// This tests the authorization of ACLs used for unreserve
// operations on dynamically reserved resources.
TYPED_TEST(AuthorizationTest, Unreserve)
{
ACLs acls;
// "foo" principal can unreserve its own resources.
mesos::ACL::UnreserveResources* acl1 = acls.add_unreserve_resources();
acl1->mutable_principals()->add_values("foo");
acl1->mutable_reserver_principals()->add_values("foo");
// "bar" principal cannot unreserve anyone's resources.
mesos::ACL::UnreserveResources* acl2 = acls.add_unreserve_resources();
acl2->mutable_principals()->add_values("bar");
acl2->mutable_reserver_principals()->set_type(mesos::ACL::Entity::NONE);
// "ops" principal can unreserve anyone's resources.
mesos::ACL::UnreserveResources* acl3 = acls.add_unreserve_resources();
acl3->mutable_principals()->add_values("ops");
acl3->mutable_reserver_principals()->set_type(mesos::ACL::Entity::ANY);
// No other principals can unreserve resources.
mesos::ACL::UnreserveResources* acl4 = acls.add_unreserve_resources();
acl4->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
acl4->mutable_reserver_principals()->set_type(mesos::ACL::Entity::NONE);
// Create an `Authorizer` with the ACLs.
Try<Authorizer*> create = TypeParam::create();
ASSERT_SOME(create);
Owned<Authorizer> authorizer(create.get());
Try<Nothing> initialized = authorizer.get()->initialize(acls);
ASSERT_SOME(initialized);
// Principal "foo" can unreserve its own resources.
mesos::ACL::UnreserveResources request1;
request1.mutable_principals()->add_values("foo");
request1.mutable_reserver_principals()->add_values("foo");
AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request1));
// Principal "bar" cannot unreserve anyone's
// resources, so requests 2 and 3 will fail.
mesos::ACL::UnreserveResources request2;
request2.mutable_principals()->add_values("bar");
request2.mutable_reserver_principals()->add_values("foo");
AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request2));
mesos::ACL::UnreserveResources request3;
request3.mutable_principals()->add_values("bar");
request3.mutable_reserver_principals()->add_values("bar");
AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request3));
// Principal "ops" can unreserve anyone's resources,
// so requests 4 and 5 will succeed.
mesos::ACL::UnreserveResources request4;
request4.mutable_principals()->add_values("ops");
request4.mutable_reserver_principals()->add_values("foo");
AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request4));
mesos::ACL::UnreserveResources request5;
request5.mutable_principals()->add_values("ops");
request5.mutable_reserver_principals()->add_values("foo");
request5.mutable_reserver_principals()->add_values("bar");
request5.mutable_reserver_principals()->add_values("ops");
AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request5));
// Principal "zelda" is not mentioned in the ACLs of the Authorizer, so it
// will be caught by the final ACL, which provides a default case that denies
// access for all other principals. This case will fail.
mesos::ACL::UnreserveResources request6;
request6.mutable_principals()->add_values("zelda");
request6.mutable_reserver_principals()->add_values("foo");
AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request6));
}
// This tests the authorization of ACLs used for unreserve
// operations on dynamically reserved resources.
TYPED_TEST(AuthorizationTest, Unreserve)
{
ACLs acls;
{
// "foo" principal can unreserve its own resources.
mesos::ACL::UnreserveResources* acl = acls.add_unreserve_resources();
acl->mutable_principals()->add_values("foo");
acl->mutable_reserver_principals()->add_values("foo");
}
{
// "bar" principal cannot unreserve anyone's resources.
mesos::ACL::UnreserveResources* acl = acls.add_unreserve_resources();
acl->mutable_principals()->add_values("bar");
acl->mutable_reserver_principals()->set_type(mesos::ACL::Entity::NONE);
}
{
// "ops" principal can unreserve anyone's resources.
mesos::ACL::UnreserveResources* acl = acls.add_unreserve_resources();
acl->mutable_principals()->add_values("ops");
acl->mutable_reserver_principals()->set_type(mesos::ACL::Entity::ANY);
}
{
// No other principals can unreserve resources.
mesos::ACL::UnreserveResources* acl = acls.add_unreserve_resources();
acl->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
acl->mutable_reserver_principals()->set_type(mesos::ACL::Entity::NONE);
}
// Create an `Authorizer` with the ACLs.
Try<Authorizer*> create = TypeParam::create(parameterize(acls));
ASSERT_SOME(create);
Owned<Authorizer> authorizer(create.get());
// Principal "foo" can unreserve its own resources.
{
authorization::Request request;
request.set_action(authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL);
request.mutable_subject()->set_value("foo");
request.mutable_object()->set_value("foo");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
// Principal "bar" cannot unreserve anyone's
// resources, so requests 2 and 3 will fail.
{
authorization::Request request;
request.set_action(authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL);
request.mutable_subject()->set_value("bar");
request.mutable_object()->set_value("foo");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
{
authorization::Request request;
request.set_action(authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL);
request.mutable_subject()->set_value("bar");
request.mutable_object()->set_value("bar");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
// Principal "ops" can unreserve anyone's resources,
// so requests 4 and 5 will succeed.
{
authorization::Request request;
request.set_action(authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL);
request.mutable_subject()->set_value("ops");
request.mutable_object()->set_value("foo");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
{
authorization::Request request;
request.set_action(authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL);
request.mutable_subject()->set_value("ops");
request.mutable_object()->set_value("foo");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
{
authorization::Request request;
request.set_action(authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL);
request.mutable_subject()->set_value("ops");
request.mutable_object()->set_value("bar");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
{
authorization::Request request;
request.set_action(authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL);
request.mutable_subject()->set_value("ops");
request.mutable_object()->set_value("ops");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
// Principal "zelda" is not mentioned in the ACLs of the Authorizer, so it
// will be caught by the final ACL, which provides a default case that denies
// access for all other principals. This case will fail.
{
authorization::Request request;
request.set_action(authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL);
request.mutable_subject()->set_value("zelda");
request.mutable_object()->set_value("foo");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
}
