authorMartin Polden <martin.polden@gmail.com>2017-03-21 15:01:05 +0100
committerMartin Polden <martin.polden@gmail.com>2017-03-21 15:15:02 +0100
commitfae9a0500f4c840dacc574ffa9738f9e8fcf695a (patch)
tree28ccf7c5aa69e5e3892ca97364b1bb827c9635e2 /node-repository
parent019b69f8bf35d30e4e2e14add037f87ff6631467 (diff)
Ready tenant nodes trust all other tenant nodes
Diffstat (limited to 'node-repository')
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java22
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java19
2 files changed, 26 insertions, 15 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
index 417f0f27bf0..8d850d60cd8 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
@@ -153,23 +153,31 @@ public class NodeRepository extends AbstractComponent {
private Set<Node> getTrustedNodes(Node node) {
final Set<Node> trustedNodes = new TreeSet<>(Comparator.comparing(Node::hostname));
- // For all cases below:
- // - Trust nodes in same application
- // - All config servers
+ // For all cases below, trust:
+ // - nodes in same application
+ // - config servers
node.allocation().ifPresent(allocation -> trustedNodes.addAll(getNodes(allocation.owner())));
trustedNodes.addAll(getConfigNodes());
switch (node.type()) {
case tenant:
- // Tenant nodes trust nodes in same application and all infrastructure nodes
- // They also trust all traffic from Docker hosts of trusted nodes,
- // as it may be NATed traffic from trusted Docker containers
+ // Tenant nodes in other states than ready, trust:
+ // - proxy nodes
+ // - parent (Docker) hosts of already trusted nodes. This is needed in a transition period, while
+ // we migrate away from IPv4-only nodes
trustedNodes.addAll(getDockerHosts(trustedNodes)); // TODO: Remove when we no longer have IPv4-only nodes
trustedNodes.addAll(getNodes(NodeType.proxy));
+ if (node.state() == Node.State.ready) {
+ // Tenant nodes in state ready, trust:
+ // - All tenant nodes in zone. When a ready node is allocated to a an application there's a brief
+ // window where current ACLs have not yet been applied on the node. To avoid service disruption
+ // during this window, ready tenant nodes trust all other tenant nodes.
+ trustedNodes.addAll(getNodes(NodeType.tenant));
+ }
break;
case config:
- // Config servers trust all nodes in the zone
+ // Config servers trust all nodes
trustedNodes.addAll(getNodes());
break;
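Review bot: The new `ready` branch widens a ready tenant node's trust from "own application + infrastructure" to every tenant node in the zone regardless of owner, so a compromised node of one tenant can reach any unallocated node of any other tenant until its first ACL push; the comment explains the race but does not record that this is a deliberate cross-tenant exposure or when it is meant to go away. I would state that explicitly and tie it to a follow-up, e.g. `// NOTE: cross-tenant trust. Ready nodes hold no customer data yet, but this must be removed once ACLs are applied atomically with allocation.` Note also that `getDockerHosts(trustedNodes)` runs before the tenant nodes are added, so the NAT-parent rule the preceding comment describes does not apply to the newly trusted IPv4-only containers; if that is intended it should be said, otherwise move the `getDockerHosts` call after the `if` block. The switch continues past the end of the hunk.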
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
index a02a5803f43..a1270f5f821 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
@@ -72,15 +72,19 @@ public class AclProvisioningTest {
List<Node> configServers = setConfigServers("cfg1:1234,cfg2:1234,cfg3:1234");
// Populate repo
- List<Node> readyNodes = tester.makeReadyNodes(10, "default");
+ tester.makeReadyNodes(10, "default");
List<Node> proxyNodes = tester.makeReadyNodes(3, "default", NodeType.proxy);
- // Get trusted nodes for the first ready node
- Node node = readyNodes.get(0);
+ // Allocate 2 nodes to an application
+ allocateNodes(2);
+
+ // Get trusted nodes for a ready node
+ Node node = tester.nodeRepository().getNodes(Node.State.ready).get(0);
List<NodeAcl> nodeAcls = tester.nodeRepository().getNodeAcls(node, false);
+ List<Node> tenantNodes = tester.nodeRepository().getNodes(NodeType.tenant);
- // Trusted nodes is proxy nodes and config servers
- assertAcls(Arrays.asList(proxyNodes, configServers), nodeAcls);
+ // Trusted nodes are all proxy-, config-, and, tenant-nodes
+ assertAcls(Arrays.asList(proxyNodes, configServers, tenantNodes), nodeAcls);
}
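Review bot: The test only proves that a ready node's ACL now includes all tenant nodes; nothing checks that the widening is confined to state `ready`, so a regression that dropped the `node.state() == Node.State.ready` guard and let allocated nodes trust every tenant in the zone would pass this suite. Add a negative assertion on one of the two nodes allocated above, e.g. `Node active = tester.nodeRepository().getNodes(Node.State.active).get(0);` and assert its ACLs contain only its own application's nodes, the proxies and the config servers. The comment `Trusted nodes are all proxy-, config-, and, tenant-nodes` has stray punctuation; `Ready nodes trust all proxy, config and tenant nodes` reads cleaner.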
@Test
@@ -189,8 +193,7 @@ public class AclProvisioningTest {
.findFirst()
.orElseThrow(() -> new RuntimeException("Expected to find ACL for node " + dockerNode.hostname()));
assertEquals(dockerHostNodeUnderTest.hostname(), dockerNode.parentHostname().get());
- // Since the containers are unallocated, they only trust Docker hosts config servers
- assertAcls(Collections.singletonList(configServers), nodeAcl);
+ assertAcls(Arrays.asList(configServers, dockerNodes), nodeAcl);
}
}
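Review bot: The removed comment was the only explanation of why unallocated containers get this trust set, and the new assertion `assertAcls(Arrays.asList(configServers, dockerNodes), nodeAcl)` is left without one, so a reader cannot tell that trusting the sibling containers is the new ready-node rule rather than the Docker-host NAT rule. Restore a one-liner such as `// Containers are unallocated (ready), so they trust config servers and all tenant nodes in the zone`. The enclosing test method starts before the hunk.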
@@ -201,7 +204,7 @@ public class AclProvisioningTest {
.addRecord("cfg2", "127.0.0.2")
.addRecord("cfg3", "127.0.0.3");
- List<Node> readyNodes = tester.makeReadyNodes(1, "default", NodeType.tenant);
+ List<Node> readyNodes = tester.makeReadyNodes(1, "default", NodeType.proxy);
List<NodeAcl> nodeAcls = tester.nodeRepository().getNodeAcls(readyNodes.get(0), false);
assertEquals(3, nodeAcls.get(0).trustedNodes().size());