diff options
author | Håkon Hallingstad <hakon@yahooinc.com> | 2023-07-05 14:57:39 +0200 |
---|---|---|
committer | Håkon Hallingstad <hakon@yahooinc.com> | 2023-07-05 14:57:39 +0200 |
commit | 808de0182e63da7f740fc9b5884bafe5cddcd5ae (patch) | |
tree | 8fd35c8547e63a5b92b08ab884180e1a41e69aa1 /node-repository | |
parent | 9ee3d3b3c54fd3340ef508e2e78e6cab22a22374 (diff) |
Trust address of parent host only if NAT is possible
Diffstat (limited to 'node-repository')
-rw-r--r-- | node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java | 36 |
1 files changed, 24 insertions, 12 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java index 9c45a8ede1c..155b6e8b740 100644 --- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java +++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java @@ -74,12 +74,24 @@ public record NodeAcl(Node node, // Tenant nodes in other states than ready, trust: // - config servers // - proxy nodes + trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.config), node.cloudAccount(), simplerAcl)); + trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.proxy), node.cloudAccount(), simplerAcl)); // - parents of the nodes in the same application: If some nodes are on a different IP version // or only a subset of them are dual-stacked, the communication between the nodes may be NAT-ed // via parent's IP address - trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.config), node.cloudAccount(), simplerAcl)); - trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.proxy), node.cloudAccount(), simplerAcl)); - node.allocation().ifPresent(allocation -> trustedNodes.addAll(TrustedNode.of(allNodes.parentsOf(allNodes.owner(allocation.owner())), node.cloudAccount(), simplerAcl))); + boolean hasIp4 = node.ipConfig().primary().stream().anyMatch(IP::isV4); + boolean hasIp6 = node.ipConfig().primary().stream().anyMatch(IP::isV6); + node.allocation().ifPresent(allocation -> allNodes + .owner(allocation.owner()) + .stream() + .filter(n -> !n.hostname().equals(node.hostname())) + .forEach(otherNode -> { + if (hasIp4 && otherNode.ipConfig().primary().stream().noneMatch(IP::isV4) || + hasIp6 && otherNode.ipConfig().primary().stream().noneMatch(IP::isV6)) { + // The parent host is assumed to have the required IPv4/IPv6 address for NAT + trustedNodes.add(TrustedNode.of(allNodes.parentOf(otherNode).orElseThrow(), node.cloudAccount(), simplerAcl)); + } + })); } case config -> { // Config servers trust: @@ -121,28 +133,28 @@ public record NodeAcl(Node node, public record TrustedNode(String hostname, NodeType type, Set<String> ipAddresses, Set<Integer> ports) { /** Trust given ports from node, and primary IP addresses shared with given cloud account */ - public static TrustedNode of(Node node, Set<Integer> ports, CloudAccount cloudAccount, boolean simplerAcl) { + public static TrustedNode of(Node node, Set<Integer> ports, CloudAccount sourceCloudAccount, boolean simplerAcl) { Set<String> ipAddresses = node.ipConfig() .primary() .stream() - .filter(ip -> !simplerAcl || IP.inSharedIpSpace(ip, node.cloudAccount(), cloudAccount)) + .filter(ip -> !simplerAcl || IP.inSharedIpSpace(ip, sourceCloudAccount, node.cloudAccount())) .collect(Collectors.toSet()); return new TrustedNode(node.hostname(), node.type(), ipAddresses, ports); } - /** Trust all ports from given node */ - public static TrustedNode of(Node node, CloudAccount cloudAccount, boolean simplerAcl) { - return of(node, Set.of(), cloudAccount, simplerAcl); + /** The node in the given sourceCloudAccount should trust all ports from given node */ + public static TrustedNode of(Node node, CloudAccount sourceCloudAccount, boolean simplerAcl) { + return of(node, Set.of(), sourceCloudAccount, simplerAcl); } - public static List<TrustedNode> of(Iterable<Node> nodes, Set<Integer> ports, CloudAccount cloudAccount, boolean simplerAcl) { + public static List<TrustedNode> of(Iterable<Node> nodes, Set<Integer> ports, CloudAccount sourceCloudAccount, boolean simplerAcl) { return StreamSupport.stream(nodes.spliterator(), false) - .map(node -> TrustedNode.of(node, ports, cloudAccount, simplerAcl)) + .map(node -> TrustedNode.of(node, ports, sourceCloudAccount, simplerAcl)) .toList(); } - public static List<TrustedNode> of(Iterable<Node> nodes, CloudAccount cloudAccount, boolean simplerAcl) { - return of(nodes, Set.of(), cloudAccount, simplerAcl); + public static List<TrustedNode> of(Iterable<Node> nodes, CloudAccount sourceCloudAccount, boolean simplerAcl) { + return of(nodes, Set.of(), sourceCloudAccount, simplerAcl); } } |