author | HÃ¥kon Hallingstad <hakon@verizonmedia.com> | 2019-09-05 19:26:29 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-09-05 19:26:29 +0200 |
commit | 88af4c79bcf44a6a46e9c4f16c56e8ca7eecb80c (patch) | |
tree | 6424db1f9dd9240368bd5fb16ad24598988a60e2 /node-repository | |
parent | 5923644638f706433c0eea7e00f26e3eba4e4319 (diff) | |
parent | b2a503d3eb688aa4ec63371b605bda6597b21c44 (diff) |
Merge pull request #10522 from vespa-engine/revert-10521-revert-10512-freva/simplify-ip
Remove SSH and fix TODO in node-repo ACL rules take 2
Diffstat (limited to 'node-repository')
6 files changed, 18 insertions, 117 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java index fd7397168d5..1fbb83c7718 100644 --- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java +++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java @@ -207,9 +207,10 @@ public class NodeRepository extends AbstractComponent { Set<String> trustedNetworks = new LinkedHashSet<>(); // For all cases below, trust: + // - parent host (for health checks and metrics) // - nodes in same application // - load balancers allocated to application - // - ssh + candidates.parentOf(node).ifPresent(trustedNodes::add); node.allocation().ifPresent(allocation -> { trustedNodes.addAll(candidates.owner(allocation.owner()).asList()); loadBalancers.owner(allocation.owner()).asList().stream() @@ -217,17 +218,13 @@ public class NodeRepository extends AbstractComponent { .map(LoadBalancerInstance::networks) .forEach(trustedNetworks::addAll); }); - trustedPorts.add(22); switch (node.type()) { case tenant: // Tenant nodes in other states than ready, trust: // - config servers // - proxy nodes - // - parent (Docker) hosts of already trusted nodes. This is needed in a transition period, while - // we migrate away from IPv4-only nodes trustedNodes.addAll(candidates.nodeType(NodeType.config).asList()); - trustedNodes.addAll(candidates.parentsOf(trustedNodes).asList()); // TODO: Remove when we no longer have IPv4-only nodes trustedNodes.addAll(candidates.nodeType(NodeType.proxy).asList()); if (node.state() == Node.State.ready) { // Tenant nodes in state ready, trust: diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java index 6da72f6ebdd..24b12c4427f 100644 
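Review bot: In the first NodeRepository.java hunk, `candidates.parentOf(node).ifPresent(trustedNodes::add);` adds the parent host to `trustedNodes` for every node type, while the comment above it justifies this only by health checks and metrics. How a `trustedNodes` entry is rendered into firewall rules is not visible in this hunk. If it admits the host on all ports, the grant is wider than the stated need, and either the comment should record that, for example `// - parent host (needed for health checks and metrics; trust is not port-scoped)`, or the trust should be limited to the ports those checks use. The enclosing method starts before the first hunk and continues past the second.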
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java +++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java @@ -1,7 +1,6 @@ // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.provision.provisioning; -import com.google.common.collect.ImmutableSet; import com.yahoo.component.Version; import com.yahoo.config.provision.ApplicationId; import com.yahoo.config.provision.Capacity; @@ -13,19 +12,14 @@ import com.yahoo.vespa.hosted.provision.Node; import com.yahoo.vespa.hosted.provision.node.NodeAcl; import org.junit.Test; -import java.util.Arrays; -import java.util.Collection; import java.util.Collections; import java.util.Comparator; -import java.util.HashSet; import java.util.Iterator; import java.util.List; import java.util.Set; import java.util.function.Supplier; import java.util.stream.Collectors; -import static java.util.Collections.emptySet; -import static java.util.Collections.singleton; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; @@ -57,11 +51,12 @@ public class AclProvisioningTest { // Get trusted nodes for the first active node Node node = activeNodes.get(0); + Node host = node.parentHostname().flatMap(tester.nodeRepository()::getNode).get(); Supplier<List<NodeAcl>> nodeAcls = () -> tester.nodeRepository().getNodeAcls(node, false); // Trusted nodes are active nodes in same application, proxy nodes and config servers - assertAcls(Arrays.asList(activeNodes, proxyNodes, configServers, dockerHost), - ImmutableSet.of("10.2.3.0/24", "10.4.5.0/24"), + assertAcls(List.of(activeNodes, proxyNodes, configServers, List.of(host)), + Set.of("10.2.3.0/24", "10.4.5.0/24"), nodeAcls.get()); } 
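Review bot: The comment `// Trusted nodes are active nodes in same application, proxy nodes and config servers` in the `@@ -57,11 +51,12 @@` hunk is now stale, because the assertion under it also expects the parent host through `List.of(host)`. It should read `// Trusted nodes are active nodes in same application, proxy nodes, config servers and the parent host`. The added `Node host = ... .get();` line also calls `Optional.get()` unchecked, so a node without a resolvable parent fails with a bare NoSuchElementException; ending the chain with `.orElseThrow(() -> new AssertionError("No parent host for " + node.hostname()))` would name the cause. The test method starts before the hunk.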
@@ -82,7 +77,7 @@ public class AclProvisioningTest { List<Node> tenantNodes = tester.nodeRepository().getNodes(NodeType.tenant); // Trusted nodes are all proxy-, config-, and, tenant-nodes - assertAcls(Arrays.asList(proxyNodes, configServers, tenantNodes), nodeAcls); + assertAcls(List.of(proxyNodes, configServers, tenantNodes), nodeAcls); } @Test @@ -103,7 +98,7 @@ public class AclProvisioningTest { List<NodeAcl> nodeAcls = tester.nodeRepository().getNodeAcls(node, false); // Trusted nodes is all tenant nodes, all proxy nodes and all config servers - assertAcls(Arrays.asList(tenantNodes, proxyNodes, configServers), nodeAcls); + assertAcls(List.of(tenantNodes, proxyNodes, configServers), nodeAcls); } @Test @@ -124,7 +119,7 @@ public class AclProvisioningTest { List<NodeAcl> nodeAcls = tester.nodeRepository().getNodeAcls(node, false); // Trusted nodes is all config servers and all proxy nodes - assertAcls(Arrays.asList(proxyNodes, configServers), nodeAcls); + assertAcls(List.of(proxyNodes, configServers), nodeAcls); } @Test @@ -148,7 +143,7 @@ public class AclProvisioningTest { .findFirst() .orElseThrow(() -> new RuntimeException("Expected to find ACL for node " + dockerNode.hostname())); assertEquals(dockerHostNodeUnderTest.hostname(), dockerNode.parentHostname().get()); - assertAcls(Arrays.asList(configServers, dockerNodes), nodeAcl); + assertAcls(List.of(configServers, dockerNodes, List.of(dockerHostNodeUnderTest)), nodeAcl); } } @@ -162,8 +157,8 @@ public class AclProvisioningTest { // Controllers and hosts all trust each other List<NodeAcl> controllerAcls = tester.nodeRepository().getNodeAcls(controllers.get(0), false); - assertAcls(Collections.singletonList(controllers), controllerAcls); - assertEquals(ImmutableSet.of(22, 4443, 443), controllerAcls.get(0).trustedPorts()); + assertAcls(List.of(controllers), controllerAcls); + assertEquals(Set.of(4443, 443), controllerAcls.get(0).trustedPorts()); } @Test 
@@ -185,9 +180,9 @@ public class AclProvisioningTest { assertEquals(3, nodeAcls.get(0).trustedNodes().size()); Iterator<Node> trustedNodes = nodeAcls.get(0).trustedNodes().iterator(); - assertEquals(singleton("127.0.1.1"), trustedNodes.next().ipAddresses()); - assertEquals(singleton("127.0.1.2"), trustedNodes.next().ipAddresses()); - assertEquals(singleton("127.0.1.3"), trustedNodes.next().ipAddresses()); + assertEquals(Set.of("127.0.1.1"), trustedNodes.next().ipAddresses()); + assertEquals(Set.of("127.0.1.2"), trustedNodes.next().ipAddresses()); + assertEquals(Set.of("127.0.1.3"), trustedNodes.next().ipAddresses()); } private List<Node> deploy(int nodeCount) { @@ -202,7 +197,7 @@ public class AclProvisioningTest { ClusterSpec cluster = ClusterSpec.request(ClusterSpec.Type.container, ClusterSpec.Id.from("test"), Version.fromString("6.42"), false); List<HostSpec> prepared = tester.prepare(application, cluster, capacity, 1); - tester.activate(application, new HashSet<>(prepared)); + tester.activate(application, Set.copyOf(prepared)); return tester.getNodes(application, Node.State.active).asList(); } @@ -211,12 +206,12 @@ public class AclProvisioningTest { } private static void assertAcls(List<List<Node>> expectedNodes, List<NodeAcl> actual) { - assertAcls(expectedNodes, emptySet(), actual); + assertAcls(expectedNodes, Set.of(), actual); } private static void assertAcls(List<List<Node>> expectedNodes, Set<String> expectedNetworks, List<NodeAcl> actual) { List<Node> expectedTrustedNodes = expectedNodes.stream() - .flatMap(Collection::stream) + .flatMap(List::stream) .distinct() .sorted(Comparator.comparing(Node::hostname)) .collect(Collectors.toList()); diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/RestApiTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/RestApiTest.java index ac2276a95b0..44e7d7659ab 100644 
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/RestApiTest.java +++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/RestApiTest.java @@ -381,11 +381,6 @@ public class RestApiTest { } @Test - public void acl_request_by_docker_host() throws Exception { - assertFile(new Request("http://localhost:8080/nodes/v2/acl/dockerhost1.yahoo.com?children=true"), "acl-docker-host.json"); - } - - @Test public void test_invalid_requests() throws Exception { assertResponse(new Request("http://localhost:8080/nodes/v2/node/node-does-not-exist", new byte[0], Request.Method.GET), diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-config-server.json b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-config-server.json index e489aec2df6..88e8fb44f9f 100644 --- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-config-server.json +++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-config-server.json @@ -226,10 +226,6 @@ "trustedNetworks": [], "trustedPorts": [ { - "port": 22, - "trustedBy": "cfg1.yahoo.com" - }, - { "port": 4443, "trustedBy": "cfg1.yahoo.com" } diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-docker-host.json b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-docker-host.json deleted file mode 100644 index 2acc6d42282..00000000000 --- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-docker-host.json +++ /dev/null 
@@ -1,77 +0,0 @@
-{
- "trustedNodes": [
- {
- "hostname": "cfg1.yahoo.com",
- "type": "config",
- "ipAddress": "127.0.201.1",
- "trustedBy": "host4.yahoo.com"
- },
- {
- "hostname": "cfg1.yahoo.com",
- "type": "config",
- "ipAddress": "::201:1",
- "trustedBy": "host4.yahoo.com"
- },
- {
- "hostname": "cfg2.yahoo.com",
- "type": "config",
- "ipAddress": "127.0.202.1",
- "trustedBy": "host4.yahoo.com"
- },
- {
- "hostname": "cfg2.yahoo.com",
- "type": "config",
- "ipAddress": "::202:1",
- "trustedBy": "host4.yahoo.com"
- },
- {
- "hostname": "dockerhost1.yahoo.com",
- "type": "host",
- "ipAddress": "127.0.100.1",
- "trustedBy": "host4.yahoo.com"
- },
- {
- "hostname": "dockerhost1.yahoo.com",
- "type": "host",
- "ipAddress": "::100:1",
- "trustedBy": "host4.yahoo.com"
- },
- {
- "hostname": "dockerhost2.yahoo.com",
- "type": "host",
- "ipAddress": "127.0.101.1",
- "trustedBy": "host4.yahoo.com"
- },
- {
- "hostname": "dockerhost2.yahoo.com",
- "type": "host",
- "ipAddress": "::101:1",
- "trustedBy": "host4.yahoo.com"
- },
- {
- "hostname": "host4.yahoo.com",
- "type": "tenant",
- "ipAddress": "127.0.4.1",
- "trustedBy": "host4.yahoo.com"
- },
- {
- "hostname": "host4.yahoo.com",
- "type": "tenant",
- "ipAddress": "::4:1",
- "trustedBy": "host4.yahoo.com"
- },
- {
- "hostname": "test-node-pool-101-2",
- "type": "tenant",
- "ipAddress": "::101:2",
- "trustedBy": "host4.yahoo.com"
- }
- ],
- "trustedNetworks": [],
- "trustedPorts": [
- {
- "port": 22,
- "trustedBy": "host4.yahoo.com"
- }
- ]
-}
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-tenant-node.json b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-tenant-node.json
index 5fe28550837..040b2ebe167 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-tenant-node.json
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-tenant-node.json
@@ -170,10 +170,5 @@ } ], "trustedNetworks": [], - "trustedPorts": [ - { - "port": 22, - "trustedBy": "foo.yahoo.com" - } - ] + "trustedPorts": [] } |