author | Martin Polden <mpolden@mpolden.no> | 2022-08-26 09:24:01 +0200 |
committer | Martin Polden <mpolden@mpolden.no> | 2022-08-26 09:24:01 +0200 |
commit | d3c6baa62b07bbf363ffd54149f1cfaf7cbed058 (patch) | |
tree | 0e21fae27f1d3670c95e813e986e2c7f506009f0 /node-repository/src/main | |
parent | 2a536bc0eb5dab42bb8ac1acb8de0c4dfc8f70a1 (diff) |
Limit trusted node types and ports on config server
Diffstat (limited to 'node-repository/src/main')
3 files changed, 30 insertions, 7 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
index 7f7b1cd1035..e61f9b79d75 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
@@ -28,6 +28,8 @@ public record NodeAcl(Node node,
                       Set<String> trustedNetworks,
                       Set<Integer> trustedPorts) {
 
+    private static final Set<Integer> RPC_PORTS = Set.of(19070);
+
     public NodeAcl {
         Objects.requireNonNull(node, "node must be non-null");
         ImmutableSet.copyOf(Objects.requireNonNull(trustedNodes, "trustedNodes must be non-null"));
@@ -81,9 +83,12 @@ public record NodeAcl(Node node,
             }
             case config -> {
                 // Config servers trust:
-                // - all nodes
+                // - port 19070 (RPC) from all tenant nodes (and their hosts, in case traffic is NAT-ed via parent)
+                // - port 19070 (RPC) from all proxy nodes (and their hosts, in case traffic is NAT-ed via parent)
                 // - port 4443 from the world
-                trustedNodes.addAll(TrustedNode.of(allNodes));
+                trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.host, NodeType.tenant,
+                                                                     NodeType.proxyhost, NodeType.proxy),
+                                                   RPC_PORTS));
                 trustedPorts.add(4443);
             }
             case proxy -> {
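Review bot: The new `case config` filter trusts only host, tenant, proxyhost and proxy nodes, so node types the old `allNodes` call covered but this list omits — other config servers, confighosts and controllers among them — are no longer trusted by config servers through this ACL at all. If config servers need to reach each other or be reached by controllers, that traffic now has to be permitted somewhere else, which is worth confirming before this ships and worth stating in the comment either way, e.g. `// - nothing from other config servers or controllers (TODO confirm that access is granted elsewhere)`. The comment also spells out 19070 twice while the code reads `RPC_PORTS`; naming the constant in the comment keeps the two from drifting. The enclosing switch begins and ends outside the hunk.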
@@ -107,19 +112,28 @@ public record NodeAcl(Node node,
         return new NodeAcl(node, trustedNodes, trustedNetworks, trustedPorts);
     }
 
-    public record TrustedNode(String hostname, NodeType type, Set<String> ipAddresses) {
+    public record TrustedNode(String hostname, NodeType type, Set<String> ipAddresses, Set<Integer> ports) {
 
-        public static TrustedNode of(Node node) {
-            return new TrustedNode(node.hostname(), node.type(), node.ipConfig().primary());
+        /** Trust given ports from node */
+        public static TrustedNode of(Node node, Set<Integer> ports) {
+            return new TrustedNode(node.hostname(), node.type(), node.ipConfig().primary(), ports);
+        }
+        /** Trust all ports from given node */
+        public static TrustedNode of(Node node) {
+            return of(node, Set.of());
         }
 
-        public static List<TrustedNode> of(Iterable<Node> nodes) {
+        public static List<TrustedNode> of(Iterable<Node> nodes, Set<Integer> ports) {
             return StreamSupport.stream(nodes.spliterator(), false)
-                                .map(TrustedNode::of)
+                                .map(node -> TrustedNode.of(node, ports))
                                 .toList();
         }
 
+        public static List<TrustedNode> of(Iterable<Node> nodes) {
+            return of(nodes, Set.of());
+        }
+
     }
 
 }
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java
index af09278623b..45987338dae 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java
@@ -52,6 +52,10 @@ public class NodeAclResponse extends SlimeJsonResponse {
             object.setString("hostname", node.hostname());
             object.setString("type", node.type().name());
             object.setString("ipAddress", ipAddress);
+            if (!node.ports().isEmpty()) {
+                Cursor portsArray = object.setArray("ports");
+                node.ports().stream().sorted().forEach(portsArray::addLong);
+            }
             object.setString("trustedBy", nodeAcl.node().hostname());
         }));
     }
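Review bot: `TrustedNode` gains a `ports` component whose empty value means "all ports" — the sentinel is only mentioned in the Javadoc of the `of(Node)` overload — and the record stores whatever set it is handed: a `null` survives construction and fails later in any consumer calling `ports().isEmpty()`, and a mutable set can be altered by the caller after the fact. A compact constructor closes both gaps and documents the sentinel in one place: `public TrustedNode { ports = Set.copyOf(ports); }` (rejects null, snapshots the set) plus a record-level Javadoc `/** A node this ACL trusts. An empty {@code ports} set means traffic from it is trusted on all ports */`. Note too that `ports` now takes part in record equality, so the same hostname can appear more than once in `trustedNodes` with different port sets; if that is intended it deserves a line in that Javadoc as well.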
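Review bot: The `ports` array is emitted only when the set is non-empty, so in the JSON "all ports trusted" is encoded as the absence of the field rather than as an empty array, and nothing in the hunk says so. A comment on the new `if`, `// "ports" is omitted when all ports are trusted from this node`, makes the contract visible to the next reader, and the same sentence belongs wherever this response's schema is documented. The lambda that serializes each trusted node begins above the hunk.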
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/testutils/MockNodeRepository.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/testutils/MockNodeRepository.java
index 78c89118a78..e09c8a55b22 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/testutils/MockNodeRepository.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/testutils/MockNodeRepository.java
@@ -159,6 +159,11 @@ public class MockNodeRepository extends NodeRepository {
         nodes().fail("dockerhost6.yahoo.com", Agent.operator, getClass().getSimpleName());
         nodes().removeRecursively("dockerhost6.yahoo.com");
 
+        // Activate config servers
+        ApplicationId cfgApp = ApplicationId.from("cfg", "cfg", "cfg");
+        ClusterSpec cfgCluster = ClusterSpec.request(ClusterSpec.Type.container, ClusterSpec.Id.from("configservers")).vespaVersion("6.42").build();
+        activate(provisioner.prepare(cfgApp, cfgCluster, Capacity.fromRequiredNodeType(NodeType.config), null), cfgApp, provisioner);
+
         ApplicationId zoneApp = ApplicationId.from(TenantName.from("zoneapp"), ApplicationName.from("zoneapp"), InstanceName.from("zoneapp"));
         ClusterSpec zoneCluster = ClusterSpec.request(ClusterSpec.Type.container, ClusterSpec.Id.from("node-admin")).vespaVersion("6.42").build();
         activate(provisioner.prepare(zoneApp, zoneCluster, Capacity.fromRequiredNodeType(NodeType.host), null), zoneApp, provisioner); |