authorMartin Polden <mpolden@mpolden.no>2022-08-26 09:24:01 +0200
committerMartin Polden <mpolden@mpolden.no>2022-08-26 09:24:01 +0200
commitd3c6baa62b07bbf363ffd54149f1cfaf7cbed058 (patch)
tree0e21fae27f1d3670c95e813e986e2c7f506009f0 /node-repository/src/main
parent2a536bc0eb5dab42bb8ac1acb8de0c4dfc8f70a1 (diff)
Limit trusted node types and ports on config server
Diffstat (limited to 'node-repository/src/main')
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java28
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java4
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/testutils/MockNodeRepository.java5
3 files changed, 30 insertions, 7 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
index 7f7b1cd1035..e61f9b79d75 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
@@ -28,6 +28,8 @@ public record NodeAcl(Node node,
Set<String> trustedNetworks,
Set<Integer> trustedPorts) {
+ private static final Set<Integer> RPC_PORTS = Set.of(19070);
+
public NodeAcl {
Objects.requireNonNull(node, "node must be non-null");
ImmutableSet.copyOf(Objects.requireNonNull(trustedNodes, "trustedNodes must be non-null"));
@@ -81,9 +83,12 @@ public record NodeAcl(Node node,
}
case config -> {
// Config servers trust:
- // - all nodes
+ // - port 19070 (RPC) from all tenant nodes (and their hosts, in case traffic is NAT-ed via parent)
+ // - port 19070 (RPC) from all proxy nodes (and their hosts, in case traffic is NAT-ed via parent)
// - port 4443 from the world
- trustedNodes.addAll(TrustedNode.of(allNodes));
+ trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.host, NodeType.tenant,
+ NodeType.proxyhost, NodeType.proxy),
+ RPC_PORTS));
trustedPorts.add(4443);
}
case proxy -> {
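Review bot: The node-type filter in the new `trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.host, NodeType.tenant, NodeType.proxyhost, NodeType.proxy), RPC_PORTS))` omits `NodeType.config` and `NodeType.confighost`, so under this rule a config server no longer trusts its peer config servers (or their hosts), which the removed `TrustedNode.of(allNodes)` did cover. If peer traffic between config servers is admitted by another rule outside this hunk, the comment block should say so, e.g. `// - config servers themselves: see <rule>`; if it is not, the filter presumably needs `NodeType.confighost, NodeType.config` added before this is rolled out, since the remaining world-trusted port is only 4443. The enclosing method that builds the ACL starts and ends outside the hunk.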
@@ -107,19 +112,28 @@ public record NodeAcl(Node node,
return new NodeAcl(node, trustedNodes, trustedNetworks, trustedPorts);
}
- public record TrustedNode(String hostname, NodeType type, Set<String> ipAddresses) {
+ public record TrustedNode(String hostname, NodeType type, Set<String> ipAddresses, Set<Integer> ports) {
- public static TrustedNode of(Node node) {
- return new TrustedNode(node.hostname(), node.type(), node.ipConfig().primary());
+ /** Trust given ports from node */
+ public static TrustedNode of(Node node, Set<Integer> ports) {
+ return new TrustedNode(node.hostname(), node.type(), node.ipConfig().primary(), ports);
+ }
+ /** Trust all ports from given node */
+ public static TrustedNode of(Node node) {
+ return of(node, Set.of());
}
- public static List<TrustedNode> of(Iterable<Node> nodes) {
+ public static List<TrustedNode> of(Iterable<Node> nodes, Set<Integer> ports) {
return StreamSupport.stream(nodes.spliterator(), false)
- .map(TrustedNode::of)
+ .map(node -> TrustedNode.of(node, ports))
.toList();
}
+ public static List<TrustedNode> of(Iterable<Node> nodes) {
+ return of(nodes, Set.of());
+ }
+
}
}
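Review bot: The new `ports` component of `TrustedNode` is neither null-checked nor defensively copied, and the convention that an empty set means "all ports" (`return of(node, Set.of());`) lives only in the factory Javadoc, so a caller that ends up passing an empty set by mistake silently widens trust from one port to every port. Suggest a compact constructor `public TrustedNode { ports = Set.copyOf(Objects.requireNonNull(ports, "ports must be non-null")); }` (`Objects` is already used in `NodeAcl`'s own compact constructor) and a record-level Javadoc `/** A node trusted by an ACL; {@code ports} are the ports trusted from it, empty meaning all ports */` so the sentinel semantics are documented where the type is defined rather than on one overload.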
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java
index af09278623b..45987338dae 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodeAclResponse.java
@@ -52,6 +52,10 @@ public class NodeAclResponse extends SlimeJsonResponse {
object.setString("hostname", node.hostname());
object.setString("type", node.type().name());
object.setString("ipAddress", ipAddress);
+ if (!node.ports().isEmpty()) {
+ Cursor portsArray = object.setArray("ports");
+ node.ports().stream().sorted().forEach(portsArray::addLong);
+ }
object.setString("trustedBy", nodeAcl.node().hostname());
}));
}
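Review bot: The `ports` array is written only when `node.ports()` is non-empty, so an absent `ports` field in the response means "all ports trusted from this node"; that contract is not visible to readers of this response or of the serialization code. A comment on the new `if`, `// Omitted when empty: an empty port set means all ports are trusted from this node`, would make the fail-open meaning of the missing field explicit. The enclosing method starts and ends outside the hunk.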
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/testutils/MockNodeRepository.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/testutils/MockNodeRepository.java
index 78c89118a78..e09c8a55b22 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/testutils/MockNodeRepository.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/testutils/MockNodeRepository.java
@@ -159,6 +159,11 @@ public class MockNodeRepository extends NodeRepository {
nodes().fail("dockerhost6.yahoo.com", Agent.operator, getClass().getSimpleName());
nodes().removeRecursively("dockerhost6.yahoo.com");
+ // Activate config servers
+ ApplicationId cfgApp = ApplicationId.from("cfg", "cfg", "cfg");
+ ClusterSpec cfgCluster = ClusterSpec.request(ClusterSpec.Type.container, ClusterSpec.Id.from("configservers")).vespaVersion("6.42").build();
+ activate(provisioner.prepare(cfgApp, cfgCluster, Capacity.fromRequiredNodeType(NodeType.config), null), cfgApp, provisioner);
+
ApplicationId zoneApp = ApplicationId.from(TenantName.from("zoneapp"), ApplicationName.from("zoneapp"), InstanceName.from("zoneapp"));
ClusterSpec zoneCluster = ClusterSpec.request(ClusterSpec.Type.container, ClusterSpec.Id.from("node-admin")).vespaVersion("6.42").build();
activate(provisioner.prepare(zoneApp, zoneCluster, Capacity.fromRequiredNodeType(NodeType.host), null), zoneApp, provisioner);