Diffstat (limited to 'node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java')
-rw-r--r-- | node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java | 115 |
1 files changed, 55 insertions, 60 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
index b047782753b..0b226d5acc7 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
@@ -11,34 +11,48 @@ import com.yahoo.vespa.hosted.provision.lb.LoadBalancers; import java.util.Comparator; import java.util.LinkedHashSet; -import java.util.List; import java.util.Objects; import java.util.Optional; import java.util.Set; import java.util.TreeSet; -import java.util.stream.StreamSupport; /** * A node ACL declares which nodes, networks and ports a node should trust. * * @author mpolden */ -public record NodeAcl(Node node, - Set<TrustedNode> trustedNodes, - Set<String> trustedNetworks, - Set<Integer> trustedPorts) { - - private static final Set<Integer> RPC_PORTS = Set.of(19070); - - public NodeAcl { - Objects.requireNonNull(node, "node must be non-null"); - ImmutableSet.copyOf(Objects.requireNonNull(trustedNodes, "trustedNodes must be non-null")); - ImmutableSet.copyOf(Objects.requireNonNull(trustedNetworks, "trustedNetworks must be non-null")); - ImmutableSet.copyOf(Objects.requireNonNull(trustedPorts, "trustedPorts must be non-null")); +public class NodeAcl { + + private final Node node; + private final Set<Node> trustedNodes; + private final Set<String> trustedNetworks; + private final Set<Integer> trustedPorts; + + private NodeAcl(Node node, Set<Node> trustedNodes, Set<String> trustedNetworks, Set<Integer> trustedPorts) { + this.node = Objects.requireNonNull(node, "node must be non-null"); + this.trustedNodes = ImmutableSet.copyOf(Objects.requireNonNull(trustedNodes, "trustedNodes must be non-null")); + this.trustedNetworks = ImmutableSet.copyOf(Objects.requireNonNull(trustedNetworks, "trustedNetworks must be non-null")); + this.trustedPorts = ImmutableSet.copyOf(Objects.requireNonNull(trustedPorts, "trustedPorts must be non-null")); + } + + public Node node() { + return node; + } + + public Set<Node> trustedNodes() { + return trustedNodes; + } + + public Set<String> trustedNetworks() { + return trustedNetworks; + } + + public Set<Integer> trustedPorts() { + return trustedPorts; } public static NodeAcl from(Node node, NodeList allNodes, 
LoadBalancers loadBalancers) { - Set<TrustedNode> trustedNodes = new TreeSet<>(Comparator.comparing(TrustedNode::hostname)); + Set<Node> trustedNodes = new TreeSet<>(Comparator.comparing(Node::hostname)); Set<Integer> trustedPorts = new LinkedHashSet<>(); Set<String> trustedNetworks = new LinkedHashSet<>(); @@ -51,9 +65,9 @@ public record NodeAcl(Node node, // - nodes in same application // - load balancers allocated to application trustedPorts.add(22); - allNodes.parentOf(node).map(TrustedNode::of).ifPresent(trustedNodes::add); + allNodes.parentOf(node).ifPresent(trustedNodes::add); node.allocation().ifPresent(allocation -> { - trustedNodes.addAll(TrustedNode.of(allNodes.owner(allocation.owner()))); + trustedNodes.addAll(allNodes.owner(allocation.owner()).asList()); loadBalancers.list(allocation.owner()).asList() .stream() .map(LoadBalancer::instance) 
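Review bot: Turning NodeAcl from a record into a plain class silently drops the structural equals/hashCode/toString the record provided, so two ACLs built from the same node now compare by identity only. If anything downstream compares or deduplicates NodeAcl instances (a test, or a step that decides whether ACLs changed before re-applying them), that comparison now always reports "different"; I cannot see such a caller in this hunk, so this is worth confirming. If value semantics are intentionally not needed, a one-line comment on the class such as `// Identity-only: instances are rebuilt per node by from() and never compared` would make that explicit; otherwise equals/hashCode over the four fields should be restored. The constructor's `ImmutableSet.copyOf` on all three trusted sets is a good defensive copy, and the `TreeSet` keyed by `Node::hostname` keeps the hostname-based deduplication the old `TrustedNode` comparator had. The `from` method whose opening lines end this hunk continues in the following hunks.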
@@ -63,76 +77,57 @@ public record NodeAcl(Node node, }); switch (node.type()) { - case tenant -> { + case tenant: // Tenant nodes in other states than ready, trust: // - config servers // - proxy nodes // - parents of the nodes in the same application: If some nodes are on a different IP version // or only a subset of them are dual-stacked, the communication between the nodes may be NAT-ed // via parent's IP address - trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.config))); - trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.proxy))); - node.allocation().ifPresent(allocation -> trustedNodes.addAll(TrustedNode.of(allNodes.parentsOf(allNodes.owner(allocation.owner()))))); + trustedNodes.addAll(allNodes.nodeType(NodeType.config).asList()); + trustedNodes.addAll(allNodes.nodeType(NodeType.proxy).asList()); + node.allocation().ifPresent(allocation -> + trustedNodes.addAll(allNodes.parentsOf(allNodes.owner(allocation.owner())).asList())); + if (node.state() == Node.State.ready) { // Tenant nodes in state ready, trust: // - All tenant nodes in zone. When a ready node is allocated to an application there's a brief // window where current ACLs have not yet been applied on the node. 
To avoid service disruption // during this window, ready tenant nodes trust all other tenant nodes - trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.tenant))); + trustedNodes.addAll(allNodes.nodeType(NodeType.tenant).asList()); } - } - case config -> { + break; + + case config: // Config servers trust: - // - port 19070 (RPC) from all tenant nodes - // - port 19070 (RPC) from all proxy nodes + // - all nodes // - port 4443 from the world - trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.tenant), RPC_PORTS)); - trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.proxy), RPC_PORTS)); + trustedNodes.addAll(allNodes.asList()); trustedPorts.add(4443); - } - case proxy -> { + break; + + case proxy: // Proxy nodes trust: // - config servers // - all connections from the world on 443 (production traffic) and 4443 (health checks) - trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.config))); + trustedNodes.addAll(allNodes.nodeType(NodeType.config).asList()); trustedPorts.add(443); trustedPorts.add(4443); - } - case controller -> { + break; + + case controller: // Controllers: // - port 4443 (HTTPS + Athenz) from the world // - port 443 (HTTPS + Okta) from the world trustedPorts.add(4443); trustedPorts.add(443); - } - default -> throw new IllegalArgumentException("Don't know how to create ACL for " + node + - " of type " + node.type()); - } - return new NodeAcl(node, trustedNodes, trustedNetworks, trustedPorts); - } - - public record TrustedNode(String hostname, NodeType type, Set<String> ipAddresses, Set<Integer> ports) { - - /** Trust given ports from node */ - public static TrustedNode of(Node node, Set<Integer> ports) { - return new TrustedNode(node.hostname(), node.type(), node.ipConfig().primary(), ports); - } + break; - /** Trust all ports from given node */ - public static TrustedNode of(Node node) { - return of(node, Set.of()); + default: + throw new IllegalArgumentException("Don't know how to create ACL for " + node 
+ + " of type " + node.type()); } - - public static List<TrustedNode> of(Iterable<Node> nodes, Set<Integer> ports) { - return StreamSupport.stream(nodes.spliterator(), false) - .map(node -> TrustedNode.of(node, ports)) - .toList(); - } - - public static List<TrustedNode> of(Iterable<Node> nodes) { - return of(nodes, Set.of()); - } - + return new NodeAcl(node, trustedNodes, trustedNetworks, trustedPorts); } } |
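Review bot: The new `config` branch, `trustedNodes.addAll(allNodes.asList());`, trusts every node in the repository on every port, whereas the removed lines trusted only tenant and proxy nodes and only on the RPC port 19070; this is a real widening of the config-server ACL, not just a refactor of how trusted nodes are represented. Because `allNodes` is not filtered by type here, it presumably also includes host, controller and proxy-host nodes, and because `Set<Node>` carries no port set any more there is no way to express a port-scoped trust. If the widening is a deliberate revert of the port-scoped `TrustedNode` design, the comment should say so rather than the bare `// - all nodes`, e.g. `// - all nodes on all ports (port-scoped trust removed; see <ticket>)`; if only the per-port restriction was meant to go, keep the node-type scoping with `trustedNodes.addAll(allNodes.nodeType(NodeType.tenant).asList());` and `trustedNodes.addAll(allNodes.nodeType(NodeType.proxy).asList());`. The `default:` throw keeps unknown node types failing closed, which is the right behaviour for an ACL builder.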