// This tests that update_quotas and set_quotas/remove_quotas
// cannot be used together.
// TODO(zhitao): Remove this test case at the end of the deprecation
// cycle started with 0.29.
TYPED_TEST(AuthorizationTest, ConflictQuotaACLs) {
{
ACLs acls;
{
// Add an UpdateQuota ACL.
mesos::ACL::UpdateQuota* acl = acls.add_update_quotas();
acl->mutable_principals()->add_values("foo");
acl->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
}
{
// Add a SetQuota ACL.
mesos::ACL::SetQuota* acl = acls.add_set_quotas();
acl->mutable_principals()->add_values("foo");
acl->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
}
// Create an `Authorizer` with the ACLs should error out.
Try<Authorizer*> create = TypeParam::create(parameterize(acls));
ASSERT_ERROR(create);
}
{
ACLs acls;
{
// Add an UpdateQuota ACL.
mesos::ACL::UpdateQuota* acl = acls.add_update_quotas();
acl->mutable_principals()->add_values("foo");
acl->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
}
{
// Add a RemoveQuota ACL.
mesos::ACL::RemoveQuota* acl = acls.add_remove_quotas();
acl->mutable_principals()->add_values("foo");
acl->mutable_quota_principals()->set_type(mesos::ACL::Entity::ANY);
}
// Create an `Authorizer` with the ACLs should error out.
Try<Authorizer*> create = TypeParam::create(parameterize(acls));
ASSERT_ERROR(create);
}
}
// This tests the authorization of requests to remove quotas.
TYPED_TEST(AuthorizationTest, RemoveQuota)
{
ACLs acls;
// "foo" principal can remove its own quotas.
mesos::ACL::RemoveQuota* acl1 = acls.add_remove_quotas();
acl1->mutable_principals()->add_values("foo");
acl1->mutable_quota_principals()->add_values("foo");
// "bar" principal cannot remove anyone's quotas.
mesos::ACL::RemoveQuota* acl2 = acls.add_remove_quotas();
acl2->mutable_principals()->add_values("bar");
acl2->mutable_quota_principals()->set_type(mesos::ACL::Entity::NONE);
// "ops" principal can remove anyone's quotas.
mesos::ACL::RemoveQuota* acl3 = acls.add_remove_quotas();
acl3->mutable_principals()->add_values("ops");
acl3->mutable_quota_principals()->set_type(mesos::ACL::Entity::ANY);
// No other principals can remove quotas.
mesos::ACL::RemoveQuota* acl4 = acls.add_remove_quotas();
acl4->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
acl4->mutable_quota_principals()->set_type(mesos::ACL::Entity::NONE);
// Create an `Authorizer` with the ACLs.
Try<Authorizer*> create = TypeParam::create();
ASSERT_SOME(create);
Owned<Authorizer> authorizer(create.get());
Try<Nothing> initialized = authorizer.get()->initialize(acls);
ASSERT_SOME(initialized);
// Principal "foo" can remove its own quotas, so request 1 will pass.
mesos::ACL::RemoveQuota request1;
request1.mutable_principals()->add_values("foo");
request1.mutable_quota_principals()->add_values("foo");
AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request1));
// Principal "bar" cannot remove anyone's quotas, so requests 2 and 3 will
// fail.
mesos::ACL::RemoveQuota request2;
request2.mutable_principals()->add_values("bar");
request2.mutable_quota_principals()->add_values("bar");
AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request2));
mesos::ACL::RemoveQuota request3;
request3.mutable_principals()->add_values("bar");
request3.mutable_quota_principals()->add_values("foo");
AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request3));
// Principal "ops" can remove anyone's quotas, so requests 4 and 5 will pass.
mesos::ACL::RemoveQuota request4;
request4.mutable_principals()->add_values("ops");
request4.mutable_quota_principals()->add_values("foo");
AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request4));
mesos::ACL::RemoveQuota request5;
request5.mutable_principals()->add_values("ops");
request5.mutable_quota_principals()->set_type(mesos::ACL::Entity::ANY);
AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request5));
// Principal "jeff" is not mentioned in the ACLs of the `Authorizer`, so it
// will be caught by the final rule, which provides a default case that denies
// access for all other principals. This case will fail.
mesos::ACL::RemoveQuota request6;
request6.mutable_principals()->add_values("jeff");
request6.mutable_quota_principals()->add_values("foo");
AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request6));
}
// This tests the authorization of requests to remove quotas.
// TODO(zhitao): Remove this test case at the end of the deprecation
// cycle started with 0.29.
TYPED_TEST(AuthorizationTest, RemoveQuota)
{
ACLs acls;
{
// "foo" principal can remove its own quotas.
mesos::ACL::RemoveQuota* acl = acls.add_remove_quotas();
acl->mutable_principals()->add_values("foo");
acl->mutable_quota_principals()->add_values("foo");
}
{
// "bar" principal cannot remove anyone's quotas.
mesos::ACL::RemoveQuota* acl = acls.add_remove_quotas();
acl->mutable_principals()->add_values("bar");
acl->mutable_quota_principals()->set_type(mesos::ACL::Entity::NONE);
}
{
// "ops" principal can remove anyone's quotas.
mesos::ACL::RemoveQuota* acl = acls.add_remove_quotas();
acl->mutable_principals()->add_values("ops");
acl->mutable_quota_principals()->set_type(mesos::ACL::Entity::ANY);
}
{
// No other principals can remove quotas.
mesos::ACL::RemoveQuota* acl = acls.add_remove_quotas();
acl->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
acl->mutable_quota_principals()->set_type(mesos::ACL::Entity::NONE);
}
// Create an `Authorizer` with the ACLs.
Try<Authorizer*> create = TypeParam::create(parameterize(acls));
ASSERT_SOME(create);
Owned<Authorizer> authorizer(create.get());
// Principal "foo" can remove its own quotas, so request 1 will pass.
{
authorization::Request request;
request.set_action(authorization::DESTROY_QUOTA_WITH_PRINCIPAL);
request.mutable_subject()->set_value("foo");
request.mutable_object()->set_value("foo");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
// Principal "bar" cannot remove anyone's quotas, so requests 2 and 3 will
// fail.
{
authorization::Request request;
request.set_action(authorization::DESTROY_QUOTA_WITH_PRINCIPAL);
request.mutable_subject()->set_value("bar");
request.mutable_object()->set_value("bar");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
{
authorization::Request request;
request.set_action(authorization::DESTROY_QUOTA_WITH_PRINCIPAL);
request.mutable_subject()->set_value("bar");
request.mutable_object()->set_value("foo");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
// Principal "ops" can remove anyone's quotas, so requests 4 and 5 will pass.
{
authorization::Request request;
request.set_action(authorization::DESTROY_QUOTA_WITH_PRINCIPAL);
request.mutable_subject()->set_value("ops");
request.mutable_object()->set_value("foo");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
{
authorization::Request request;
request.set_action(authorization::DESTROY_QUOTA_WITH_PRINCIPAL);
request.mutable_subject()->set_value("ops");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
// Principal "jeff" is not mentioned in the ACLs of the `Authorizer`, so it
// will be caught by the final rule, which provides a default case that denies
// access for all other principals. This case will fail.
{
authorization::Request request;
request.set_action(authorization::DESTROY_QUOTA_WITH_PRINCIPAL);
request.mutable_subject()->set_value("jeff");
request.mutable_object()->set_value("foo");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
}
