Diffstat (limited to 'configserver')
3 files changed, 11 insertions, 32 deletions
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java
index c7bbecc157c..5c760f0a25a 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/DefaultRpcAuthorizerProvider.java
@@ -24,25 +24,15 @@ public class DefaultRpcAuthorizerProvider implements Provider<RpcAuthorizer> {
 public DefaultRpcAuthorizerProvider(ConfigserverConfig config,
 NodeIdentifier nodeIdentifier,
 HostRegistries hostRegistries,
- RequestHandlerProvider handlerProvider,
- FlagSource flagSource) {
- String authorizerMode = Flags.CONFIGSERVER_RPC_AUTHORIZER.bindTo(flagSource).value();
+ RequestHandlerProvider handlerProvider) {
 boolean useMultiTenantAuthorizer =
- TransportSecurityUtils.isTransportSecurityEnabled() && config.multitenant() && config.hostedVespa() && !authorizerMode.equals("disable");
+ TransportSecurityUtils.isTransportSecurityEnabled() && config.multitenant() && config.hostedVespa();
 this.rpcAuthorizer = useMultiTenantAuthorizer
- ? new MultiTenantRpcAuthorizer(nodeIdentifier, hostRegistries, handlerProvider, toMultiTenantRpcAuthorizerMode(authorizerMode), getThreadPoolSize(config))
+ ? new MultiTenantRpcAuthorizer(nodeIdentifier, hostRegistries, handlerProvider, getThreadPoolSize(config))
 : new NoopRpcAuthorizer();
 }
- private static MultiTenantRpcAuthorizer.Mode toMultiTenantRpcAuthorizerMode(String authorizerMode) {
- switch (authorizerMode) {
- case "log-only": return MultiTenantRpcAuthorizer.Mode.LOG_ONLY;
- case "enforce": return MultiTenantRpcAuthorizer.Mode.ENFORCE;
- default: throw new IllegalArgumentException("Invalid authorizer mode: " + authorizerMode);
- }
- }
-
 private static int getThreadPoolSize(ConfigserverConfig config) {
 return config.numRpcThreads() != 0 ? config.numRpcThreads() : 8;
 }
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
index 86fee1ab9bc..d20f9ed1abc 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
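Review bot: With the flag lookup and `toMultiTenantRpcAuthorizerMode` gone, the constructor now silently selects `NoopRpcAuthorizer` whenever transport security is off or the config is not multitenant/hosted, and nothing records which authorizer was chosen. Since this is the single decision that turns RPC authorization on or off for the config server, one startup log line after the assignment would let operators verify it, e.g. `log.info("Using RPC authorizer " + rpcAuthorizer.getClass().getSimpleName());` (this presumes a `Logger` field, which the hunk does not show). A short comment above `boolean useMultiTenantAuthorizer =` saying why all three conditions are required (the authorizer relies on peer identity from TLS, and the host registry only exists in multitenant hosted setups, if that is indeed the reason) would also help the next reader; please confirm the rationale before writing it down.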
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
@@ -39,38 +39,31 @@ import java.util.logging.Logger;
 */
 public class MultiTenantRpcAuthorizer implements RpcAuthorizer {
- public enum Mode { LOG_ONLY, ENFORCE }
-
 private static final Logger log = Logger.getLogger(MultiTenantRpcAuthorizer.class.getName());
 private final NodeIdentifier nodeIdentifier;
 private final HostRegistry<TenantName> hostRegistry;
 private final RequestHandlerProvider handlerProvider;
 private final Executor executor;
- private final Mode mode;
 public MultiTenantRpcAuthorizer(NodeIdentifier nodeIdentifier,
 HostRegistries hostRegistries,
 RequestHandlerProvider handlerProvider,
- Mode mode,
 int threadPoolSize) {
 this(nodeIdentifier, hostRegistries.getTenantHostRegistry(), handlerProvider,
- Executors.newFixedThreadPool(threadPoolSize, new DaemonThreadFactory("multi-tenant-rpc-authorizer-")),
- mode);
+ Executors.newFixedThreadPool(threadPoolSize, new DaemonThreadFactory("multi-tenant-rpc-authorizer-")));
 }
 MultiTenantRpcAuthorizer(NodeIdentifier nodeIdentifier,
 HostRegistry<TenantName> hostRegistry,
 RequestHandlerProvider handlerProvider,
- Executor executor,
- Mode mode) {
+ Executor executor) {
 this.nodeIdentifier = nodeIdentifier;
 this.hostRegistry = hostRegistry;
 this.handlerProvider = handlerProvider;
 this.executor = executor;
- this.mode = mode;
 }
 @Override
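Review bot: The package-private constructor still stores its four collaborators without null checks, so a missing `nodeIdentifier` or `hostRegistry` would only surface later inside an authorization decision rather than at construction. Since this commit already touches every assignment line, it is a good moment to make the preconditions explicit, e.g. `this.nodeIdentifier = Objects.requireNonNull(nodeIdentifier, "nodeIdentifier");` and the same for `hostRegistry`, `handlerProvider` and `executor` (this needs `java.util.Objects` imported, which the hunk does not show). The class-level Javadoc ends at the ` */` line at the top of the hunk; if it mentioned the removed log-only mode, it should be updated in the same commit.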
@@ -158,15 +151,13 @@ public class MultiTenantRpcAuthorizer implements RpcAuthorizer {
 }
 private void handleAuthorizationFailure(Request request, Throwable throwable) {
- String errorMessage = String.format("For request '%s' from '%s' (mode=%s): %s", request.methodName(), request.target().toString(), mode.toString(), throwable.getMessage());
+ String errorMessage = String.format("For request '%s' from '%s': %s", request.methodName(), request.target().toString(), throwable.getMessage());
 log.log(LogLevel.INFO, errorMessage);
 log.log(LogLevel.DEBUG, throwable, throwable::getMessage);
- if (mode == Mode.ENFORCE) {
- JrtErrorCode error = throwable instanceof AuthorizationException ? JrtErrorCode.UNAUTHORIZED : JrtErrorCode.AUTHORIZATION_FAILED;
- request.setError(error.code, errorMessage);
- request.returnRequest();
- throwUnchecked(throwable); // rethrow exception to ensure that subsequent completion stages are not executed (don't execute implementation of rpc method).
- }
+ JrtErrorCode error = throwable instanceof AuthorizationException ? JrtErrorCode.UNAUTHORIZED : JrtErrorCode.AUTHORIZATION_FAILED;
+ request.setError(error.code, errorMessage);
+ request.returnRequest();
+ throwUnchecked(throwable); // rethrow exception to ensure that subsequent completion stages are not executed (don't execute implementation of rpc method).
 }
 // TODO Make peer identity mandatory once TLS mixed mode is removed
diff --git a/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java b/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java
index 9f5a297103d..5a7ac665463 100644
--- a/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java
+++ b/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java
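Review bot: Now that `handleAuthorizationFailure` always answers the peer, `request.setError(error.code, errorMessage)` sends `throwable.getMessage()` back to a caller that has just failed authorization, and in the `AUTHORIZATION_FAILED` branch that throwable is anything other than an `AuthorizationException`, presumably an unexpected internal failure whose message was never meant for a remote client. The full text is already captured by the INFO/DEBUG log lines above, so the reply could carry only the request context, e.g. `request.setError(error.code, String.format("Request '%s' from '%s' was not authorized", request.methodName(), request.target()));`. If the `AuthorizationException` messages are intentionally shown to the peer, limit the change to the non-`AuthorizationException` case. The method is entirely inside this hunk.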
@@ -44,7 +44,6 @@ import java.util.Set;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.Executor;
-import static com.yahoo.vespa.config.server.rpc.security.MultiTenantRpcAuthorizer.Mode.ENFORCE;
 import static java.time.temporal.ChronoUnit.DAYS;
 import static org.hamcrest.core.IsInstanceOf.instanceOf;
 import static org.mockito.Mockito.mock;
@@ -236,8 +235,7 @@ public class MultiTenantRpcAuthorizerTest {
 new StaticNodeIdentifier(identity),
 hostRegistry,
 createRequestHandlerProviderMock(),
- new DirectExecutor(),
- ENFORCE);
+ new DirectExecutor());
 }
 private static Request createConfigRequest(ConfigKey<?> configKey, HostName hostName) { |