author | Tor Brede Vekterli <vekterli@yahooinc.com> | 2022-07-11 10:56:47 +0000 |
---|---|---|
committer | Tor Brede Vekterli <vekterli@yahooinc.com> | 2022-07-11 10:59:23 +0000 |
commit | 09269e1dd17c2c272ba385293da2848a0ac03b83 (patch) | |
tree | d97decf4f9a0dd61d3471dc48271660d1f25da84 /storage | |
parent | 521fcd62bd25ce159187b68e2845e3615fcd393e (diff) |
Add capability request access filter to internal StorageAPI RPC method
This should always succeed today, as authz rules by default grant
all capabilities. But since this is a very hot call path, we'll
learn very quickly if the capability check incurs a measurable
overhead; it is not expected to do so in practice (really just a
virtual function call and a few bitwise ops).
Diffstat (limited to 'storage')
-rw-r--r-- | storage/src/vespa/storage/storageserver/rpc/storage_api_rpc_service.cpp | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/storage/src/vespa/storage/storageserver/rpc/storage_api_rpc_service.cpp b/storage/src/vespa/storage/storageserver/rpc/storage_api_rpc_service.cpp
index 006193f0c37..41dcafc055a 100644
--- a/storage/src/vespa/storage/storageserver/rpc/storage_api_rpc_service.cpp
+++ b/storage/src/vespa/storage/storageserver/rpc/storage_api_rpc_service.cpp
@@ -5,6 +5,7 @@
 #include "rpc_envelope_proto.h"
 #include "shared_rpc_resources.h"
 #include "storage_api_rpc_service.h"
+#include <vespa/fnet/frt/require_capabilities.h>
 #include <vespa/fnet/frt/supervisor.h>
 #include <vespa/fnet/frt/target.h>
 #include <vespa/slobrok/sbmirror.h>
@@ -54,6 +55,9 @@ StorageApiRpcService::Params::~Params() = default;
 void StorageApiRpcService::register_server_methods(SharedRpcResources& rpc_resources) {
 FRT_ReflectionBuilder rb(&rpc_resources.supervisor());
 rb.DefineMethod(rpc_v1_method_name(), "bixbix", "bixbix", FRT_METHOD(StorageApiRpcService::RPC_rpc_v1_send), this);
+ rb.RequestAccessFilter(std::make_unique<FRT_RequireCapabilities>(vespalib::net::tls::CapabilitySet::of({
+ vespalib::net::tls::Capability::content_storage_api()
+ })));
 rb.MethodDesc("V1 of StorageAPI direct RPC protocol");
 rb.ParamDesc("header_encoding", "0=raw, 6=lz4");
 rb.ParamDesc("header_decoded_size", "Uncompressed header blob size"); |
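Review bot: The `rb.RequestAccessFilter(...)` call added after `rb.DefineMethod(...)` carries no comment saying what it enforces or that, per the commit message, it is expected to pass for every peer under the default authz rules, so a reader cannot tell from the code that the check only starts rejecting once capabilities are restricted. I would add above it `// Require the content_storage_api capability for this method; default authz rules grant all capabilities, so this only rejects peers once rules are tightened.` The filter appears to attach to the method defined immediately before it, and `register_server_methods` continues past the end of the hunk, so any further method registered there would need its own filter. The diffstat shows no test under `storage` for a caller that lacks the capability; a case asserting that `RPC_rpc_v1_send` is not reached for such a peer would pin the deny path before the rules change.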