author | valerijf <valerijf@yahoo-inc.com> | 2017-06-28 16:11:01 +0200 |
---|---|---|
committer | valerijf <valerijf@yahoo-inc.com> | 2017-06-28 16:11:01 +0200 |
commit | 142b891ec5120a4653c2d6d8a5d8406ae71731ec (patch) | |
tree | 4007811261a83e1ba09b799fa042de4c868d4047 /node-repository | |
parent | 96d2113c2adaf6a3bd4bd0182faad10135d982a9 (diff) |
Add docker bridge network to ACL spec
Diffstat (limited to 'node-repository')
2 files changed, 42 insertions, 29 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
index a61565126ef..fde5669bfd5 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
@@ -32,6 +32,7 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Comparator;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
@@ -164,8 +165,9 @@ public class NodeRepository extends AbstractComponent {
     /**
      * Returns a set of nodes that should be trusted by the given node.
      */
-    private Set<Node> getTrustedNodes(Node node, NodeList candidates) {
+    private NodeAcl getNodeAcl(Node node, NodeList candidates) {
         Set<Node> trustedNodes = new TreeSet<>(Comparator.comparing(Node::hostname));
+        Set<String> trustedNetworks = new HashSet<>();
 
         // For all cases below, trust:
         // - nodes in same application
@@ -196,8 +198,12 @@ public class NodeRepository extends AbstractComponent {
                 break;
 
             case proxy:
+                // No special rules for proxies
+                break;
+
             case host:
-                // No special rules for proxies and Docker hosts
+                // Docker bridge network
+                trustedNetworks.add("172.17.0.0/16");
                 break;
 
             default:
@@ -206,7 +212,7 @@ public class NodeRepository extends AbstractComponent {
                     node.hostname(), node.type()));
         }
 
-        return Collections.unmodifiableSet(trustedNodes);
+        return new NodeAcl(node, trustedNodes, trustedNetworks);
     }
 
     /**
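Review bot: The Javadoc kept as context above the renamed method still says it "Returns a set of nodes that should be trusted by the given node", but getNodeAcl now returns a NodeAcl that also carries the trusted networks added further down. Suggest replacing that sentence with `* Returns the ACL for the given node: the nodes and networks it should trust.` so the summary matches the return type. The body of getNodeAcl continues outside this hunk.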
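Review bot: `trustedNetworks.add("172.17.0.0/16");` in the `case host:` branch inlines the bridge subnet as a bare literal, and the test hunk `@@ -40,6 +39,8 @@` on the next line repeats the same literal in `dockerBridgeNetwork`, so the two can drift apart without any test failing. A named constant on NodeRepository, `static final String DOCKER_BRIDGE_NETWORK = "172.17.0.0/16"; // Docker's default bridge subnet; must match the daemon's bridge configuration on the hosts`, referenced from both the switch and the test, keeps them in step. The accompanying comment should also say that the rule admits every address in that /16 on the host, since that is what the ACL grants; if the daemon's bridge range is ever changed, this value has to follow, which is presumably not enforced anywhere visible here.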
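Review bot: `return new NodeAcl(node, trustedNodes, trustedNetworks);` hands the mutable TreeSet and HashSet built in this method straight to NodeAcl, whereas the removed line wrapped the result in Collections.unmodifiableSet. Unless NodeAcl's constructor copies or wraps its arguments (not visible in this diff), callers of trustedNodes()/trustedNetworks() can now mutate an ACL after it has been computed. Wrapping at the call site preserves the previous guarantee: `return new NodeAcl(node, Collections.unmodifiableSet(trustedNodes), Collections.unmodifiableSet(trustedNetworks));`.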
@@ -217,17 +223,14 @@ public class NodeRepository extends AbstractComponent {
      * @return List of node ACLs
      */
     public List<NodeAcl> getNodeAcls(Node node, boolean children) {
-        List<NodeAcl> nodeAcls = new ArrayList<>();
-
         NodeList candidates = new NodeList(getNodes());
         if (children) {
-            List<Node> childNodes = candidates.childNodes(node).asList();
-            childNodes.forEach(childNode -> nodeAcls.add(new NodeAcl(childNode, getTrustedNodes(childNode, candidates))));
+            return candidates.childNodes(node).asList().stream()
+                    .map(childNode -> getNodeAcl(childNode, candidates))
+                    .collect(Collectors.collectingAndThen(Collectors.toList(), Collections::unmodifiableList));
         } else {
-            nodeAcls.add(new NodeAcl(node, getTrustedNodes(node, candidates)));
+            return Collections.singletonList(getNodeAcl(node, candidates));
         }
-
-        return Collections.unmodifiableList(nodeAcls);
     }
 
     /** Get config node by hostname */
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
index 3b7a14000ec..134808b7114 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
@@ -22,7 +22,6 @@ import java.util.Comparator;
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
-import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
 
@@ -40,6 +39,8 @@ public class AclProvisioningTest {
     private ProvisioningTester tester;
     private MockNameResolver nameResolver;
 
+    private final List<String> dockerBridgeNetwork = Collections.singletonList("172.17.0.0/16");
+
     @Before
     public void before() {
         this.curator = new MockCurator();
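Review bot: With `new ArrayList<>()` removed from getNodeAcls, java.util.ArrayList (still imported in the first hunk's context) may no longer be referenced anywhere in NodeRepository; worth checking and dropping the import, as this commit already does for Optional in the test file. Since the `if (children)` branch now returns, the `else` is redundant and `return Collections.singletonList(getNodeAcl(node, candidates));` can follow the if block directly, which reads as the usual guard shape. The Javadoc above the method starts outside this hunk.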
@@ -146,31 +147,27 @@ public class AclProvisioningTest {
         List<NodeAcl> acls = tester.nodeRepository().getNodeAcls(dockerHostNodes.get(0), false);
 
         // Trusted nodes is all Docker hosts and all config servers
-        assertAcls(Arrays.asList(dockerHostNodes, configServers), acls.get(0));
+        assertAcls(Arrays.asList(dockerHostNodes, configServers), dockerBridgeNetwork, acls.get(0));
     }
 
     @Test
-    public void trusted_nodes_for_docker_hosts_and_proxy_nodes_in_zone_application() {
+    public void trusted_nodes_for_docker_hosts_nodes_in_zone_application() {
         ApplicationId applicationId = tester.makeApplicationId(); // use same id for both allocate calls below
         List<Node> configServers = setConfigServers("cfg1:1234,cfg2:1234,cfg3:1234");
 
         // Populate repo
-        tester.makeReadyNodes(3, "default", NodeType.proxy);
         tester.makeReadyNodes(2, "default", NodeType.host);
 
-        // Allocate 3 proxy nodes
-        List<Node> activeProxyNodes = allocateNodes(NodeType.proxy, applicationId);
-        assertEquals(3, activeProxyNodes.size());
 
-        // Allocate 2 Docker hosts, a total of 5 hosts
-        List<Node> activeDockerHostsAndProxyNodes = allocateNodes(NodeType.host, applicationId);
-        assertEquals(5, activeDockerHostsAndProxyNodes.size());
+        // Allocate 2 Docker hosts
+        List<Node> activeDockerHostNodes = allocateNodes(NodeType.host, applicationId);
+        assertEquals(2, activeDockerHostNodes.size());
 
         // Check trusted nodes for all nodes
-        activeDockerHostsAndProxyNodes.forEach(node -> {
+        activeDockerHostNodes.forEach(node -> {
             System.out.println("Checking node " + node);
             List<NodeAcl> nodeAcls = tester.nodeRepository().getNodeAcls(node, false);
-            assertAcls(Arrays.asList(activeDockerHostsAndProxyNodes, configServers), nodeAcls);
+            assertAcls(Arrays.asList(activeDockerHostNodes, configServers), dockerBridgeNetwork, nodeAcls);
         });
     }
 
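Review bot: Dropping the proxy nodes from this test leaves the new `case proxy:` branch in NodeRepository.getNodeAcl without visible coverage in this file, so nothing here asserts that a proxy trusts no networks while a host trusts the bridge subnet. If no other test covers it, a companion case that allocates proxy nodes and checks `assertAcls(Arrays.asList(activeProxyNodes, configServers), Collections.emptyList(), nodeAcls);` would pin that distinction; the two-argument assertAcls overload asserts the empty list implicitly, but spelling it out documents the intent. The test method's name also has a stray "hosts nodes" pair; `trusted_nodes_for_docker_hosts_in_zone_application` reads better.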
@@ -238,17 +235,30 @@ public class AclProvisioningTest {
     }
 
     private static void assertAcls(List<List<Node>> expected, NodeAcl actual) {
-        assertAcls(expected, Collections.singletonList(actual));
+        assertAcls(expected, Collections.emptyList(), Collections.singletonList(actual));
     }
 
     private static void assertAcls(List<List<Node>> expected, List<NodeAcl> actual) {
-        List<Node> nodes = expected.stream()
+        assertAcls(expected, Collections.emptyList(), actual);
+    }
+
+    private static void assertAcls(List<List<Node>> expected, List<String> expectedNetworks, NodeAcl actual) {
+        assertAcls(expected, expectedNetworks, Collections.singletonList(actual));
+    }
+
+    private static void assertAcls(List<List<Node>> expectedNodes, List<String> expectedNetworks, List<NodeAcl> actual) {
+        Set<Node> expectedTrustedNodes = expectedNodes.stream()
                 .flatMap(Collection::stream)
-                .sorted(Comparator.comparing(Node::hostname))
-                .collect(Collectors.toList());
-        List<Node> trustedNodes = actual.stream()
+                .collect(Collectors.toSet());
+        Set<Node> actualTrustedNodes = actual.stream()
                 .flatMap(acl -> acl.trustedNodes().stream())
-                .collect(Collectors.toList());
-        assertEquals(nodes, trustedNodes);
+                .collect(Collectors.toSet());
+        assertEquals(expectedTrustedNodes, actualTrustedNodes);
+
+        Set<String> expectedTrustedNetworks = new HashSet<>(expectedNetworks);
+        Set<String> actualTrustedNetworks = actual.stream()
+                .flatMap(acl -> acl.trustedNetworks().stream())
+                .collect(Collectors.toSet());
+        assertEquals(expectedTrustedNetworks, actualTrustedNetworks);
     }
 }
|
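Review bot: Collecting with `Collectors.toSet()` instead of the former sorted list means assertAcls no longer notices a node that appears twice across the given ACLs, and the set membership now rests on Node's equals/hashCode, which this diff does not show; if Node compares by identity, the assertion passes only because the same instances flow through both sides, so a short comment stating that assumption on the four-argument overload would help the next reader. Removing `.sorted(Comparator.comparing(Node::hostname))` likely leaves java.util.Comparator unused in this test class (it appears in the `@@ -22,7 +22,6 @@` header context), so it can probably go the way of the Optional import. The two-argument overloads now also assert that no networks are trusted, which is a sensible default but deserves a line such as `// Asserts no trusted networks; use the overloads taking expectedNetworks when some are expected`.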