From db30b6bbb4cbf946036bdcb6685379b7345c1450 Mon Sep 17 00:00:00 2001 From: Tor Brede Vekterli Date: Tue, 23 Aug 2022 11:22:15 +0000 Subject: Add capability filter to cluster controller API RPCs on content nodes --- .../rpc/cluster_controller_api_rpc_service.cpp | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'storage') diff --git a/storage/src/vespa/storage/storageserver/rpc/cluster_controller_api_rpc_service.cpp b/storage/src/vespa/storage/storageserver/rpc/cluster_controller_api_rpc_service.cpp index be0239c1370..bb69c0a8641 100644 --- a/storage/src/vespa/storage/storageserver/rpc/cluster_controller_api_rpc_service.cpp +++ b/storage/src/vespa/storage/storageserver/rpc/cluster_controller_api_rpc_service.cpp @@ -7,6 +7,7 @@ #include #include #include +#include #include #include #include @@ -32,10 +33,21 @@ void ClusterControllerApiRpcService::close() { _closed.store(true); } +namespace { + +std::unique_ptr make_cc_api_capability_filter() { + return std::make_unique(vespalib::net::tls::CapabilitySet::of({ + vespalib::net::tls::Capability::content_cluster_controller_internal_state_api() + })); +} + +} + void ClusterControllerApiRpcService::register_server_methods(SharedRpcResources& rpc_resources) { FRT_ReflectionBuilder rb(&rpc_resources.supervisor()); rb.DefineMethod("getnodestate3", "sii", "ss", FRT_METHOD(ClusterControllerApiRpcService::RPC_getNodeState2), this); + rb.RequestAccessFilter(make_cc_api_capability_filter()); rb.MethodDesc("Get state of this node"); rb.ParamDesc("nodestate", "Expected state of given node. If correct, the " "request will be queued on target until it changes. To not give " 
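Review bot: The filter is attached by hand, with a separate `rb.RequestAccessFilter(make_cc_api_capability_filter());` after each `DefineMethod`, so a method registered here later without that line would be served with no capability check and nothing would flag it at build time or startup. The same pattern repeats in the hunks at -45 and -53. Consider folding the two calls into one local helper that defines and filters a method in a single step, or at least add a comment at the top of `register_server_methods`, e.g. `// Every DefineMethod below must be followed by RequestAccessFilter(make_cc_api_capability_filter()).` `make_cc_api_capability_filter` would also benefit from a one-line comment naming the capability it requires and stating how the filter treats a peer that presents no TLS credentials, which is not visible from this hunk. The body of `register_server_methods` continues outside the hunk.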
@@ -45,6 +57,7 @@ void ClusterControllerApiRpcService::register_server_methods(SharedRpcResources& rb.ReturnDesc("hostinfo", "Information about host this node is running on"); //------------------------------------------------------------------------- rb.DefineMethod("getnodestate2", "si", "s", FRT_METHOD(ClusterControllerApiRpcService::RPC_getNodeState2), this); + rb.RequestAccessFilter(make_cc_api_capability_filter()); rb.MethodDesc("Get state of this node"); rb.ParamDesc("nodestate", "Expected state of given node. If correct, the " "request will be queued on target until it changes. To not give " 
@@ -53,21 +66,25 @@ void ClusterControllerApiRpcService::register_server_methods(SharedRpcResources& rb.ReturnDesc("nodestate", "State string for this node"); //------------------------------------------------------------------------- rb.DefineMethod("setsystemstate2", "s", "", FRT_METHOD(ClusterControllerApiRpcService::RPC_setSystemState2), this); + rb.RequestAccessFilter(make_cc_api_capability_filter()); rb.MethodDesc("Set systemstate on this node"); rb.ParamDesc("systemstate", "New systemstate to set"); //------------------------------------------------------------------------- rb.DefineMethod("setdistributionstates", "bix", "", FRT_METHOD(ClusterControllerApiRpcService::RPC_setDistributionStates), this); + rb.RequestAccessFilter(make_cc_api_capability_filter()); rb.MethodDesc("Set distribution states for cluster and bucket spaces"); rb.ParamDesc("compressionType", "Compression type for payload"); rb.ParamDesc("uncompressedSize", "Uncompressed size for payload"); rb.ParamDesc("payload", "Binary Slime format payload"); //------------------------------------------------------------------------- rb.DefineMethod("activate_cluster_state_version", "i", "i", FRT_METHOD(ClusterControllerApiRpcService::RPC_activateClusterStateVersion), this); + rb.RequestAccessFilter(make_cc_api_capability_filter()); rb.MethodDesc("Explicitly activates an already prepared cluster state version"); rb.ParamDesc("activate_version", "Expected cluster state version to activate"); rb.ReturnDesc("actual_version", "Cluster state version that was prepared on the node prior to receiving RPC"); //------------------------------------------------------------------------- rb.DefineMethod("getcurrenttime", "", "lis", FRT_METHOD(ClusterControllerApiRpcService::RPC_getCurrentTime), this); + rb.RequestAccessFilter(make_cc_api_capability_filter()); rb.MethodDesc("Get current time on this node"); rb.ReturnDesc("seconds", "Current time in seconds since epoch"); rb.ReturnDesc("nanoseconds", "additional 
nanoseconds since epoch"); -- cgit v1.2.3
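Review bot: The three state-mutating RPCs in this hunk (`setsystemstate2`, `setdistributionstates`, `activate_cluster_state_version`) gain their filter with no test in this commit covering the rejection path; the diffstat lists only this one file. A test that invokes each method as a peer lacking `content_cluster_controller_internal_state_api` and asserts that the handler is never entered would catch a dropped or misplaced filter line. `getcurrenttime` is read-only yet gated by the same capability as the setters; if that is deliberate, a short comment such as `// All CC API methods share one capability; only the cluster controller is expected to call them.` would record the decision. The function may continue past the end of the hunk.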