authorTorbjørn Smørgrav <smorgrav@users.noreply.github.com>2018-04-12 09:33:20 +0200
committerGitHub <noreply@github.com>2018-04-12 09:33:20 +0200
commitfa78c43fbd55b2afa6263572549729dbeaaaf8fd (patch)
tree6f5e50b0c5aac92f9d3b7d59ed06410031add5a2 /node-repository
parent8b97e6521c6469bd5b4b0f8807100e51905a9d0f (diff)
parente394e655bf33de15ca385c4b90012f06a451cf20 (diff)
Merge pull request #5513 from vespa-engine/smorgrav/aclmaintainer
AclMaintainer with dual stack and cfg/proxy container support
Diffstat (limited to 'node-repository')
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java12
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java8
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/NodeAclResponse.java24
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-config-server.json8
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-docker-host.json3
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-tenant-node.json3
6 files changed, 45 insertions, 13 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
index 2ef79ec53dd..4bf7e70d06b 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
@@ -166,11 +166,12 @@ public class NodeRepository extends AbstractComponent {
public List<Node> getFailed() { return db.getNodes(Node.State.failed); }
/**
- * Returns a set of nodes that should be trusted by the given node.
+ * Returns the ACL for the node (trusted nodes, networks and ports)
*/
private NodeAcl getNodeAcl(Node node, NodeList candidates) {
Set<Node> trustedNodes = new TreeSet<>(Comparator.comparing(Node::hostname));
Set<String> trustedNetworks = new HashSet<>();
+ Set<Integer> trustedPorts = new HashSet<>();
// For all cases below, trust:
// - nodes in same application
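Review bot: `trustedPorts` is created as a `HashSet`, so its iteration order is unspecified, whereas `trustedNodes` two lines above is deliberately a `TreeSet` ordered by hostname so the ACL comes out in a stable order. With a single port this is invisible, but the JSON response and anything that derives firewall rules from it become order-dependent the moment a second port is added. `Set<Integer> trustedPorts = new TreeSet<>();` keeps the output deterministic and matches the existing convention. `getNodeAcl` continues past the end of this hunk.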
@@ -198,13 +199,18 @@ public class NodeRepository extends AbstractComponent {
case config:
// Config servers trust all nodes
trustedNodes.addAll(candidates.asList());
+
+ // And all connections on 4443
+ trustedPorts.add(4443);
break;
case proxy:
- // No special rules for proxies
+ // Accept connections from the world on 4443
+ trustedPorts.add(4443);
break;
case host:
+ // This is only needed for macvlan networks - for nated networks this is handled elsewhere.
// Docker bridge network
trustedNetworks.add("172.17.0.0/16");
break;
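Review bot: The port rule added under `case config` and `case proxy` is the only entry in the ACL that is not scoped to a peer — `trustedNodes` and `trustedNetworks` name who may connect, while `trustedPorts.add(4443)` opens the port to any source, as the proxy comment ("from the world") states but the config comment ("all connections") leaves ambiguous; please confirm that config servers are meant to be reachable from arbitrary sources on 4443 and say so in the comment. The literal 4443 is also duplicated; a single named constant with the exposure documented on it, e.g. `/** Port on which config servers and proxies accept connections from any source */ private static final int PUBLIC_PORT = 4443;`, keeps the two cases from drifting apart. The new comment on `case host` has a typo: "nated networks" should read "NATed networks". The enclosing switch and `getNodeAcl` continue outside this hunk.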
@@ -215,7 +221,7 @@ public class NodeRepository extends AbstractComponent {
node.hostname(), node.type()));
}
- return new NodeAcl(node, trustedNodes, trustedNetworks);
+ return new NodeAcl(node, trustedNodes, trustedNetworks, trustedPorts);
}
/**
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
index a6190f41c07..34a8b414ef4 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
@@ -17,11 +17,13 @@ public class NodeAcl {
private final Node node;
private final Set<Node> trustedNodes;
private final Set<String> trustedNetworks;
+ private final Set<Integer> trustedPorts;
- public NodeAcl(Node node, Set<Node> trustedNodes, Set<String> trustedNetworks) {
+ public NodeAcl(Node node, Set<Node> trustedNodes, Set<String> trustedNetworks, Set<Integer> trustedPorts) {
this.node = node;
this.trustedNodes = ImmutableSet.copyOf(trustedNodes);
this.trustedNetworks = ImmutableSet.copyOf(trustedNetworks);
+ this.trustedPorts = ImmutableSet.copyOf(trustedPorts);
}
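Review bot: The new `trustedPorts` field and constructor parameter carry no documentation, and the name alone suggests "ports trusted for the trusted nodes", which — going by the inline comments in `NodeRepository.getNodeAcl` ("Accept connections from the world on 4443") — appears to be the opposite of the intent. A Javadoc on the field such as `/** Ports on which this node accepts connections from any source, independent of trustedNodes and trustedNetworks (presumably; confirm against the consumer of this ACL) */` would prevent the next caller from adding a port believing it is peer-scoped. The defensive `ImmutableSet.copyOf` is good, but note it rejects a null argument with an NPE, so callers must pass an empty set rather than null; worth stating in the constructor's Javadoc. The class continues beyond this hunk.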
public Node node() {
@@ -35,4 +37,8 @@ public class NodeAcl {
public Set<String> trustedNetworks() {
return trustedNetworks;
}
+
+ public Set<Integer> trustedPorts() {
+ return trustedPorts;
+ }
}
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/NodeAclResponse.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/NodeAclResponse.java
index 65b727ad0dd..e9b3ea5e726 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/NodeAclResponse.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/NodeAclResponse.java
@@ -13,6 +13,7 @@ import com.yahoo.vespa.hosted.provision.node.NodeAcl;
import java.io.File;
import java.io.IOException;
import java.io.OutputStream;
+import java.util.List;
import java.util.Set;
/**
@@ -42,13 +43,16 @@ public class NodeAclResponse extends HttpResponse {
.orElseGet(() -> nodeRepository.getConfigNode(hostname)
.orElseThrow(() -> new NotFoundException("No node with hostname '" + hostname + "'")));
+ List<NodeAcl> acls = nodeRepository.getNodeAcls(node, aclsForChildren);
+
Cursor trustedNodesArray = object.setArray("trustedNodes");
- nodeRepository.getNodeAcls(node, aclsForChildren).forEach(nodeAcl -> toSlime(nodeAcl, trustedNodesArray));
+ acls.forEach(nodeAcl -> toSlime(nodeAcl, trustedNodesArray));
Cursor trustedNetworksArray = object.setArray("trustedNetworks");
- nodeRepository.getNodeAcls(node, aclsForChildren).forEach(nodeAcl -> toSlime(nodeAcl.trustedNetworks(),
- nodeAcl.node(),
- trustedNetworksArray));
+ acls.forEach(nodeAcl -> toSlime(nodeAcl.trustedNetworks(), nodeAcl.node(), trustedNetworksArray));
+
+ Cursor trustedPortsArray = object.setArray("trustedPorts");
+ acls.forEach(nodeAcl -> toSlime(nodeAcl.trustedPorts(), nodeAcl, trustedPortsArray));
}
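Review bot: The new `trustedPorts` array serialises only `port` and `trustedBy`, with no protocol, so whichever component turns this response into firewall rules has to assume one (TCP, presumably) and the assumption is recorded nowhere; a one-line comment above `Cursor trustedPortsArray = object.setArray("trustedPorts");` stating the intended protocol and that the port is open to any source would make the wire contract explicit. Hoisting `nodeRepository.getNodeAcls(node, aclsForChildren)` into the local `acls` is a good change — the previous code computed the ACL list twice. The enclosing method starts before this hunk.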
private void toSlime(NodeAcl nodeAcl, Cursor array) {
@@ -61,11 +65,19 @@ public class NodeAclResponse extends HttpResponse {
}));
}
- private void toSlime(Set<String> trustedNetworks, Node trustedBy, Cursor array) {
+ private void toSlime(Set<String> trustedNetworks, Node trustedby, Cursor array) {
trustedNetworks.forEach(network -> {
Cursor object = array.addObject();
object.setString("network", network);
- object.setString("trustedBy", trustedBy.hostname());
+ object.setString("trustedBy", trustedby.hostname());
+ });
+ }
+
+ private void toSlime(Set<Integer> trustedPorts, NodeAcl trustedBy, Cursor array) {
+ trustedPorts.forEach(port -> {
+ Cursor object = array.addObject();
+ object.setLong("port", port);
+ object.setString("trustedBy", trustedBy.node().hostname());
});
}
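Review bot: The rename of the parameter `trustedBy` to `trustedby` in the network overload is a style regression — it breaks the camelCase used everywhere else in the file and is not needed for the change — so `private void toSlime(Set<String> trustedNetworks, Node trustedBy, Cursor array)` and `object.setString("trustedBy", trustedBy.hostname());` should be restored. The new port overload takes a `NodeAcl` where the network overload takes a `Node`, presumably because `toSlime(Set<Integer>, Node, Cursor)` would clash with `toSlime(Set<String>, Node, Cursor)` under erasure; if so, giving the two methods distinct names (`networksToSlime`, `portsToSlime`) would let both take `Node trustedBy` and read consistently. The class continues beyond this hunk.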
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-config-server.json b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-config-server.json
index 775d33a3a19..ca3556af805 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-config-server.json
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-config-server.json
@@ -193,5 +193,11 @@
"trustedBy": "cfg1"
}
],
- "trustedNetworks": []
+ "trustedNetworks": [],
+ "trustedPorts": [
+ {
+ "port": 4443,
+ "trustedBy": "cfg1"
+ }
+ ]
}
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-docker-host.json b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-docker-host.json
index f13730ba066..ec423ed0dc5 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-docker-host.json
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-docker-host.json
@@ -84,5 +84,6 @@
"network": "172.17.0.0/16",
"trustedBy": "dockerhost1.yahoo.com"
}
- ]
+ ],
+ "trustedPorts": []
}
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-tenant-node.json b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-tenant-node.json
index b2184c9d825..2f37c1859a2 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-tenant-node.json
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-tenant-node.json
@@ -139,5 +139,6 @@
"trustedBy": "foo.yahoo.com"
}
],
- "trustedNetworks": []
+ "trustedNetworks": [],
+ "trustedPorts":[]
}