path: root/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
Diffstat (limited to 'node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java')
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java115
1 files changed, 55 insertions, 60 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
index b047782753b..0b226d5acc7 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
@@ -11,34 +11,48 @@ import com.yahoo.vespa.hosted.provision.lb.LoadBalancers;
import java.util.Comparator;
import java.util.LinkedHashSet;
-import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.TreeSet;
-import java.util.stream.StreamSupport;
/**
* A node ACL declares which nodes, networks and ports a node should trust.
*
* @author mpolden
*/
-public record NodeAcl(Node node,
- Set<TrustedNode> trustedNodes,
- Set<String> trustedNetworks,
- Set<Integer> trustedPorts) {
-
- private static final Set<Integer> RPC_PORTS = Set.of(19070);
-
- public NodeAcl {
- Objects.requireNonNull(node, "node must be non-null");
- ImmutableSet.copyOf(Objects.requireNonNull(trustedNodes, "trustedNodes must be non-null"));
- ImmutableSet.copyOf(Objects.requireNonNull(trustedNetworks, "trustedNetworks must be non-null"));
- ImmutableSet.copyOf(Objects.requireNonNull(trustedPorts, "trustedPorts must be non-null"));
+public class NodeAcl {
+
+ private final Node node;
+ private final Set<Node> trustedNodes;
+ private final Set<String> trustedNetworks;
+ private final Set<Integer> trustedPorts;
+
+ private NodeAcl(Node node, Set<Node> trustedNodes, Set<String> trustedNetworks, Set<Integer> trustedPorts) {
+ this.node = Objects.requireNonNull(node, "node must be non-null");
+ this.trustedNodes = ImmutableSet.copyOf(Objects.requireNonNull(trustedNodes, "trustedNodes must be non-null"));
+ this.trustedNetworks = ImmutableSet.copyOf(Objects.requireNonNull(trustedNetworks, "trustedNetworks must be non-null"));
+ this.trustedPorts = ImmutableSet.copyOf(Objects.requireNonNull(trustedPorts, "trustedPorts must be non-null"));
+ }
+
+ public Node node() {
+ return node;
+ }
+
+ public Set<Node> trustedNodes() {
+ return trustedNodes;
+ }
+
+ public Set<String> trustedNetworks() {
+ return trustedNetworks;
+ }
+
+ public Set<Integer> trustedPorts() {
+ return trustedPorts;
}
public static NodeAcl from(Node node, NodeList allNodes, LoadBalancers loadBalancers) {
- Set<TrustedNode> trustedNodes = new TreeSet<>(Comparator.comparing(TrustedNode::hostname));
+ Set<Node> trustedNodes = new TreeSet<>(Comparator.comparing(Node::hostname));
Set<Integer> trustedPorts = new LinkedHashSet<>();
Set<String> trustedNetworks = new LinkedHashSet<>();
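Review bot: The new class at lines 40-68 drops the value semantics the record gave for free: there is no `equals`, `hashCode` or `toString`, so two ACLs built from the same node and the same trusted sets no longer compare equal, which any caller or test that compared `NodeAcl` instances will notice. The class also has only a private constructor and no subclass hook, so it should be declared `public final class NodeAcl` to keep the record's non-extensibility. Since every field is an immutable snapshot, field-wise equality is safe; `Node` equality is assumed to be defined upstream and is worth confirming. The method `from` that begins at line 69 continues past this hunk.
```java
public final class NodeAcl {

    // … unchanged: fields, constructor, accessors …

    @Override
    public boolean equals(Object o) {
        if (this == o) return true;
        if (!(o instanceof NodeAcl other)) return false;
        return node.equals(other.node)
               && trustedNodes.equals(other.trustedNodes)
               && trustedNetworks.equals(other.trustedNetworks)
               && trustedPorts.equals(other.trustedPorts);
    }

    @Override
    public int hashCode() {
        return Objects.hash(node, trustedNodes, trustedNetworks, trustedPorts);
    }
```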
@@ -51,9 +65,9 @@ public record NodeAcl(Node node,
// - nodes in same application
// - load balancers allocated to application
trustedPorts.add(22);
- allNodes.parentOf(node).map(TrustedNode::of).ifPresent(trustedNodes::add);
+ allNodes.parentOf(node).ifPresent(trustedNodes::add);
node.allocation().ifPresent(allocation -> {
- trustedNodes.addAll(TrustedNode.of(allNodes.owner(allocation.owner())));
+ trustedNodes.addAll(allNodes.owner(allocation.owner()).asList());
loadBalancers.list(allocation.owner()).asList()
.stream()
.map(LoadBalancer::instance)
@@ -63,76 +77,57 @@ public record NodeAcl(Node node,
});
switch (node.type()) {
- case tenant -> {
+ case tenant:
// Tenant nodes in other states than ready, trust:
// - config servers
// - proxy nodes
// - parents of the nodes in the same application: If some nodes are on a different IP version
// or only a subset of them are dual-stacked, the communication between the nodes may be NAT-ed
// via parent's IP address
- trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.config)));
- trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.proxy)));
- node.allocation().ifPresent(allocation -> trustedNodes.addAll(TrustedNode.of(allNodes.parentsOf(allNodes.owner(allocation.owner())))));
+ trustedNodes.addAll(allNodes.nodeType(NodeType.config).asList());
+ trustedNodes.addAll(allNodes.nodeType(NodeType.proxy).asList());
+ node.allocation().ifPresent(allocation ->
+ trustedNodes.addAll(allNodes.parentsOf(allNodes.owner(allocation.owner())).asList()));
+
if (node.state() == Node.State.ready) {
// Tenant nodes in state ready, trust:
// - All tenant nodes in zone. When a ready node is allocated to an application there's a brief
// window where current ACLs have not yet been applied on the node. To avoid service disruption
// during this window, ready tenant nodes trust all other tenant nodes
- trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.tenant)));
+ trustedNodes.addAll(allNodes.nodeType(NodeType.tenant).asList());
}
- }
- case config -> {
+ break;
+
+ case config:
// Config servers trust:
- // - port 19070 (RPC) from all tenant nodes
- // - port 19070 (RPC) from all proxy nodes
+ // - all nodes
// - port 4443 from the world
- trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.tenant), RPC_PORTS));
- trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.proxy), RPC_PORTS));
+ trustedNodes.addAll(allNodes.asList());
trustedPorts.add(4443);
- }
- case proxy -> {
+ break;
+
+ case proxy:
// Proxy nodes trust:
// - config servers
// - all connections from the world on 443 (production traffic) and 4443 (health checks)
- trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.config)));
+ trustedNodes.addAll(allNodes.nodeType(NodeType.config).asList());
trustedPorts.add(443);
trustedPorts.add(4443);
- }
- case controller -> {
+ break;
+
+ case controller:
// Controllers:
// - port 4443 (HTTPS + Athenz) from the world
// - port 443 (HTTPS + Okta) from the world
trustedPorts.add(4443);
trustedPorts.add(443);
- }
- default -> throw new IllegalArgumentException("Don't know how to create ACL for " + node +
- " of type " + node.type());
- }
- return new NodeAcl(node, trustedNodes, trustedNetworks, trustedPorts);
- }
-
- public record TrustedNode(String hostname, NodeType type, Set<String> ipAddresses, Set<Integer> ports) {
-
- /** Trust given ports from node */
- public static TrustedNode of(Node node, Set<Integer> ports) {
- return new TrustedNode(node.hostname(), node.type(), node.ipConfig().primary(), ports);
- }
+ break;
- /** Trust all ports from given node */
- public static TrustedNode of(Node node) {
- return of(node, Set.of());
+ default:
+ throw new IllegalArgumentException("Don't know how to create ACL for " + node +
+ " of type " + node.type());
}
-
- public static List<TrustedNode> of(Iterable<Node> nodes, Set<Integer> ports) {
- return StreamSupport.stream(nodes.spliterator(), false)
- .map(node -> TrustedNode.of(node, ports))
- .toList();
- }
-
- public static List<TrustedNode> of(Iterable<Node> nodes) {
- return of(nodes, Set.of());
- }
-
+ return new NodeAcl(node, trustedNodes, trustedNetworks, trustedPorts);
}
}
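Review bot: The `config` case now adds `allNodes.asList()` wholesale, so a config server trusts every node in the repository on every port, whereas the removed lines limited this to port 19070 from tenant and proxy nodes; the replacement comment `// - all nodes` does not say why the broader grant is needed. If `allNodes` is the unfiltered repository list, it presumably also includes nodes of every type and lifecycle state (for example failed or parked hosts), which is a wider trust boundary than the rest of this switch grants to any other node type; that inference should be confirmed against `NodeList`. At minimum the comment should record the reason, e.g. `// - all nodes on all ports (broader than 19070/RPC because <reason>)`, so the next reader does not take it for an accident; if a narrower set is sufficient, filtering by `nodeType` as the other cases do keeps least privilege. The enclosing method `from` starts in an earlier hunk.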