// This test verifies that only authorized principals // can access the '/flags' endpoint. TYPED_TEST(SlaveAuthorizerTest, AuthorizeFlagsEndpoint) { const string endpoint = "flags"; // Setup ACLs so that only the default principal // can access the '/flags' endpoint. ACLs acls; acls.set_permissive(false); mesos::ACL::GetEndpoint* acl = acls.add_get_endpoints(); acl->mutable_principals()->add_values(DEFAULT_CREDENTIAL.principal()); acl->mutable_paths()->add_values("/" + endpoint); // Create an `Authorizer` with the ACLs. Try<Authorizer*> create = TypeParam::create(parameterize(acls)); ASSERT_SOME(create); Owned<Authorizer> authorizer(create.get()); StandaloneMasterDetector detector; Try<Owned<cluster::Slave>> agent = this->StartSlave(&detector, authorizer.get()); ASSERT_SOME(agent); Future<Response> response = http::get( agent.get()->pid, endpoint, None(), createBasicAuthHeaders(DEFAULT_CREDENTIAL)); AWAIT_EXPECT_RESPONSE_STATUS_EQ(OK().status, response) << response.get().body; response = http::get( agent.get()->pid, endpoint, None(), createBasicAuthHeaders(DEFAULT_CREDENTIAL_2)); AWAIT_EXPECT_RESPONSE_STATUS_EQ(Forbidden().status, response) << response.get().body; }
// This test verifies that access to the '/flags' endpoint can be authorized // without authentication if an authorization rule exists that applies to // anyone. The authorizer will map the absence of a principal to "ANY". TYPED_TEST(SlaveAuthorizerTest, AuthorizeFlagsEndpointWithoutPrincipal) { const string endpoint = "flags"; // Because the authenticators' lifetime is tied to libprocess's lifetime, // it may already be set by other tests. We have to unset it here to disable // HTTP authentication. // TODO(nfnt): Fix this behavior. The authenticator should be unset by // every test case that sets it, similar to how it's done for the master. http::authentication::unsetAuthenticator( slave::DEFAULT_HTTP_AUTHENTICATION_REALM); // Setup ACLs so that any principal can access the '/flags' endpoint. ACLs acls; acls.set_permissive(false); mesos::ACL::GetEndpoint* acl = acls.add_get_endpoints(); acl->mutable_principals()->set_type(mesos::ACL::Entity::ANY); acl->mutable_paths()->add_values("/" + endpoint); slave::Flags agentFlags = this->CreateSlaveFlags(); agentFlags.acls = acls; agentFlags.authenticate_http = false; agentFlags.http_credentials = None(); // Create an `Authorizer` with the ACLs. Try<Authorizer*> create = TypeParam::create(parameterize(acls)); ASSERT_SOME(create); Owned<Authorizer> authorizer(create.get()); StandaloneMasterDetector detector; Try<Owned<cluster::Slave>> agent = this->StartSlave( &detector, authorizer.get(), agentFlags); ASSERT_SOME(agent); Future<Response> response = http::get(agent.get()->pid, endpoint); AWAIT_EXPECT_RESPONSE_STATUS_EQ(OK().status, response) << response.get().body; }