// Tests the authorization of ACLs used for dynamic reservation of resources. TYPED_TEST(AuthorizationTest, Reserve) { ACLs acls; // Principals "foo" and "bar" can reserve resources for any role. mesos::ACL::ReserveResources* acl1 = acls.add_reserve_resources(); acl1->mutable_principals()->add_values("foo"); acl1->mutable_principals()->add_values("bar"); acl1->mutable_roles()->set_type(mesos::ACL::Entity::ANY); // Principal "baz" can only reserve resources for the "ads" role. mesos::ACL::ReserveResources* acl2 = acls.add_reserve_resources(); acl2->mutable_principals()->add_values("baz"); acl2->mutable_roles()->add_values("ads"); // No other principals can reserve resources. mesos::ACL::ReserveResources* acl3 = acls.add_reserve_resources(); acl3->mutable_principals()->set_type(mesos::ACL::Entity::ANY); acl3->mutable_roles()->set_type(mesos::ACL::Entity::NONE); // Create an `Authorizer` with the ACLs. Try<Authorizer*> create = TypeParam::create(); ASSERT_SOME(create); Owned<Authorizer> authorizer(create.get()); Try<Nothing> initialized = authorizer.get()->initialize(acls); ASSERT_SOME(initialized); // Principals "foo" and "bar" can reserve resources for any role, // so requests 1 and 2 will pass. mesos::ACL::ReserveResources request1; request1.mutable_principals()->add_values("foo"); request1.mutable_principals()->add_values("bar"); request1.mutable_roles()->set_type(mesos::ACL::Entity::ANY); AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request1)); mesos::ACL::ReserveResources request2; request2.mutable_principals()->add_values("foo"); request2.mutable_principals()->add_values("bar"); request2.mutable_roles()->add_values("awesome_role"); AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request2)); // Principal "baz" can only reserve resources for the "ads" role, so request 3 // will pass, but requests 4 and 5 will fail. mesos::ACL::ReserveResources request3; request3.mutable_principals()->add_values("baz"); request3.mutable_roles()->add_values("ads"); AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request3)); mesos::ACL::ReserveResources request4; request4.mutable_principals()->add_values("baz"); request4.mutable_roles()->add_values("awesome_role"); AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request4)); mesos::ACL::ReserveResources request5; request5.mutable_principals()->add_values("baz"); request5.mutable_roles()->set_type(mesos::ACL::Entity::ANY); AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request5)); // Principal "zelda" is not mentioned in the ACLs of the Authorizer, so it // will be caught by the final ACL, which provides a default case that denies // access for all other principals. This request will fail. mesos::ACL::ReserveResources request6; request6.mutable_principals()->add_values("zelda"); request6.mutable_roles()->add_values("ads"); AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request6)); }
// Tests the authorization of ACLs used for dynamic reservation of resources. TYPED_TEST(AuthorizationTest, Reserve) { ACLs acls; { // Principals "foo" and "bar" can reserve resources for any role. mesos::ACL::ReserveResources* acl = acls.add_reserve_resources(); acl->mutable_principals()->add_values("foo"); acl->mutable_principals()->add_values("bar"); acl->mutable_roles()->set_type(mesos::ACL::Entity::ANY); } { // Principal "baz" can only reserve resources for the "ads" role. mesos::ACL::ReserveResources* acl = acls.add_reserve_resources(); acl->mutable_principals()->add_values("baz"); acl->mutable_roles()->add_values("ads"); } { // No other principals can reserve resources. mesos::ACL::ReserveResources* acl = acls.add_reserve_resources(); acl->mutable_principals()->set_type(mesos::ACL::Entity::ANY); acl->mutable_roles()->set_type(mesos::ACL::Entity::NONE); } // Create an `Authorizer` with the ACLs. Try<Authorizer*> create = TypeParam::create(parameterize(acls)); ASSERT_SOME(create); Owned<Authorizer> authorizer(create.get()); // Principals "foo" and "bar" can reserve resources for any role, // so requests 1 and 2 will pass. { authorization::Request request; request.set_action(authorization::RESERVE_RESOURCES_WITH_ROLE); request.mutable_subject()->set_value("foo"); request.mutable_subject()->set_value("bar"); AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request)); } { authorization::Request request; request.set_action(authorization::RESERVE_RESOURCES_WITH_ROLE); request.mutable_subject()->set_value("foo"); request.mutable_object()->set_value("awesome_role"); AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request)); } { authorization::Request request; request.set_action(authorization::RESERVE_RESOURCES_WITH_ROLE); request.mutable_subject()->set_value("bar"); request.mutable_object()->set_value("awesome_role"); AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request)); } // Principal "baz" can only reserve resources for the "ads" role, so request 3 // will pass, but requests 4 and 5 will fail. { authorization::Request request; request.set_action(authorization::RESERVE_RESOURCES_WITH_ROLE); request.mutable_subject()->set_value("baz"); request.mutable_object()->set_value("ads"); AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request)); } { authorization::Request request; request.set_action(authorization::RESERVE_RESOURCES_WITH_ROLE); request.mutable_subject()->set_value("baz"); request.mutable_object()->set_value("awesome_role"); AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request)); } { authorization::Request request; request.set_action(authorization::RESERVE_RESOURCES_WITH_ROLE); request.mutable_subject()->set_value("baz"); AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request)); } // Principal "zelda" is not mentioned in the ACLs of the Authorizer, so it // will be caught by the final ACL, which provides a default case that denies // access for all other principals. This request will fail. { authorization::Request request; request.set_action(authorization::RESERVE_RESOURCES_WITH_ROLE); request.mutable_subject()->set_value("zelda"); request.mutable_object()->set_value("ads"); AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request)); } }