Diffstat (limited to 'node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver')
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java32
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java12
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/bindings/GetAclResponse.java7
3 files changed, 40 insertions, 11 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
index 87dd42d8008..311a95e1a12 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
@@ -23,25 +23,28 @@ import java.util.stream.Collectors;
*/
public class Acl {
- public static final Acl EMPTY = new Acl(Set.of(), Set.of(), Set.of());
+ public static final Acl EMPTY = new Acl(Set.of(), Set.of(), Set.of(), Set.of());
private final Set<Node> trustedNodes;
private final Set<Integer> trustedPorts;
+ private final Set<Integer> trustedUdpPorts;
private final Set<String> trustedNetworks;
/**
- * @param trustedPorts Ports to trust
+ * @param trustedPorts TCP Ports to trust
+ * @param trustedUdpPorts UDP ports to trust
* @param trustedNodes Nodes to trust
* @param trustedNetworks Networks (in CIDR notation) to trust
*/
- public Acl(Set<Integer> trustedPorts, Set<Node> trustedNodes, Set<String> trustedNetworks) {
+ public Acl(Set<Integer> trustedPorts, Set<Integer> trustedUdpPorts, Set<Node> trustedNodes, Set<String> trustedNetworks) {
this.trustedNodes = copyOfNullable(trustedNodes);
this.trustedPorts = copyOfNullable(trustedPorts);
+ this.trustedUdpPorts = copyOfNullable(trustedUdpPorts);
this.trustedNetworks = copyOfNullable(trustedNetworks);
}
public Acl(Set<Integer> trustedPorts, Set<Node> trustedNodes) {
- this(trustedPorts, trustedNodes, Set.of());
+ this(trustedPorts, Set.of(), trustedNodes, Set.of());
}
public List<String> toRules(IPVersion ipVersion) {
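Review bot: The new four-argument constructor at L33 places two `Set<Integer>` parameters side by side, so a caller that transposes the TCP and UDP sets still compiles and silently opens the wrong protocol; the only call site in this diff passes them in the right order, but nothing enforces it. The Javadoc is the one place that states the order, so it is worth making it unambiguous and consistent, e.g. `@param trustedPorts TCP ports to trust` (lower-case "ports" to match the UDP line) and a constructor-level sentence pointing callers at `Builder.withTrustedPorts`/`withTrustedUdpPorts`, which name the protocol at the call site. Whether a null set is tolerated depends on `copyOfNullable`, which is outside the hunk.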
@@ -66,6 +69,11 @@ public class Acl {
rules.add("-A INPUT -p tcp -m multiport --dports " + joinPorts(trustedPorts) + " -j ACCEPT");
}
+ // Allow trusted UDP ports if any
+ if (!trustedUdpPorts.isEmpty()) {
+ rules.add("-A INPUT -p udp -m multiport --dports " + joinPorts(trustedUdpPorts) + " -j ACCEPT");
+ }
+
// Allow traffic from trusted nodes, limited to specific ports, if any
getTrustedNodes(ipVersion).stream()
.map(node -> {
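Review bot: The UDP rule emitted at L49 uses `-m multiport --dports`, which iptables caps at 15 port specifications per rule, so a trusted-UDP-port set larger than that produces a rule that iptables rejects outright rather than one that is merely incomplete; the TCP rule at L45 has the same exposure. If `joinPorts` (outside the hunk) does not already split or reject oversized sets, a guard there or in the constructor would turn a silent rule-load failure into a clear error, e.g. `if (ports.size() > 15) throw new IllegalArgumentException("multiport accepts at most 15 ports, got " + ports.size());`. `toRules` starts before this hunk and continues after it, so the ordering of the new UDP rule relative to any stateful-connection accept rule cannot be confirmed here.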
@@ -113,8 +121,8 @@ public class Acl {
return trustedPorts;
}
- public Set<Integer> getTrustedPorts(IPVersion ipVersion) {
- return trustedPorts;
+ public Set<Integer> getTrustedUdpPorts() {
+ return trustedUdpPorts;
}
@Override
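Review bot: `getTrustedUdpPorts()` at L60 is added without Javadoc, and because its sibling is named `getTrustedPorts()` rather than anything TCP-specific, a reader of the accessors cannot tell which protocol each covers. Suggest `/** Trusted UDP destination ports; {@link #getTrustedPorts()} covers TCP only. */` on the new getter. Whether the returned set is unmodifiable depends on `copyOfNullable`, which is outside the hunk; if it does not go through `Set.copyOf`, the getter hands out mutable internal state.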
@@ -124,12 +132,13 @@ public class Acl {
Acl acl = (Acl) o;
return trustedNodes.equals(acl.trustedNodes) &&
trustedPorts.equals(acl.trustedPorts) &&
+ trustedUdpPorts.equals(acl.trustedUdpPorts) &&
trustedNetworks.equals(acl.trustedNetworks);
}
@Override
public int hashCode() {
- return Objects.hash(trustedNodes, trustedPorts, trustedNetworks);
+ return Objects.hash(trustedNodes, trustedPorts, trustedUdpPorts, trustedNetworks);
}
@Override
@@ -137,6 +146,7 @@ public class Acl {
return "Acl{" +
"trustedNodes=" + trustedNodes +
", trustedPorts=" + trustedPorts +
+ ", trustedUdpPorts=" + trustedUdpPorts +
", trustedNetworks=" + trustedNetworks +
'}';
}
@@ -175,6 +185,7 @@ public class Acl {
private final Set<Node> trustedNodes = new HashSet<>();
private final Set<Integer> trustedPorts = new HashSet<>();
+ private final Set<Integer> trustedUdpPorts = new HashSet<>();
private final Set<String> trustedNetworks = new HashSet<>();
public Builder() { }
@@ -207,13 +218,18 @@ public class Acl {
return this;
}
+ public Builder withTrustedUdpPorts(Integer... ports) {
+ trustedUdpPorts.addAll(List.of(ports));
+ return this;
+ }
+
public Builder withTrustedNetworks(Set<String> networks) {
trustedNetworks.addAll(networks);
return this;
}
public Acl build() {
- return new Acl(trustedPorts, trustedNodes, trustedNetworks);
+ return new Acl(trustedPorts, trustedUdpPorts, trustedNodes, trustedNetworks);
}
}
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java
index 36a4703a415..c15998a48df 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java
@@ -91,6 +91,12 @@ public class RealNodeRepository implements NodeRepository {
GetAclResponse.Port::getTrustedBy,
Collectors.mapping(port -> port.port, Collectors.toSet())));
+ // Group UDP ports by container hostname that trusts them
+ Map<String, Set<Integer>> trustedUdpPorts = response.trustedUdpPorts.stream()
+ .collect(Collectors.groupingBy(
+ GetAclResponse.Port::getTrustedBy,
+ Collectors.mapping(port -> port.port, Collectors.toSet())));
+
// Group node ip-addresses by container hostname that trusts them
Map<String, Set<Acl.Node>> trustedNodes = response.trustedNodes.stream()
.collect(Collectors.groupingBy(
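Review bot: The grouping added at L116-L119 is a line-for-line copy of the TCP grouping that ends at L114, differing only in the source list; a shared helper keeps the two in step if the `Port` binding or the grouping key ever changes. The enclosing method starts outside the hunk, so the helper below is shown on its own and both call sites would become `portsByTrustingHost(response.trustedPorts)` and `portsByTrustingHost(response.trustedUdpPorts)`.
```java
// Group ports by the container hostname that trusts them (shared by TCP and UDP)
private static Map<String, Set<Integer>> portsByTrustingHost(List<GetAclResponse.Port> ports) {
    return ports.stream()
            .collect(Collectors.groupingBy(
                    GetAclResponse.Port::getTrustedBy,
                    Collectors.mapping(port -> port.port, Collectors.toSet())));
}
```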
@@ -106,12 +112,14 @@ public class RealNodeRepository implements NodeRepository {
// For each hostname create an ACL
- return Stream.of(trustedNodes.keySet(), trustedPorts.keySet(), trustedNetworks.keySet())
+ return Stream.of(trustedNodes.keySet(), trustedPorts.keySet(), trustedUdpPorts.keySet(), trustedNetworks.keySet())
.flatMap(Set::stream)
.distinct()
.collect(Collectors.toMap(
Function.identity(),
- hostname -> new Acl(trustedPorts.get(hostname), trustedNodes.get(hostname),
+ hostname -> new Acl(trustedPorts.get(hostname),
+ trustedUdpPorts.get(hostname),
+ trustedNodes.get(hostname),
trustedNetworks.get(hostname))));
}
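Review bot: `trustedUdpPorts.get(hostname)` at L134 is null for every hostname that appears only in the other three maps, and the call is safe only because the `Acl` constructor routes each argument through `copyOfNullable`; that null-tolerance is a contract of another class and is invisible at this call site. `trustedUdpPorts.getOrDefault(hostname, Set.of())` makes the fail-closed default explicit here, and the same applies to the three sibling lookups at L133, L135 and L136. The enclosing method starts outside the hunk.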
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/bindings/GetAclResponse.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/bindings/GetAclResponse.java
index 08d145b3ac8..6e12d55888f 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/bindings/GetAclResponse.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/bindings/GetAclResponse.java
@@ -24,13 +24,18 @@ public class GetAclResponse {
@JsonProperty("trustedPorts")
public final List<Port> trustedPorts;
+ @JsonProperty("trustedUdpPorts")
+ public final List<Port> trustedUdpPorts;
+
@JsonCreator
public GetAclResponse(@JsonProperty("trustedNodes") List<Node> trustedNodes,
@JsonProperty("trustedNetworks") List<Network> trustedNetworks,
- @JsonProperty("trustedPorts") List<Port> trustedPorts) {
+ @JsonProperty("trustedPorts") List<Port> trustedPorts,
+ @JsonProperty("trustedUdpPorts") List<Port> trustedUdpPorts) {
this.trustedNodes = trustedNodes == null ? List.of() : List.copyOf(trustedNodes);
this.trustedNetworks = trustedNetworks == null ? List.of() : List.copyOf(trustedNetworks);
this.trustedPorts = trustedPorts == null ? List.of() : List.copyOf(trustedPorts);
+ this.trustedUdpPorts = trustedUdpPorts == null ? List.of() : List.copyOf(trustedUdpPorts);
}
@JsonIgnoreProperties(ignoreUnknown = true)
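Review bot: The null-to-empty default at L157 means a response that omits `trustedUdpPorts` yields no UDP rules at all, which is the fail-closed choice but is not recorded anywhere in the binding. A comment on that line, e.g. `// Absent field (e.g. a server that does not yet emit UDP ports) means no UDP ports are trusted`, would keep a future maintainer from "fixing" it into a permissive default. The class continues past the hunk.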