Diffstat (limited to 'node-admin/src/main/java/com/yahoo')
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java78
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java2
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/bindings/GetAclResponse.java7
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java4
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditor.java5
5 files changed, 48 insertions, 48 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
index e721ac3fc20..dd78e08aaa6 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
@@ -2,9 +2,11 @@
package com.yahoo.vespa.hosted.node.admin.configserver.noderepository;
import com.google.common.net.InetAddresses;
+import com.yahoo.config.provision.NodeType;
import com.yahoo.vespa.hosted.node.admin.task.util.network.IPVersion;
import java.net.InetAddress;
+import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedList;
@@ -43,7 +45,7 @@ public class Acl {
this(trustedPorts, trustedNodes, Set.of());
}
- public List<String> toRules(IPVersion ipVersion) {
+ public List<String> toRules(IPVersion ipVersion, NodeType nodeType) {
List<String> rules = new LinkedList<>();
// We reject with rules instead of using policies
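Review bot: `toRules` gains a second parameter but nothing documents how `nodeType` changes the generated rules, and the method body continues past the end of this hunk. A Javadoc on the new signature would help, e.g. `@param nodeType type of the node these rules protect; config-server-like types additionally get per-cluster ZooKeeper rules` alongside `@param ipVersion` and `@return`. A null `nodeType` would surface later as a NullPointerException on `nodeType.isConfigServerLike()`, so `Objects.requireNonNull(nodeType, "nodeType");` at the top of the method would make the precondition explicit where it is violated.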
@@ -62,8 +64,24 @@ public class Acl {
// Allow trusted ports if any
if (!trustedPorts.isEmpty()) {
- String ports = trustedPorts.stream().map(i -> Integer.toString(i)).sorted().collect(Collectors.joining(","));
- rules.add("-A INPUT -p tcp -m multiport --dports " + ports + " -j ACCEPT");
+ rules.add("-A INPUT -p tcp -m multiport --dports " + joinPorts(trustedPorts) + " -j ACCEPT");
+ }
+
+ // Trust ZooKeeper from other config servers/controllers only
+ if (nodeType.isConfigServerLike()) {
+ Set<Integer> zooKeeperPorts = Set.of(2181, 2182, 2183);
+ List<String> clusterAddresses = getTrustedNodes(ipVersion).stream()
+ .filter(node -> node.type() == nodeType)
+ .map(Node::inetAddressString)
+ .sorted()
+ .toList();
+ for (var ipAddress : clusterAddresses) {
+ rules.add("-A INPUT -p tcp -m multiport --dports " + joinPorts(zooKeeperPorts) + " -s " +
+ ipAddress + ipVersion.singleHostCidr() + " -j ACCEPT");
+ }
+ // Reject any other connections to ZooKeeper
+ rules.add("-A INPUT -p tcp -m multiport --dports " + joinPorts(zooKeeperPorts) +
+ " -j REJECT --reject-with " + ipVersion.icmpPortUnreachable());
}
// Allow traffic from trusted nodes
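Review bot: The ZooKeeper REJECT added at the end of this hunk only takes effect if none of the ZooKeeper ports also appear in `trustedPorts`: the ACCEPT for trusted ports is appended first and iptables stops at the first matching rule, so such an entry would bypass the new restriction without any warning. Either document that assumption or drop `zooKeeperPorts` from `trustedPorts` before building the ACCEPT line (hedged, since where `trustedPorts` is populated is not visible here). Separately, the literal `Set.of(2181, 2182, 2183)` and the `joinPorts(zooKeeperPorts)` call repeated in every loop iteration would read better as a `private static final Set<Integer> ZOOKEEPER_PORTS` plus a single `String zkPorts = joinPorts(ZOOKEEPER_PORTS);` computed before the loop. The enclosing `toRules` method starts and ends outside this hunk.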
@@ -84,6 +102,10 @@ public class Acl {
return Collections.unmodifiableList(rules);
}
+ private static String joinPorts(Collection<Integer> ports) {
+ return ports.stream().map(String::valueOf).sorted().collect(Collectors.joining(","));
+ }
+
public Set<Node> getTrustedNodes() {
return trustedNodes;
}
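Review bot: `joinPorts` sorts the port strings rather than the ports, so the output is in lexicographic order (`"2181,443,80"`), which matches the behaviour of the replaced inline code but is not obvious from the helper's name. A one-line comment stating this, `// Lexicographic order: keeps the generated rule text identical to what was previously written`, would stop a later reader from "fixing" it to `ports.stream().sorted().map(String::valueOf)`, since numeric order would change every generated `--dports` line and force a one-time rewrite of the filter table on all hosts.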
@@ -136,25 +158,10 @@ public class Acl {
return Optional.ofNullable(set).map(Set::copyOf).orElseGet(Set::of);
}
- public static class Node {
- private final String hostname;
- private final InetAddress inetAddress;
-
- public Node(String hostname, String ipAddress) {
- this(hostname, InetAddresses.forString(ipAddress));
- }
-
- public Node(String hostname, InetAddress inetAddress) {
- this.hostname = hostname;
- this.inetAddress = inetAddress;
- }
-
- public String hostname() {
- return hostname;
- }
+ public record Node(String hostname, NodeType type, InetAddress inetAddress) {
- public InetAddress inetAddress() {
- return inetAddress;
+ public Node(String hostname, NodeType type, String ipAddress) {
+ this(hostname, type, InetAddresses.forString(ipAddress));
}
public String inetAddressString() {
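Review bot: Converting `Node` to a record changes its equality contract: the generated `equals`/`hashCode` cover all three components, whereas the removed implementation compared only `hostname` and `inetAddress`, so two entries for the same host and address with different `type` are now distinct in the `Set<Node>` produced by `Collectors.toSet()` in RealNodeRepository. That is probably intended but deserves a Javadoc on the record, e.g. `/** A node trusted by this ACL; equality covers hostname, type and address. */`. `inetAddressString()` continues outside this hunk.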
@@ -162,25 +169,12 @@ public class Acl {
}
@Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- Node node = (Node) o;
- return Objects.equals(hostname, node.hostname) &&
- Objects.equals(inetAddress, node.inetAddress);
- }
-
- @Override
- public int hashCode() {
- return Objects.hash(hostname, inetAddress);
- }
-
- @Override
public String toString() {
return "Node{" +
- "hostname='" + hostname + '\'' +
- ", inetAddress=" + inetAddress +
- '}';
+ "hostname='" + hostname + '\'' +
+ ", inetAddress=" + inetAddress +
+ ", nodeType=" + type +
+ '}';
}
}
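Review bot: The retained `toString` override labels the component `nodeType=` while the record component is named `type`, and otherwise reproduces what the record would generate on its own. Either remove the override and rely on the generated `Node[hostname=…, type=…, inetAddress=…]`, or change the label to `", type=" + type +` so log output matches the accessor name. Removing it alters log text, so confirm nothing parses the current format first.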
@@ -203,12 +197,12 @@ public class Acl {
return this;
}
- public Builder withTrustedNode(String hostname, String ipAddress) {
- return withTrustedNode(new Node(hostname, ipAddress));
+ public Builder withTrustedNode(String hostname, String ipAddress, NodeType nodeType) {
+ return withTrustedNode(new Node(hostname, nodeType, ipAddress));
}
- public Builder withTrustedNode(String hostname, InetAddress inetAddress) {
- return withTrustedNode(new Node(hostname, inetAddress));
+ public Builder withTrustedNode(String hostname, InetAddress inetAddress, NodeType nodeType) {
+ return withTrustedNode(new Node(hostname, nodeType, inetAddress));
}
public Builder withTrustedPorts(Integer... ports) {
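Review bot: The two `withTrustedNode` overloads take `(hostname, ipAddress, nodeType)` while the `Node` constructors they delegate to take `(hostname, type, ipAddress)`; the compiler prevents a swap because `NodeType` is a distinct type, but the differing order is easy to misread when scanning call sites. Aligning the builder with the record, `public Builder withTrustedNode(String hostname, NodeType nodeType, String ipAddress)`, would remove the mismatch at the cost of updating callers this diff does not show.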
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java
index a524243e2fb..51111a66d10 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java
@@ -98,7 +98,7 @@ public class RealNodeRepository implements NodeRepository {
.collect(Collectors.groupingBy(
GetAclResponse.Node::getTrustedBy,
Collectors.mapping(
- node -> new Acl.Node(node.hostname, node.ipAddress),
+ node -> new Acl.Node(node.hostname, NodeType.valueOf(node.nodeType), node.ipAddress),
Collectors.toSet())));
// Group trusted networks by container hostname that trusts them
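Review bot: `NodeType.valueOf(node.nodeType)` throws `IllegalArgumentException` for an unrecognised type string and `NullPointerException` when the `type` field is missing from the response, which aborts the whole ACL fetch for every container on the host rather than just the offending entry. Failing closed is defensible for a firewall ACL, but the failure mode should be deliberate and diagnosable: `Objects.requireNonNull(node.nodeType, () -> "ACL entry for " + node.hostname + " has no type")` before the conversion gives a clear message during a rollout where the config server does not yet emit `type` (the same concern applies to the new `nodeType` field in the GetAclResponse hunk). The enclosing statement starts before this hunk.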
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/bindings/GetAclResponse.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/bindings/GetAclResponse.java
index f228743a33f..9afee6f7463 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/bindings/GetAclResponse.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/bindings/GetAclResponse.java
@@ -39,6 +39,9 @@ public class GetAclResponse {
@JsonProperty("hostname")
public final String hostname;
+ @JsonProperty("type")
+ public final String nodeType;
+
@JsonProperty("ipAddress")
public final String ipAddress;
@@ -46,9 +49,11 @@ public class GetAclResponse {
public final String trustedBy;
@JsonCreator
- public Node(@JsonProperty("hostname") String hostname, @JsonProperty("ipAddress") String ipAddress,
+ public Node(@JsonProperty("hostname") String hostname, @JsonProperty("type") String nodeType,
+ @JsonProperty("ipAddress") String ipAddress,
@JsonProperty("trustedBy") String trustedBy) {
this.hostname = hostname;
+ this.nodeType = nodeType;
this.ipAddress = ipAddress;
this.trustedBy = trustedBy;
}
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java
index cb2134b36af..435dc9cae85 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java
@@ -55,8 +55,8 @@ public class AclMaintainer {
if (context.isDisabled(NodeAgentTask.AclMaintainer)) return;
// Apply acl to the filter table
- editFlushOnError(context, IPVersion.IPv4, "filter", FilterTableLineEditor.from(context.acl(), IPVersion.IPv4));
- editFlushOnError(context, IPVersion.IPv6, "filter", FilterTableLineEditor.from(context.acl(), IPVersion.IPv6));
+ editFlushOnError(context, IPVersion.IPv4, "filter", FilterTableLineEditor.from(context.acl(), IPVersion.IPv4, context.nodeType()));
+ editFlushOnError(context, IPVersion.IPv6, "filter", FilterTableLineEditor.from(context.acl(), IPVersion.IPv6, context.nodeType()));
ipAddresses.getAddress(context.hostname().value(), IPVersion.IPv4).ifPresent(addr -> applyRedirect(context, addr));
ipAddresses.getAddress(context.hostname().value(), IPVersion.IPv6).ifPresent(addr -> applyRedirect(context, addr));
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditor.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditor.java
index 462790b8d0f..82dc388568b 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditor.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditor.java
@@ -1,6 +1,7 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.node.admin.maintenance.acl;
+import com.yahoo.config.provision.NodeType;
import com.yahoo.vespa.hosted.node.admin.configserver.noderepository.Acl;
import com.yahoo.vespa.hosted.node.admin.task.util.file.LineEdit;
import com.yahoo.vespa.hosted.node.admin.task.util.file.LineEditor;
@@ -22,8 +23,8 @@ class FilterTableLineEditor implements LineEditor {
this.wantedRules = List.copyOf(wantedRules);
}
- static FilterTableLineEditor from(Acl acl, IPVersion ipVersion) {
- List<String> rules = acl.toRules(ipVersion);
+ static FilterTableLineEditor from(Acl acl, IPVersion ipVersion, NodeType nodeType) {
+ List<String> rules = acl.toRules(ipVersion, nodeType);
return new FilterTableLineEditor(rules);
}