author | Valerij Fredriksen <valerijf@verizonmedia.com> | 2019-03-11 14:30:31 +0100 |
committer | Valerij Fredriksen <valerijf@verizonmedia.com> | 2019-03-11 14:30:31 +0100 |
commit | 0b672c7e9474a5048492a7a5f27423df96cc27ec (patch) | |
tree | e8635e0602802d6993352ce09fe7247f0429e695 /node-repository | |
parent | d3a6934b2fae1c7f04d7bd13e9c6a18b31098ede (diff) |
Remove whitelisted hostnames
Diffstat (limited to 'node-repository')
4 files changed, 28 insertions, 70 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
index 1b0bbffe507..28ead318cc0 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
@@ -3,11 +3,9 @@ package com.yahoo.vespa.hosted.provision.restapi.v2.filter;
 
 import com.google.inject.Inject;
 import com.yahoo.config.provision.Zone;
-import com.yahoo.config.provisioning.NodeRepositoryConfig;
 import com.yahoo.jdisc.handler.ResponseHandler;
 import com.yahoo.jdisc.http.filter.DiscFilterRequest;
 import com.yahoo.jdisc.http.filter.SecurityRequestFilter;
-import com.yahoo.net.HostName;
 import com.yahoo.vespa.hosted.provision.NodeRepository;
 import com.yahoo.vespa.hosted.provision.restapi.v2.ErrorResponse;
 import com.yahoo.yolean.chain.After;
@@ -17,8 +15,6 @@ import java.util.Optional;
 import java.util.function.BiConsumer;
 import java.util.function.BiPredicate;
 import java.util.logging.Logger;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
 
 /**
  * Authorization filter for all paths in config server. It assumes that {@link NodeIdentifierFilter} is part of filter chain.
@@ -35,23 +31,9 @@ public class AuthorizationFilter implements SecurityRequestFilter {
     private final BiConsumer<ErrorResponse, ResponseHandler> rejectAction;
 
     @Inject
-    public AuthorizationFilter(Zone zone, NodeRepository nodeRepository, NodeRepositoryConfig nodeRepositoryConfig) {
-        this(
-                new Authorizer(
-                        zone.system(),
-                        nodeRepository,
-                        Stream.concat(
-                                Stream.of(HostName.getLocalhost()),
-                                Stream.of(nodeRepositoryConfig.hostnameWhitelist().split(","))
-                        ).filter(hostname -> !hostname.isEmpty()).collect(Collectors.toSet())),
-                AuthorizationFilter::logAndReject
-        );
-    }
-
-    AuthorizationFilter(BiPredicate<NodePrincipal, URI> authorizer,
-                        BiConsumer<ErrorResponse, ResponseHandler> rejectAction) {
-        this.authorizer = authorizer;
-        this.rejectAction = rejectAction;
+    public AuthorizationFilter(Zone zone, NodeRepository nodeRepository) {
+        this.authorizer = new Authorizer(zone.system(), nodeRepository);
+        this.rejectAction = AuthorizationFilter::logAndReject;
     }
 
     @Override
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java
index 6225a8a4fc4..afcde0949e3 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java
@@ -31,7 +31,6 @@ import java.util.stream.Collectors;
  */
 public class Authorizer implements BiPredicate<NodePrincipal, URI> {
     private final NodeRepository nodeRepository;
-    private final Set<String> whitelistedHostnames;
     private final AthenzIdentity controllerIdentity;
     private final AthenzIdentity configServerIdentity = new AthenzService("vespa.vespa", "configserver");
     private final AthenzIdentity proxyIdentity = new AthenzService("vespa.vespa", "proxy");
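Review bot: Dropping the package-private `AuthorizationFilter(BiPredicate<NodePrincipal, URI> authorizer, BiConsumer<ErrorResponse, ResponseHandler> rejectAction)` constructor removes the only seam for exercising the filter with a stubbed authorizer or reject action; the surviving public constructor hardwires both, so AuthorizationFilterTest (later in this commit) can only go through the real Authorizer and a MockNodeRepository. If that seam is still wanted, keep the two-argument constructor and have the injected one delegate to it: `this(new Authorizer(zone.system(), nodeRepository), AuthorizationFilter::logAndReject);`. The new constructor also deserves a short Javadoc stating that the local host is no longer implicitly authorized (the removed code seeded the whitelist with `HostName.getLocalhost()`), since any call the config server makes to itself must now present an identity the Authorizer trusts. The rest of the class, including `logAndReject`, lies outside the hunk.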
@@ -39,10 +38,8 @@ public class Authorizer implements BiPredicate<NodePrincipal, URI> {
     private final Set<AthenzIdentity> trustedIdentities;
     private final Set<AthenzIdentity> hostAdminIdentities;
 
-    // TODO Remove whitelisted hostnames as these nodes should be included through 'trustedIdentities'
-    public Authorizer(SystemName system, NodeRepository nodeRepository, Set<String> whitelistedHostnames) {
+    public Authorizer(SystemName system, NodeRepository nodeRepository) {
         this.nodeRepository = nodeRepository;
-        this.whitelistedHostnames = whitelistedHostnames;
         controllerIdentity = system == SystemName.main
                 ? new AthenzService("vespa.vespa", "hosting")
                 : new AthenzService("vespa.vespa.cd", "hosting");
@@ -85,11 +82,6 @@ public class Authorizer implements BiPredicate<NodePrincipal, URI> {
             if (canAccessAny(nodeTypesFor(uri), principal, this::isNodeType)) {
                 return true;
             }
-
-            // The host itself can access all resources
-            if (whitelistedHostnames.contains(hostname)) {
-                return true;
-            }
         }
         return false;
     }
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
index b5d2861e5a0..2969b608d3a 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilterTest.java
@@ -6,7 +6,6 @@ import com.yahoo.config.provision.Environment;
 import com.yahoo.config.provision.RegionName;
 import com.yahoo.config.provision.SystemName;
 import com.yahoo.config.provision.Zone;
-import com.yahoo.config.provisioning.NodeRepositoryConfig;
 import com.yahoo.vespa.curator.mock.MockCurator;
 import com.yahoo.vespa.hosted.provision.restapi.v2.filter.FilterTester.Request;
 import com.yahoo.vespa.hosted.provision.testutils.MockNodeFlavors;
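Review bot: With the `whitelistedHostnames.contains(hostname)` fallback gone from the second hunk, `hostname` is no longer read at that point; if the node lookups earlier in the enclosing method (presumably `test`, which starts before the hunk) were its only other use the local is still needed, otherwise it is now dead and should go with the whitelist. The removed TODO said the whitelisted config servers were expected to be covered through `trustedIdentities`, but nothing in this commit adds them there, so it is worth confirming that the config server's own callers now present an identity in `trustedIdentities` or `hostAdminIdentities` before this ships. A one-line comment above the final `return false;` would keep the intent visible to the next reader: `// No hostname-based fallback: a principal not matched above is rejected regardless of the host it reports`.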
@@ -48,8 +47,7 @@ public class AuthorizationFilterTest {
         Zone zone = new Zone(system, Environment.prod, RegionName.defaultName());
         return new FilterTester(new AuthorizationFilter(
                 zone,
-                new MockNodeRepository(new MockCurator(), new MockNodeFlavors()),
-                new NodeRepositoryConfig(new NodeRepositoryConfig.Builder())));
+                new MockNodeRepository(new MockCurator(), new MockNodeFlavors())));
     }
 
 }
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java
index 5e643bd09ab..d696328cd7f 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java
@@ -13,10 +13,6 @@ import org.junit.Before;
 import org.junit.Test;
 
 import java.net.URI;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Optional;
 import java.util.Set;
@@ -37,30 +33,27 @@ public class AuthorizerTest {
     public void before() {
         NodeFlavors flavors = new MockNodeFlavors();
         nodeRepository = new MockNodeRepository(new MockCurator(), flavors);
-        authorizer = new Authorizer(SystemName.main, nodeRepository, new HashSet<>(Arrays.asList("cfg1", "cfghost1")));
-        { // Populate with nodes used in this test. Note that only nodes requiring node repository lookup are added here
-            Set<String> ipAddresses = new HashSet<>(Arrays.asList("127.0.0.1", "::1"));
-            Flavor flavor = flavors.getFlavorOrThrow("default");
-            List<Node> nodes = new ArrayList<>();
-            nodes.add(nodeRepository.createNode("host1", "host1", ipAddresses,
-                    Optional.empty(), flavor, NodeType.host));
-            nodes.add(nodeRepository.createNode("child1-1", "child1-1", ipAddresses,
-                    Optional.of("host1"), flavor, NodeType.tenant));
-            nodes.add(nodeRepository.createNode("child1-2", "child1-2", ipAddresses,
-                    Optional.of("host1"), flavor, NodeType.tenant));
-
-            nodes.add(nodeRepository.createNode("host2", "host2", ipAddresses,
-                    Optional.empty(), flavor, NodeType.host));
-            nodes.add(nodeRepository.createNode("child2-1", "child2-1", ipAddresses,
-                    Optional.of("host1.tld"), flavor, NodeType.tenant));
-
-            nodes.add(nodeRepository.createNode("proxy1", "proxy1", ipAddresses, Optional.empty(),
-                    flavor, NodeType.proxy));
-
-            nodes.add(nodeRepository.createNode("proxy1-host1", "proxy1-host", ipAddresses,
-                    Optional.empty(), flavor, NodeType.proxyhost));
-            nodeRepository.addNodes(nodes);
-        }
+        authorizer = new Authorizer(SystemName.main, nodeRepository);
+
+        Set<String> ipAddresses = Set.of("127.0.0.1", "::1");
+        Flavor flavor = flavors.getFlavorOrThrow("default");
+        List<Node> nodes = List.of(
+                nodeRepository.createNode(
+                        "host1", "host1", ipAddresses, Optional.empty(), flavor, NodeType.host),
+                nodeRepository.createNode(
+                        "child1-1", "child1-1", ipAddresses, Optional.of("host1"), flavor, NodeType.tenant),
+                nodeRepository.createNode(
+                        "child1-2", "child1-2", ipAddresses, Optional.of("host1"), flavor, NodeType.tenant),
+                nodeRepository.createNode(
+                        "host2", "host2", ipAddresses, Optional.empty(), flavor, NodeType.host),
+                nodeRepository.createNode(
+                        "child2-1", "child2-1", ipAddresses, Optional.of("host1.tld"), flavor, NodeType.tenant),
+                nodeRepository.createNode(
+                        "proxy1", "proxy1", ipAddresses, Optional.of("proxyhost1"), flavor, NodeType.proxy),
+                nodeRepository.createNode(
+                        "proxyhost1", "proxyhost1", ipAddresses, Optional.empty(), flavor, NodeType.proxyhost)
+        );
+        nodeRepository.addNodes(nodes);
     }
 
     @Test
@@ -106,7 +99,7 @@ public class AuthorizerTest {
 
         // Trusted services can access everything in their own system
         assertFalse(authorizedController("vespa.vespa.cd.hosting", "/")); // Wrong system
-        assertTrue(new Authorizer(SystemName.cd, nodeRepository, Collections.emptySet()).test(NodePrincipal.withAthenzIdentity("vespa.vespa.cd.hosting", emptyList()), uri("/")));
+        assertTrue(new Authorizer(SystemName.cd, nodeRepository).test(NodePrincipal.withAthenzIdentity("vespa.vespa.cd.hosting", emptyList()), uri("/")));
         assertTrue(authorizedController("vespa.vespa.hosting", "/"));
         assertTrue(authorizedController("vespa.vespa.configserver", "/"));
         assertTrue(authorizedController("vespa.vespa.hosting", "/nodes/v2/node/"));
@@ -167,14 +160,7 @@ public class AuthorizerTest {
         // Node of proxy or proxyhost type can access routing resource
         assertFalse(authorizedTenantNode("node1", "/routing/v1/status"));
         assertTrue(authorizedTenantNode("proxy1", "/routing/v1/status"));
-        assertTrue(authorizedTenantNode("proxy1-host", "/routing/v1/status"));
-    }
-
-    @Test
-    public void host_authorization() {
-        assertTrue(authorizedLegacyNode("cfg1", "/"));
-        assertTrue(authorizedLegacyNode("cfg1", "/application/v2"));
-        assertTrue(authorizedLegacyNode("cfghost1", "/application/v2"));
+        assertTrue(authorizedTenantNode("proxyhost1", "/routing/v1/status"));
     }
 
     @Test
|
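Review bot: The `host_authorization` test in the last hunk is deleted rather than inverted, so nothing now asserts the security-relevant effect of this commit — that a hostname which used to be whitelisted is rejected; keep the test and flip it, e.g. `assertFalse(authorizedLegacyNode("cfg1", "/"));` and `assertFalse(authorizedLegacyNode("cfghost1", "/application/v2"));`, which also keeps `authorizedLegacyNode` in use if this was its only caller. The `before()` rewrite in the first hunk changes the fixture beyond the whitelist removal: `proxy1` gains parent `proxyhost1` where it had `Optional.empty()`, and the proxy host's id/hostname pair `proxy1-host1`/`proxy1-host` becomes a consistent `proxyhost1`, which is why the routing assertion at the end now uses the new name; a line about this in the commit message would help anyone bisecting later. `authorizedLegacyNode` and the other helper methods are defined outside these hunks.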