author | Martin Polden <mpolden@mpolden.no> | 2022-08-25 10:52:21 +0200 |
---|---|---|
committer | Martin Polden <mpolden@mpolden.no> | 2022-08-25 10:55:33 +0200 |
commit | f506a54040a18c0e74092dd701b2165f845e7711 (patch) | |
tree | d303215aa147666e21a4b01896061e8d9bb2b9d4 /node-repository/src/main | |
parent | 34d28df24200715d9a436267a1b7eb1bad0fab61 (diff) |
Extract TrustedNode
Diffstat (limited to 'node-repository/src/main')
-rw-r--r-- | node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java | 64 | ||||
-rw-r--r-- | node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java | 2 |
2 files changed, 38 insertions, 28 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java index 26b57677fcf..7f7b1cd1035 100644 --- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java +++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java @@ -11,10 +11,12 @@ import com.yahoo.vespa.hosted.provision.lb.LoadBalancers; import java.util.Comparator; import java.util.LinkedHashSet; +import java.util.List; import java.util.Objects; import java.util.Optional; import java.util.Set; import java.util.TreeSet; +import java.util.stream.StreamSupport; /** * A node ACL declares which nodes, networks and ports a node should trust. @@ -22,7 +24,7 @@ import java.util.TreeSet; * @author mpolden */ public record NodeAcl(Node node, - Set<Node> trustedNodes, + Set<TrustedNode> trustedNodes, Set<String> trustedNetworks, Set<Integer> trustedPorts) { @@ -34,7 +36,7 @@ public record NodeAcl(Node node, } public static NodeAcl from(Node node, NodeList allNodes, LoadBalancers loadBalancers) { - Set<Node> trustedNodes = new TreeSet<>(Comparator.comparing(Node::hostname)); + Set<TrustedNode> trustedNodes = new TreeSet<>(Comparator.comparing(TrustedNode::hostname)); Set<Integer> trustedPorts = new LinkedHashSet<>(); Set<String> trustedNetworks = new LinkedHashSet<>(); @@ -47,9 +49,9 @@ public record NodeAcl(Node node, // - nodes in same application // - load balancers allocated to application trustedPorts.add(22); - allNodes.parentOf(node).ifPresent(trustedNodes::add); + allNodes.parentOf(node).map(TrustedNode::of).ifPresent(trustedNodes::add); node.allocation().ifPresent(allocation -> { - trustedNodes.addAll(allNodes.owner(allocation.owner()).asList()); + trustedNodes.addAll(TrustedNode.of(allNodes.owner(allocation.owner()))); loadBalancers.list(allocation.owner()).asList() .stream() .map(LoadBalancer::instance) 
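Review bot: In the `from` hunk, `trustedNodes` is still a `TreeSet` ordered by `TrustedNode::hostname` alone, so set membership is decided by hostname and never by the record's own `equals`, which compares `type` and `ipAddresses` as well; a second `TrustedNode` for the same hostname with a different address set is silently dropped. That matches the old `Node::hostname` behaviour, but with a value record it now reads as a contradiction, so it deserves a comment on the `new TreeSet<>` line such as `// Deduplicated by hostname only; TrustedNode.equals() is deliberately not consulted`. Whether a hostname can actually map to two distinct address sets within one `NodeList` I cannot tell from the hunk.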
@@ -59,57 +61,65 @@ public record NodeAcl(Node node, }); switch (node.type()) { - case tenant: + case tenant -> { // Tenant nodes in other states than ready, trust: // - config servers // - proxy nodes // - parents of the nodes in the same application: If some nodes are on a different IP version // or only a subset of them are dual-stacked, the communication between the nodes may be NAT-ed // via parent's IP address - trustedNodes.addAll(allNodes.nodeType(NodeType.config).asList()); - trustedNodes.addAll(allNodes.nodeType(NodeType.proxy).asList()); - node.allocation().ifPresent(allocation -> - trustedNodes.addAll(allNodes.parentsOf(allNodes.owner(allocation.owner())).asList())); - + trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.config))); + trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.proxy))); + node.allocation().ifPresent(allocation -> trustedNodes.addAll(TrustedNode.of(allNodes.parentsOf(allNodes.owner(allocation.owner()))))); if (node.state() == Node.State.ready) { // Tenant nodes in state ready, trust: // - All tenant nodes in zone. When a ready node is allocated to an application there's a brief // window where current ACLs have not yet been applied on the node. 
To avoid service disruption // during this window, ready tenant nodes trust all other tenant nodes - trustedNodes.addAll(allNodes.nodeType(NodeType.tenant).asList()); + trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.tenant))); } - break; - - case config: + } + case config -> { // Config servers trust: // - all nodes // - port 4443 from the world - trustedNodes.addAll(allNodes.asList()); + trustedNodes.addAll(TrustedNode.of(allNodes)); trustedPorts.add(4443); - break; - - case proxy: + } + case proxy -> { // Proxy nodes trust: // - config servers // - all connections from the world on 443 (production traffic) and 4443 (health checks) - trustedNodes.addAll(allNodes.nodeType(NodeType.config).asList()); + trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.config))); trustedPorts.add(443); trustedPorts.add(4443); - break; - - case controller: + } + case controller -> { // Controllers: // - port 4443 (HTTPS + Athenz) from the world // - port 443 (HTTPS + Okta) from the world trustedPorts.add(4443); trustedPorts.add(443); - break; - - default: - throw new IllegalArgumentException("Don't know how to create ACL for " + node + - " of type " + node.type()); + } + default -> throw new IllegalArgumentException("Don't know how to create ACL for " + node + + " of type " + node.type()); } return new NodeAcl(node, trustedNodes, trustedNetworks, trustedPorts); } + public record TrustedNode(String hostname, NodeType type, Set<String> ipAddresses) { + + public static TrustedNode of(Node node) { + return new TrustedNode(node.hostname(), node.type(), node.ipConfig().primary()); + + } + + public static List<TrustedNode> of(Iterable<Node> nodes) { + return StreamSupport.stream(nodes.spliterator(), false) + .map(TrustedNode::of) + .toList(); + } + + } + } 
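Review bot: The new `TrustedNode` record stores the `Set<String>` it is handed by `of(Node)` (`node.ipConfig().primary()`) as-is, so the ACL's address list stays aliased to whatever collection the node's IP config exposes and is only as immutable as that set happens to be. A compact constructor would make the record's immutability explicit, e.g. `public TrustedNode { ipAddresses = Collections.unmodifiableSet(new LinkedHashSet<>(ipAddresses)); }` (with a `java.util.Collections` import), keeping insertion order because `NodeAclResponse` iterates it into the response, whereas `Set.copyOf` would not preserve that order. There is also a stray blank line between the `return` and the closing brace of `of(Node)`, and the `parentsOf` lambda in `case tenant` is now on one very long line where the old version wrapped it. I cannot tell from the hunk whether `ipConfig().primary()` is already unmodifiable, so the copy may be belt-and-braces.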
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java index b03d37b4d46..af09278623b 100644 --- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java +++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java @@ -47,7 +47,7 @@ public class NodeAclResponse extends SlimeJsonResponse { } private void toSlime(NodeAcl nodeAcl, Cursor array) { - nodeAcl.trustedNodes().forEach(node -> node.ipConfig().primary().forEach(ipAddress -> { + nodeAcl.trustedNodes().forEach(node -> node.ipAddresses().forEach(ipAddress -> { Cursor object = array.addObject(); object.setString("hostname", node.hostname()); object.setString("type", node.type().name()); |