ACCEPT\n" +
 "-P FORWARD ACCEPT\n" +
@@ -101,7 +102,7 @@ public class AclTest {
 "-A INPUT -s 127.0.0.1/32 -j ACCEPT\n" +
 "-A INPUT -s 10.0.0.0/24 -j ACCEPT\n" +
 "-A INPUT -j REJECT --reject-with icmp-port-unreachable",
- String.join("\n", acl.toRules(IPVersion.IPv4, NodeType.tenant)));
+ String.join("\n", acl.toRules(IPVersion.IPv4)));
 assertEquals("-P INPUT ACCEPT\n" +
 "-P FORWARD ACCEPT\n" +
@@ -112,12 +113,15 @@ public class AclTest { "-A INPUT -p tcp -m multiport --dports 4080 -j ACCEPT\n" + "-A INPUT -s 2001:db8::/32 -j ACCEPT\n" + "-A INPUT -j REJECT --reject-with icmp6-port-unreachable", - String.join("\n", acl.toRules(IPVersion.IPv6, NodeType.tenant))); + String.join("\n", acl.toRules(IPVersion.IPv6))); } @Test void config_server_acl() { - Acl acl = new Acl(Set.of(22, 4443), testNodes(NodeType.config, "172.17.0.41", "172.17.0.42", "172.17.0.43"), Set.of()); + Set<Acl.Node> testNodes = Stream.concat(testNodes(NodeType.config, Set.of(), "172.17.0.41", "172.17.0.42", "172.17.0.43").stream(), + testNodes(NodeType.tenant, Set.of(19070), "172.17.0.81", "172.17.0.82", "172.17.0.83").stream()) + .collect(Collectors.toSet()); + Acl acl = new Acl(Set.of(22, 4443), testNodes, Set.of()); assertEquals(""" -P INPUT ACCEPT -P FORWARD ACCEPT 
@@ -126,17 +130,20 @@ public class AclTest { -A INPUT -i lo -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -p tcp -m multiport --dports 22,4443 -j ACCEPT - -A INPUT -s 172.17.0.41/32 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT - -A INPUT -s 172.17.0.42/32 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT - -A INPUT -s 172.17.0.43/32 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT - -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -j REJECT --reject-with icmp-port-unreachable -A INPUT -s 172.17.0.41/32 -j ACCEPT -A INPUT -s 172.17.0.42/32 -j ACCEPT -A INPUT -s 172.17.0.43/32 -j ACCEPT + -A INPUT -s 172.17.0.81/32 -p tcp -m multiport --dports 19070 -j ACCEPT + -A INPUT -s 172.17.0.82/32 -p tcp -m multiport --dports 19070 -j ACCEPT + -A INPUT -s 172.17.0.83/32 -p tcp -m multiport --dports 19070 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-port-unreachable""", - String.join("\n", acl.toRules(IPVersion.IPv4, NodeType.config))); + String.join("\n", acl.toRules(IPVersion.IPv4))); + + Set<Acl.Node> testNodes2 = Stream.concat(testNodes(NodeType.config, Set.of(), "2001:db8::41", "2001:db8::42", "2001:db8::43").stream(), + testNodes(NodeType.tenant, Set.of(19070), "2001:db8::81", "2001:db8::82", "2001:db8::83").stream()) + .collect(Collectors.toSet()); + Acl acl2 = new Acl(Set.of(22, 4443), testNodes2, Set.of()); - Acl acl2 = new Acl(Set.of(22, 4443), testNodes(NodeType.config, "2001:db8::41", "2001:db8::42", "2001:db8::43"), Set.of()); assertEquals(""" -P INPUT ACCEPT -P FORWARD ACCEPT 
@@ -145,24 +152,23 @@ public class AclTest { -A INPUT -i lo -j ACCEPT -A INPUT -p ipv6-icmp -j ACCEPT -A INPUT -p tcp -m multiport --dports 22,4443 -j ACCEPT - -A INPUT -s 2001:db8::41/128 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT - -A INPUT -s 2001:db8::42/128 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT - -A INPUT -s 2001:db8::43/128 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT - -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -j REJECT --reject-with icmp6-port-unreachable -A INPUT -s 2001:db8::41/128 -j ACCEPT -A INPUT -s 2001:db8::42/128 -j ACCEPT -A INPUT -s 2001:db8::43/128 -j ACCEPT + -A INPUT -s 2001:db8::81/128 -p tcp -m multiport --dports 19070 -j ACCEPT + -A INPUT -s 2001:db8::82/128 -p tcp -m multiport --dports 19070 -j ACCEPT + -A INPUT -s 2001:db8::83/128 -p tcp -m multiport --dports 19070 -j ACCEPT -A INPUT -j REJECT --reject-with icmp6-port-unreachable""", - String.join("\n", acl2.toRules(IPVersion.IPv6, NodeType.config))); + String.join("\n", acl2.toRules(IPVersion.IPv6))); } - private static Set<Acl.Node> testNodes(String... address) { - return testNodes(NodeType.tenant, address); + private static Set<Acl.Node> testNodes(Set<Integer> ports, String... address) { + return testNodes(NodeType.tenant, ports, address); } - private static Set<Acl.Node> testNodes(NodeType nodeType, String... address) { + private static Set<Acl.Node> testNodes(NodeType nodeType, Set<Integer> ports, String... address) { return Arrays.stream(address) - .map(addr -> new Acl.Node("hostname", nodeType, addr)) + .map(addr -> new Acl.Node("hostname", addr, ports)) .collect(Collectors.toUnmodifiableSet()); } diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java index 9d5683c9856..827c6ebb6ec 100644 
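Review bot: The `nodeType` parameter of `testNodes(NodeType nodeType, Set<Integer> ports, String... address)` is now dead — the lambda builds `new Acl.Node("hostname", addr, ports)` and `Acl.Node` no longer carries a type — so the `NodeType.config` and `NodeType.tenant` arguments in `config_server_acl` only suggest a distinction the production code no longer makes. Drop that overload and keep `testNodes(Set<Integer> ports, String... address)` as the single helper, removing the `NodeType` import if nothing else in the file uses it; the config-server test then reads as what it now exercises, trusted nodes with and without a port restriction. `config_server_acl` starts outside this hunk.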
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java +++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java @@ -48,10 +48,10 @@ public class AclMaintainerTest { @Test void configures_full_container_acl_from_empty() { Acl acl = new Acl.Builder().withTrustedPorts(22, 4443) - .withTrustedNode("hostname1", "3001::abcd", NodeType.tenant) - .withTrustedNode("hostname2", "3001::1234", NodeType.tenant) - .withTrustedNode("hostname1", "192.168.0.5", NodeType.tenant) - .withTrustedNode("hostname4", "172.16.5.234", NodeType.tenant).build(); + .withTrustedNode("hostname1", "3001::abcd") + .withTrustedNode("hostname2", "3001::1234") + .withTrustedNode("hostname1", "192.168.0.5") + .withTrustedNode("hostname4", "172.16.5.234").build(); NodeAgentContext context = contextGenerator.apply(acl); ipAddresses.addAddress(context.hostname().value(), "2001::1"); @@ -163,7 +163,7 @@ public class AclMaintainerTest { @Test void only_configure_iptables_for_ipversion_that_differs() { - Acl acl = new Acl.Builder().withTrustedPorts(22, 4443).withTrustedNode("hostname1", "3001::abcd", NodeType.tenant).build(); + Acl acl = new Acl.Builder().withTrustedPorts(22, 4443).withTrustedNode("hostname1", "3001::abcd").build(); NodeAgentContext context = contextGenerator.apply(acl); ipAddresses.addAddress(context.hostname().value(), "2001::1"); @@ -209,7 +209,7 @@ public class AclMaintainerTest { @Test void rollback_is_attempted_when_applying_acl_fail() { - Acl acl = new Acl.Builder().withTrustedPorts(22, 4443).withTrustedNode("hostname1", "3001::abcd", NodeType.tenant).build(); + Acl acl = new Acl.Builder().withTrustedPorts(22, 4443).withTrustedNode("hostname1", "3001::abcd").build(); NodeAgentContext context = contextGenerator.apply(acl); ipAddresses.addAddress(context.hostname().value(), "2001::1"); 
@@ -248,12 +248,12 @@ public class AclMaintainerTest { @Test public void config_server_acl() { Acl acl = new Acl.Builder().withTrustedPorts(22, 4443) - .withTrustedNode("cfg1", "2001:db8::1", NodeType.config) - .withTrustedNode("cfg2", "2001:db8::2", NodeType.config) - .withTrustedNode("cfg3", "2001:db8::3", NodeType.config) - .withTrustedNode("cfg1", "172.17.0.41", NodeType.config) - .withTrustedNode("cfg2", "172.17.0.42", NodeType.config) - .withTrustedNode("cfg3", "172.17.0.43", NodeType.config) + .withTrustedNode("cfg1", "2001:db8::1") + .withTrustedNode("cfg2", "2001:db8::2") + .withTrustedNode("cfg3", "2001:db8::3") + .withTrustedNode("cfg1", "172.17.0.41") + .withTrustedNode("cfg2", "172.17.0.42") + .withTrustedNode("cfg3", "172.17.0.43") .build(); NodeAgentContext context = NodeAgentContextImpl.builder("cfg3.example.com") .fileSystem(fileSystem) @@ -287,10 +287,6 @@ public class AclMaintainerTest { -A INPUT -i lo -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -p tcp -m multiport --dports 22,4443 -j ACCEPT - -A INPUT -s 172.17.0.41/32 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT - -A INPUT -s 172.17.0.42/32 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT - -A INPUT -s 172.17.0.43/32 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT - -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -j REJECT --reject-with icmp-port-unreachable -A INPUT -s 172.17.0.41/32 -j ACCEPT -A INPUT -s 172.17.0.42/32 -j ACCEPT -A INPUT -s 172.17.0.43/32 -j ACCEPT 
@@ -307,10 +303,6 @@ public class AclMaintainerTest { -A INPUT -i lo -j ACCEPT -A INPUT -p ipv6-icmp -j ACCEPT -A INPUT -p tcp -m multiport --dports 22,4443 -j ACCEPT - -A INPUT -s 2001:db8::1/128 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT - -A INPUT -s 2001:db8::2/128 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT - -A INPUT -s 2001:db8::3/128 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT - -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -j REJECT --reject-with icmp6-port-unreachable -A INPUT -s 2001:db8::1/128 -j ACCEPT -A INPUT -s 2001:db8::2/128 -j ACCEPT -A INPUT -s 2001:db8::3/128 -j ACCEPT diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditorTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditorTest.java index 39d1a46f198..9263a1a8dd1 100644 --- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditorTest.java +++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditorTest.java @@ -19,7 +19,7 @@ public class FilterTableLineEditorTest { @Test void filter_set_wanted_rules() { - Acl acl = new Acl.Builder().withTrustedPorts(22).withTrustedNode("hostname", "3001::1", NodeType.tenant).build(); + Acl acl = new Acl.Builder().withTrustedPorts(22).withTrustedNode("hostname", "3001::1").build(); assertFilterTableLineEditorResult( acl, IPVersion.IPv6, @@ -60,7 +60,7 @@ public class FilterTableLineEditorTest { private static void assertFilterTableLineEditorResult( Acl acl, IPVersion ipVersion, String currentFilterTable, String expectedRestoreFileContent) { - FilterTableLineEditor filterLineEditor = FilterTableLineEditor.from(acl, ipVersion, NodeType.tenant); + FilterTableLineEditor filterLineEditor = FilterTableLineEditor.from(acl, ipVersion); Editor editor = new Editor( "nat-table", () -> List.of(currentFilterTable.split("\n")), 
@@ -72,16 +72,17 @@ public class FilterTableLineEditorTest { private static void assertFilterTableDiff(List<Integer> currentIpSuffix, List<Integer> wantedIpSuffix, String diff) { Acl.Builder currentAcl = new Acl.Builder(); NodeType nodeType = NodeType.tenant; - currentIpSuffix.forEach(i -> currentAcl.withTrustedNode("host" + i, "2001::" + i, nodeType)); + currentIpSuffix.forEach(i -> currentAcl.withTrustedNode("host" + i, "2001::" + i)); List<String> currentTable = new ArrayList<>(); Acl.Builder wantedAcl = new Acl.Builder(); - wantedIpSuffix.forEach(i -> wantedAcl.withTrustedNode("host" + i, "2001::" + i, nodeType)); + wantedIpSuffix.forEach(i -> wantedAcl.withTrustedNode("host" + i, "2001::" + i)); - new Editor("table", List::of, currentTable::addAll, FilterTableLineEditor.from(currentAcl.build(), IPVersion.IPv6, nodeType)) + new Editor("table", List::of, currentTable::addAll, FilterTableLineEditor.from(currentAcl.build(), IPVersion.IPv6)) .edit(log -> {}); - new Editor("table", () -> currentTable, result -> {}, FilterTableLineEditor.from(wantedAcl.build(), IPVersion.IPv6, nodeType)) + new Editor("table", () -> currentTable, result -> {}, FilterTableLineEditor.from(wantedAcl.build(), IPVersion.IPv6)) .edit(log -> assertEquals(diff, log)); } + } |
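Review bot: `NodeType nodeType = NodeType.tenant;` is now a dead local in `assertFilterTableDiff` — every use of `nodeType` is removed on the new side of this hunk — and should be deleted along with the `NodeType` import if it has no other use in the file. The final added line appears to contribute only a blank line before the closing brace; if so it is noise and can be dropped.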