// This tests that update_quotas and set_quotas/remove_quotas // cannot be used together. // TODO(zhitao): Remove this test case at the end of the deprecation // cycle started with 0.29. TYPED_TEST(AuthorizationTest, ConflictQuotaACLs) { { ACLs acls; { // Add an UpdateQuota ACL. mesos::ACL::UpdateQuota* acl = acls.add_update_quotas(); acl->mutable_principals()->add_values("foo"); acl->mutable_roles()->set_type(mesos::ACL::Entity::ANY); } { // Add a SetQuota ACL. mesos::ACL::SetQuota* acl = acls.add_set_quotas(); acl->mutable_principals()->add_values("foo"); acl->mutable_roles()->set_type(mesos::ACL::Entity::ANY); } // Create an `Authorizer` with the ACLs should error out. Try<Authorizer*> create = TypeParam::create(parameterize(acls)); ASSERT_ERROR(create); } { ACLs acls; { // Add an UpdateQuota ACL. mesos::ACL::UpdateQuota* acl = acls.add_update_quotas(); acl->mutable_principals()->add_values("foo"); acl->mutable_roles()->set_type(mesos::ACL::Entity::ANY); } { // Add a RemoveQuota ACL. mesos::ACL::RemoveQuota* acl = acls.add_remove_quotas(); acl->mutable_principals()->add_values("foo"); acl->mutable_quota_principals()->set_type(mesos::ACL::Entity::ANY); } // Create an `Authorizer` with the ACLs should error out. Try<Authorizer*> create = TypeParam::create(parameterize(acls)); ASSERT_ERROR(create); } }
// This tests the authorization of requests to remove quotas.
//
// ACL layout: a grant for "foo" limited to its own quotas, an explicit deny
// for "bar", an unrestricted grant for "ops", and a final catch-all deny so
// that any principal not named above is refused.
TYPED_TEST(AuthorizationTest, RemoveQuota)
{
  ACLs acls;

  {
    // "foo" may remove only its own quotas.
    mesos::ACL::RemoveQuota* fooAcl = acls.add_remove_quotas();
    fooAcl->mutable_principals()->add_values("foo");
    fooAcl->mutable_quota_principals()->add_values("foo");
  }

  {
    // "bar" may not remove anyone's quotas.
    mesos::ACL::RemoveQuota* barAcl = acls.add_remove_quotas();
    barAcl->mutable_principals()->add_values("bar");
    barAcl->mutable_quota_principals()->set_type(mesos::ACL::Entity::NONE);
  }

  {
    // "ops" may remove anyone's quotas.
    mesos::ACL::RemoveQuota* opsAcl = acls.add_remove_quotas();
    opsAcl->mutable_principals()->add_values("ops");
    opsAcl->mutable_quota_principals()->set_type(mesos::ACL::Entity::ANY);
  }

  {
    // Default rule: nobody else may remove quotas.
    mesos::ACL::RemoveQuota* denyAll = acls.add_remove_quotas();
    denyAll->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
    denyAll->mutable_quota_principals()->set_type(mesos::ACL::Entity::NONE);
  }

  // Create the `Authorizer` first, then hand it the ACLs.
  Try<Authorizer*> created = TypeParam::create();
  ASSERT_SOME(created);

  Owned<Authorizer> authorizer(created.get());

  Try<Nothing> initialized = authorizer.get()->initialize(acls);
  ASSERT_SOME(initialized);

  // "foo" removing its own quotas: allowed by the first rule.
  {
    mesos::ACL::RemoveQuota request;
    request.mutable_principals()->add_values("foo");
    request.mutable_quota_principals()->add_values("foo");
    AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request));
  }

  // "bar" removing its own quotas: denied by its explicit NONE rule.
  {
    mesos::ACL::RemoveQuota request;
    request.mutable_principals()->add_values("bar");
    request.mutable_quota_principals()->add_values("bar");
    AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request));
  }

  // "bar" removing "foo"'s quotas: denied as well.
  {
    mesos::ACL::RemoveQuota request;
    request.mutable_principals()->add_values("bar");
    request.mutable_quota_principals()->add_values("foo");
    AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request));
  }

  // "ops" removing "foo"'s quotas: allowed by the ANY grant.
  {
    mesos::ACL::RemoveQuota request;
    request.mutable_principals()->add_values("ops");
    request.mutable_quota_principals()->add_values("foo");
    AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request));
  }

  // "ops" removing anyone's quotas (ANY wildcard in the request): allowed.
  {
    mesos::ACL::RemoveQuota request;
    request.mutable_principals()->add_values("ops");
    request.mutable_quota_principals()->set_type(mesos::ACL::Entity::ANY);
    AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request));
  }

  // "jeff" appears in no ACL, so only the catch-all rule applies to it and
  // that rule denies access to every principal not listed earlier.
  {
    mesos::ACL::RemoveQuota request;
    request.mutable_principals()->add_values("jeff");
    request.mutable_quota_principals()->add_values("foo");
    AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request));
  }
}
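// This tests the authorization of requests to remove quotas.
//
// The ACLs give "foo" a grant scoped to its own quotas, explicitly deny
// "bar", grant "ops" everything and close with a catch-all deny. Besides the
// plain allow/deny cases, the test checks that a principal holding a scoped
// grant cannot reach past it ("foo" removing "bar"'s quota) -- the scope
// escalation an authorizer must never let through.
//
// TODO(zhitao): Remove this test case at the end of the deprecation
// cycle started with 0.29.
TYPED_TEST(AuthorizationTest, RemoveQuota)
{
  ACLs acls;

  {
    // "foo" principal can remove its own quotas.
    mesos::ACL::RemoveQuota* acl = acls.add_remove_quotas();
    acl->mutable_principals()->add_values("foo");
    acl->mutable_quota_principals()->add_values("foo");
  }

  {
    // "bar" principal cannot remove anyone's quotas.
    mesos::ACL::RemoveQuota* acl = acls.add_remove_quotas();
    acl->mutable_principals()->add_values("bar");
    acl->mutable_quota_principals()->set_type(mesos::ACL::Entity::NONE);
  }

  {
    // "ops" principal can remove anyone's quotas.
    mesos::ACL::RemoveQuota* acl = acls.add_remove_quotas();
    acl->mutable_principals()->add_values("ops");
    acl->mutable_quota_principals()->set_type(mesos::ACL::Entity::ANY);
  }

  {
    // No other principals can remove quotas.
    mesos::ACL::RemoveQuota* acl = acls.add_remove_quotas();
    acl->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
    acl->mutable_quota_principals()->set_type(mesos::ACL::Entity::NONE);
  }

  // Create an `Authorizer` with the ACLs.
  Try<Authorizer*> create = TypeParam::create(parameterize(acls));
  ASSERT_SOME(create);

  Owned<Authorizer> authorizer(create.get());

  // Principal "foo" can remove its own quotas, so this request passes.
  {
    authorization::Request request;
    request.set_action(authorization::DESTROY_QUOTA_WITH_PRINCIPAL);
    request.mutable_subject()->set_value("foo");
    request.mutable_object()->set_value("foo");
    AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
  }

  // Principal "foo" is granted only its *own* quotas: no ACL gives it any
  // access to "bar"'s quota, so this request must be denied.
  {
    authorization::Request request;
    request.set_action(authorization::DESTROY_QUOTA_WITH_PRINCIPAL);
    request.mutable_subject()->set_value("foo");
    request.mutable_object()->set_value("bar");
    AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
  }

  // Principal "bar" cannot remove anyone's quotas, not even its own, so the
  // next two requests fail.
  {
    authorization::Request request;
    request.set_action(authorization::DESTROY_QUOTA_WITH_PRINCIPAL);
    request.mutable_subject()->set_value("bar");
    request.mutable_object()->set_value("bar");
    AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
  }

  {
    authorization::Request request;
    request.set_action(authorization::DESTROY_QUOTA_WITH_PRINCIPAL);
    request.mutable_subject()->set_value("bar");
    request.mutable_object()->set_value("foo");
    AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
  }

  // Principal "ops" can remove anyone's quotas, so the next two requests
  // pass. The second one sets no object, i.e. it asks about removing quotas
  // without naming a particular principal; the ANY grant covers it.
  {
    authorization::Request request;
    request.set_action(authorization::DESTROY_QUOTA_WITH_PRINCIPAL);
    request.mutable_subject()->set_value("ops");
    request.mutable_object()->set_value("foo");
    AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
  }

  {
    authorization::Request request;
    request.set_action(authorization::DESTROY_QUOTA_WITH_PRINCIPAL);
    request.mutable_subject()->set_value("ops");
    AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
  }

  // Principal "jeff" is not mentioned in the ACLs of the `Authorizer`, so it
  // will be caught by the final rule, which provides a default case that
  // denies access for all other principals. This request fails.
  {
    authorization::Request request;
    request.set_action(authorization::DESTROY_QUOTA_WITH_PRINCIPAL);
    request.mutable_subject()->set_value("jeff");
    request.mutable_object()->set_value("foo");
    AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
  }
}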