authorAndreas Eriksen <andreer@yahoo-inc.com>2017-02-15 15:40:49 +0100
committerAndreas Eriksen <andreer@yahoo-inc.com>2017-02-15 15:40:49 +0100
commit70ff7d0d05ab52b7ed7ee4cf2092c9f024e32c47 (patch)
tree394093abdc2b2bfab1f5b74e319669a7fdcb36f5 /node-repository
parente4d939e2a47311bfff34f284146409c58e2e1ce0 (diff)
trust docker hosts
Diffstat (limited to 'node-repository')
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java14
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java4
2 files changed, 17 insertions, 1 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
index fb1f9edad31..a214a8c0398 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
@@ -158,6 +158,9 @@ public class NodeRepository extends AbstractComponent {
switch (node.type()) {
case tenant:
// Tenant nodes trust nodes in same application and all infrastructure nodes
+ // They also trust all traffic from Docker hosts of trusted nodes,
+ // as it may be NATed traffic from trusted Docker containers
+ trustedNodes.addAll(getDockerHosts(trustedNodes)); // TODO: Remove when we no longer have IPv4-only nodes
trustedNodes.addAll(getNodes(NodeType.proxy));
trustedNodes.addAll(getConfigNodes());
break;
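Review bot: The comment added above `trustedNodes.addAll(getDockerHosts(trustedNodes))` should state how far the trust extends. An ACL entry for a Docker host admits everything that leaves that host's address, so any other container NATed behind the same host is presumably admitted too, not only the trusted containers the comment mentions. I would add a line such as `// NOTE: this trusts the whole host, including any other container NATed behind it` so the widening is explicit until the TODO is resolved. The call also runs before the proxy and config nodes are added, so their Docker hosts are not included; if that is deliberate, the comment should say so. The switch continues outside the hunk.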
@@ -465,6 +468,17 @@ public class NodeRepository extends AbstractComponent {
.collect(Collectors.toList());
}
+ private List<Node> getDockerHosts(List<Node> nodes) {
+ return nodes.stream()
+ .map(Node::parentHostname)
+ .filter(Optional::isPresent)
+ .map(Optional::get)
+ .map(hostName -> getNode(hostName, Node.State.ready))
+ .filter(Optional::isPresent)
+ .map(Optional::get)
+ .collect(Collectors.toList());
+ }
+
/** Returns the time keeper of this system */
public Clock clock() { return clock; }
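Review bot: `getDockerHosts` resolves parents only through `getNode(hostName, Node.State.ready)`, so a Docker host in any other state is silently left out of the ACL and NATed traffic from its containers would be dropped with nothing to indicate why. Whether a host can leave `ready` while still running containers is not visible in this hunk, but the state restriction deserves a why-comment, or should be widened if the lookup allows it. Several trusted nodes on the same host also yield that host more than once; a `.distinct()` on the host names, placed before the lookup, avoids duplicate entries and repeated lookups. The method also lacks the one-line Javadoc its neighbour `clock()` has, for example `/** Returns the ready Docker hosts that are parents of the given nodes */`.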
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
index 1ed2bcd47ff..27b321b0673 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
@@ -50,6 +50,8 @@ public class AclProvisioningTest {
// Populate repo
tester.makeReadyNodes(10, "default");
+ List<Node> dockerHost = tester.makeReadyNodes(1, "default", NodeType.host);
+ tester.makeReadyDockerNodes(1, "default", dockerHost.get(0).id());
List<Node> proxyNodes = tester.makeReadyNodes(3, "default", NodeType.proxy);
// Allocate 2 nodes
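Review bot: The setup creates a single Docker host, so the updated assertion in the next hunk (`assertAcls(Arrays.asList(activeNodes, proxyNodes, configServers, dockerHost), nodeAcls)`) cannot tell "hosts of trusted nodes" apart from "every Docker host". Since this change widens a network ACL, the negative case matters more than the positive one. I would add a second host with no trusted child, e.g. `List<Node> unrelatedHost = tester.makeReadyNodes(1, "default", NodeType.host);`, and assert that it does not appear in `nodeAcls`. The comment `// Trusted nodes is active nodes in same application, proxy nodes and config servers` in that hunk should also be updated to mention Docker hosts.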
@@ -61,7 +63,7 @@ public class AclProvisioningTest {
List<NodeAcl> nodeAcls = tester.nodeRepository().getNodeAcls(node, false);
// Trusted nodes is active nodes in same application, proxy nodes and config servers
- assertAcls(Arrays.asList(activeNodes, proxyNodes, configServers), nodeAcls);
+ assertAcls(Arrays.asList(activeNodes, proxyNodes, configServers, dockerHost), nodeAcls);
}
@Test