// Tests the authorization of ACLs used for the creation of persistent volumes.
TYPED_TEST(AuthorizationTest, CreateVolume)
{
ACLs acls;
// Principal "foo" can create volumes for any role.
mesos::ACL::CreateVolume* acl1 = acls.add_create_volumes();
acl1->mutable_principals()->add_values("foo");
acl1->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
// Principal "bar" can only create volumes for the "panda" role.
mesos::ACL::CreateVolume* acl2 = acls.add_create_volumes();
acl2->mutable_principals()->add_values("bar");
acl2->mutable_roles()->add_values("panda");
// Principal "baz" cannot create volumes.
mesos::ACL::CreateVolume* acl3 = acls.add_create_volumes();
acl3->mutable_principals()->add_values("baz");
acl3->mutable_roles()->set_type(mesos::ACL::Entity::NONE);
// No other principals can create volumes.
mesos::ACL::CreateVolume* acl4 = acls.add_create_volumes();
acl4->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
acl4->mutable_roles()->set_type(mesos::ACL::Entity::NONE);
// Create an Authorizer with the ACLs.
Try<Authorizer*> create = TypeParam::create();
ASSERT_SOME(create);
Owned<Authorizer> authorizer(create.get());
Try<Nothing> initialized = authorizer.get()->initialize(acls);
ASSERT_SOME(initialized);
// Principal "foo" can create volumes for any role, so this request will pass.
mesos::ACL::CreateVolume request1;
request1.mutable_principals()->add_values("foo");
request1.mutable_roles()->add_values("awesome_role");
AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request1));
// Principal "bar" can create volumes for the "panda" role,
// so this request will pass.
mesos::ACL::CreateVolume request2;
request2.mutable_principals()->add_values("bar");
request2.mutable_roles()->add_values("panda");
AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request2));
// Principal "bar" cannot create volumes for the "giraffe" role,
// so this request will fail.
mesos::ACL::CreateVolume request3;
request3.mutable_principals()->add_values("bar");
request3.mutable_roles()->add_values("giraffe");
AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request3));
// Principal "baz" cannot create volumes for any role,
// so this request will fail.
mesos::ACL::CreateVolume request4;
request4.mutable_principals()->add_values("baz");
request4.mutable_roles()->add_values("panda");
AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request4));
// Principal "zelda" is not mentioned in the ACLs of the Authorizer, so it
// will be caught by the final ACL, which provides a default case that denies
// access for all other principals. This request will fail.
mesos::ACL::CreateVolume request5;
request5.mutable_principals()->add_values("zelda");
request5.mutable_roles()->add_values("panda");
AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request5));
}
// Tests the authorization of ACLs used for the creation of persistent volumes.
TYPED_TEST(AuthorizationTest, CreateVolume)
{
ACLs acls;
{
// Principal "foo" can create volumes for any role.
mesos::ACL::CreateVolume* acl = acls.add_create_volumes();
acl->mutable_principals()->add_values("foo");
acl->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
}
{
// Principal "bar" can only create volumes for the "panda" role.
mesos::ACL::CreateVolume* acl = acls.add_create_volumes();
acl->mutable_principals()->add_values("bar");
acl->mutable_roles()->add_values("panda");
}
{
// Principal "baz" cannot create volumes.
mesos::ACL::CreateVolume* acl = acls.add_create_volumes();
acl->mutable_principals()->add_values("baz");
acl->mutable_roles()->set_type(mesos::ACL::Entity::NONE);
}
{
// No other principals can create volumes.
mesos::ACL::CreateVolume* acl = acls.add_create_volumes();
acl->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
acl->mutable_roles()->set_type(mesos::ACL::Entity::NONE);
}
// Create an `Authorizer` with the ACLs.
Try<Authorizer*> create = TypeParam::create(parameterize(acls));
ASSERT_SOME(create);
Owned<Authorizer> authorizer(create.get());
// Principal "foo" can create volumes for any role, so this request will pass.
{
authorization::Request request;
request.set_action(authorization::CREATE_VOLUME_WITH_ROLE);
request.mutable_subject()->set_value("foo");
request.mutable_object()->set_value("awesome_role");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
// Principal "bar" can create volumes for the "panda" role,
// so this request will pass.
{
authorization::Request request;
request.set_action(authorization::CREATE_VOLUME_WITH_ROLE);
request.mutable_subject()->set_value("bar");
request.mutable_object()->set_value("panda");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
// Principal "bar" cannot create volumes for the "giraffe" role,
// so this request will fail.
{
authorization::Request request;
request.set_action(authorization::CREATE_VOLUME_WITH_ROLE);
request.mutable_subject()->set_value("bar");
request.mutable_object()->set_value("giraffe");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
// Principal "baz" cannot create volumes for any role,
// so this request will fail.
{
authorization::Request request;
request.set_action(authorization::CREATE_VOLUME_WITH_ROLE);
request.mutable_subject()->set_value("baz");
request.mutable_object()->set_value("panda");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
// Principal "zelda" is not mentioned in the ACLs of the Authorizer, so it
// will be caught by the final ACL, which provides a default case that denies
// access for all other principals. This request will fail.
{
authorization::Request request;
request.set_action(authorization::CREATE_VOLUME_WITH_ROLE);
request.mutable_subject()->set_value("zelda");
request.mutable_object()->set_value("panda");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
}
