// Tests the authorization of ACLs used for dynamic reservation of resources.
TYPED_TEST(AuthorizationTest, Reserve)
{
ACLs acls;
// Principals "foo" and "bar" can reserve resources for any role.
mesos::ACL::ReserveResources* acl1 = acls.add_reserve_resources();
acl1->mutable_principals()->add_values("foo");
acl1->mutable_principals()->add_values("bar");
acl1->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
// Principal "baz" can only reserve resources for the "ads" role.
mesos::ACL::ReserveResources* acl2 = acls.add_reserve_resources();
acl2->mutable_principals()->add_values("baz");
acl2->mutable_roles()->add_values("ads");
// No other principals can reserve resources.
mesos::ACL::ReserveResources* acl3 = acls.add_reserve_resources();
acl3->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
acl3->mutable_roles()->set_type(mesos::ACL::Entity::NONE);
// Create an `Authorizer` with the ACLs.
Try<Authorizer*> create = TypeParam::create();
ASSERT_SOME(create);
Owned<Authorizer> authorizer(create.get());
Try<Nothing> initialized = authorizer.get()->initialize(acls);
ASSERT_SOME(initialized);
// Principals "foo" and "bar" can reserve resources for any role,
// so requests 1 and 2 will pass.
mesos::ACL::ReserveResources request1;
request1.mutable_principals()->add_values("foo");
request1.mutable_principals()->add_values("bar");
request1.mutable_roles()->set_type(mesos::ACL::Entity::ANY);
AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request1));
mesos::ACL::ReserveResources request2;
request2.mutable_principals()->add_values("foo");
request2.mutable_principals()->add_values("bar");
request2.mutable_roles()->add_values("awesome_role");
AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request2));
// Principal "baz" can only reserve resources for the "ads" role, so request 3
// will pass, but requests 4 and 5 will fail.
mesos::ACL::ReserveResources request3;
request3.mutable_principals()->add_values("baz");
request3.mutable_roles()->add_values("ads");
AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request3));
mesos::ACL::ReserveResources request4;
request4.mutable_principals()->add_values("baz");
request4.mutable_roles()->add_values("awesome_role");
AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request4));
mesos::ACL::ReserveResources request5;
request5.mutable_principals()->add_values("baz");
request5.mutable_roles()->set_type(mesos::ACL::Entity::ANY);
AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request5));
// Principal "zelda" is not mentioned in the ACLs of the Authorizer, so it
// will be caught by the final ACL, which provides a default case that denies
// access for all other principals. This request will fail.
mesos::ACL::ReserveResources request6;
request6.mutable_principals()->add_values("zelda");
request6.mutable_roles()->add_values("ads");
AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request6));
}
// Tests the authorization of ACLs used for dynamic reservation of resources.
TYPED_TEST(AuthorizationTest, Reserve)
{
ACLs acls;
{
// Principals "foo" and "bar" can reserve resources for any role.
mesos::ACL::ReserveResources* acl = acls.add_reserve_resources();
acl->mutable_principals()->add_values("foo");
acl->mutable_principals()->add_values("bar");
acl->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
}
{
// Principal "baz" can only reserve resources for the "ads" role.
mesos::ACL::ReserveResources* acl = acls.add_reserve_resources();
acl->mutable_principals()->add_values("baz");
acl->mutable_roles()->add_values("ads");
}
{
// No other principals can reserve resources.
mesos::ACL::ReserveResources* acl = acls.add_reserve_resources();
acl->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
acl->mutable_roles()->set_type(mesos::ACL::Entity::NONE);
}
// Create an `Authorizer` with the ACLs.
Try<Authorizer*> create = TypeParam::create(parameterize(acls));
ASSERT_SOME(create);
Owned<Authorizer> authorizer(create.get());
// Principals "foo" and "bar" can reserve resources for any role,
// so requests 1 and 2 will pass.
{
authorization::Request request;
request.set_action(authorization::RESERVE_RESOURCES_WITH_ROLE);
request.mutable_subject()->set_value("foo");
request.mutable_subject()->set_value("bar");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
{
authorization::Request request;
request.set_action(authorization::RESERVE_RESOURCES_WITH_ROLE);
request.mutable_subject()->set_value("foo");
request.mutable_object()->set_value("awesome_role");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
{
authorization::Request request;
request.set_action(authorization::RESERVE_RESOURCES_WITH_ROLE);
request.mutable_subject()->set_value("bar");
request.mutable_object()->set_value("awesome_role");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
// Principal "baz" can only reserve resources for the "ads" role, so request 3
// will pass, but requests 4 and 5 will fail.
{
authorization::Request request;
request.set_action(authorization::RESERVE_RESOURCES_WITH_ROLE);
request.mutable_subject()->set_value("baz");
request.mutable_object()->set_value("ads");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
{
authorization::Request request;
request.set_action(authorization::RESERVE_RESOURCES_WITH_ROLE);
request.mutable_subject()->set_value("baz");
request.mutable_object()->set_value("awesome_role");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
{
authorization::Request request;
request.set_action(authorization::RESERVE_RESOURCES_WITH_ROLE);
request.mutable_subject()->set_value("baz");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
// Principal "zelda" is not mentioned in the ACLs of the Authorizer, so it
// will be caught by the final ACL, which provides a default case that denies
// access for all other principals. This request will fail.
{
authorization::Request request;
request.set_action(authorization::RESERVE_RESOURCES_WITH_ROLE);
request.mutable_subject()->set_value("zelda");
request.mutable_object()->set_value("ads");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
}
