author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2023-02-13 14:04:43 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2023-02-13 14:36:57 +0100 |
commit | 4887b76984bb002dcfc97db45431411ef5ba6fa0 (patch) | |
tree | b95092ee1afb2f0b1283a18ca292661fee920581 /security-utils | |
parent | 495c0799f0761c2b664eca5ca1f750b1fa4c3b9c (diff) |
Add new capabilities in node specific capability sets
Diffstat (limited to 'security-utils')
3 files changed, 24 insertions, 11 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/Capability.java b/security-utils/src/main/java/com/yahoo/security/tls/Capability.java
index d30ef3fdf24..8cb98a0dd59 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/Capability.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/Capability.java
@@ -29,6 +29,8 @@ public enum Capability implements ToCapabilitySet {
 LOGSERVER_API("vespa.logserver.api"),
 METRICSPROXY__MANAGEMENT_API("vespa.metricsproxy.management_api"),
 METRICSPROXY__METRICS_API("vespa.metricsproxy.metrics_api"),
+ SENTINEL__CONNECTIVITY_CHECK("vespa.sentinel.connectivity_check"),
+ SENTINEL__MANAGEMENT_API("vespa.sentinel.management_api"),
 SLOBROK__API("vespa.slobrok.api"),
 ;
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/CapabilitySet.java b/security-utils/src/main/java/com/yahoo/security/tls/CapabilitySet.java
index fa67ab4fe23..cc5bdbeafd3 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/CapabilitySet.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/CapabilitySet.java
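Review bot: SENTINEL__MANAGEMENT_API is introduced here but, judging by the CapabilitySet hunk in the same commit, it is reachable only through ALL (`Capability.values()`), whereas the sibling SENTINEL__CONNECTIVITY_CHECK is placed in SHARED_CAPABILITIES_APP_NODE; if some node type is expected to call the sentinel management API it needs adding to that node's predefined set, otherwise a short comment stating that it is deliberately limited to vespa.all holders would save the next reader the same question. The enum body continues outside the hunk.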
@@ -21,21 +21,33 @@ public class CapabilitySet implements ToCapabilitySet {
 private static final Map<String, CapabilitySet> PREDEFINED = new HashMap<>();
+ private static final CapabilitySet SHARED_CAPABILITIES_APP_NODE = CapabilitySet.of(
+ Capability.LOGSERVER_API, Capability.CONFIGSERVER__CONFIG_API,
+ Capability.CONFIGSERVER__FILEDISTRIBUTION_API, Capability.CONFIGPROXY__CONFIG_API,
+ Capability.CONFIGPROXY__FILEDISTRIBUTION_API, Capability.SENTINEL__CONNECTIVITY_CHECK);
+ /* Predefined capability sets */
+ public static final CapabilitySet ALL = predefined(
+ "vespa.all", Capability.values());
+ public static final CapabilitySet TELEMETRY = predefined(
+ "vespa.telemetry",
+ Capability.CONTENT__STATUS_PAGES, Capability.CONTENT__METRICS_API);
 public static final CapabilitySet CONTENT_NODE = predefined(
 "vespa.content_node",
- Capability.CONTENT__STORAGE_API, Capability.CONTENT__DOCUMENT_API, Capability.SLOBROK__API);
+ Capability.CONTENT__STORAGE_API, Capability.CONTENT__DOCUMENT_API, Capability.CONTAINER__DOCUMENT_API,
+ SHARED_CAPABILITIES_APP_NODE);
 public static final CapabilitySet CONTAINER_NODE = predefined(
 "vespa.container_node",
- Capability.CONTENT__DOCUMENT_API, Capability.CONTENT__SEARCH_API, Capability.SLOBROK__API);
- public static final CapabilitySet TELEMETRY = predefined(
- "vespa.telemetry",
- Capability.CONTENT__STATUS_PAGES, Capability.CONTENT__METRICS_API);
+ Capability.CONTENT__DOCUMENT_API, Capability.CONTENT__SEARCH_API, SHARED_CAPABILITIES_APP_NODE);
 public static final CapabilitySet CLUSTER_CONTROLLER_NODE = predefined(
 "vespa.cluster_controller_node",
- Capability.CONTENT__CLUSTER_CONTROLLER__INTERNAL_STATE_API, Capability.SLOBROK__API);
- public static final CapabilitySet CONFIG_SERVER = predefined(
- "vespa.config_server");
+ Capability.CONTENT__CLUSTER_CONTROLLER__INTERNAL_STATE_API, Capability.SLOBROK__API,
+ Capability.CLIENT__SLOBROK_API, Capability.CONTAINER__DOCUMENT_API, SHARED_CAPABILITIES_APP_NODE);
+ public static final CapabilitySet LOGSERVER_NODE = predefined(
+ "vespa.logserver_node", SHARED_CAPABILITIES_APP_NODE);
+ public static final CapabilitySet CONFIGSERVER_NODE = predefined(
+ "vespa.config_server_node",
+ Capability.CLIENT__FILERECEIVER_API, Capability.CONTAINER__MANAGEMENT_API, TELEMETRY);
 private static CapabilitySet predefined(String name, ToCapabilitySet... capabilities) {
 var instance = CapabilitySet.of(capabilities);
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/ConnectionAuthContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/ConnectionAuthContextTest.java
index 11fd933a562..7092486e521 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/ConnectionAuthContextTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/ConnectionAuthContextTest.java
@@ -37,8 +37,7 @@ class ConnectionAuthContextTest {
 CapabilitySet requiredCaps = CapabilitySet.of(Capability.CONTENT__STATUS_PAGES);
 String expectedMessage = """
 Permission denied for 'myaction' on 'myresource'. Peer 'mypeer' with [CN='myidentity'].
- Requires capabilities [vespa.content.status_pages] but peer has
- [vespa.content.document_api, vespa.content.search_api, vespa.slobrok.api].
+ Requires capabilities [vespa.content.status_pages] but peer has [vespa.logserver.api].
 """;
 String actualMessage = ctx.createPermissionDeniedErrorMessage(requiredCaps, "myaction", "myresource", "mypeer");
 assertThat(actualMessage).isEqualToIgnoringWhitespace(expectedMessage);
@@ -46,7 +45,7 @@ class ConnectionAuthContextTest {
 private static ConnectionAuthContext createConnectionAuthContext() {
 return new ConnectionAuthContext(
- List.of(createCertificate()), CapabilitySet.CONTAINER_NODE, Set.of(),
+ List.of(createCertificate()), CapabilitySet.of(Capability.LOGSERVER_API), Set.of(),
 CapabilityMode.ENFORCE);
 }
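Review bot: CONTENT_NODE and CONTAINER_NODE no longer carry Capability.SLOBROK__API — the removed lines had it, the replacement lines do not, and SHARED_CAPABILITIES_APP_NODE does not add it back, while CLUSTER_CONTROLLER_NODE keeps it; if that drop is unintended, a peer presented with either set would be refused on slobrok calls under CapabilityMode.ENFORCE, so either add `Capability.SLOBROK__API` to SHARED_CAPABILITIES_APP_NODE or state the removal in the commit message, whose title only mentions additions. The predefined name also changes from "vespa.config_server" to "vespa.config_server_node" (CONFIG_SERVER becomes CONFIGSERVER_NODE); if PREDEFINED is resolved by that string from configuration anywhere, the old name silently stops matching, which is also worth calling out. TELEMETRY was moved above CONTENT_NODE because CONFIGSERVER_NODE now includes it and static initialisers run in declaration order; a comment such as `// TELEMETRY must be declared before CONFIGSERVER_NODE, which includes it` would keep a later tidy-up from reordering it back. The enclosing class continues outside the hunk.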
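Review bot: createConnectionAuthContext now builds the peer's capabilities as `CapabilitySet.of(Capability.LOGSERVER_API)` instead of CapabilitySet.CONTAINER_NODE, so after this commit no test visible here pins the contents of any predefined set; given that the same commit reshapes those sets (SLOBROK__API leaves CONTENT_NODE and CONTAINER_NODE, CONFIG_SERVER is renamed), a small test asserting the exact capability list of each predefined set would catch unintended grants or drops in later edits. Decoupling this particular test from CONTAINER_NODE is itself reasonable, since the earlier hunk's expected message otherwise had to track that set's contents.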