// Tests the authorization of ACLs used for the creation of persistent volumes.
//
// The ACL list is built so that it contains one entry of each shape the
// authorizer must handle: principal -> ANY role, principal -> one named role,
// principal -> NONE, and a trailing ANY -> NONE catch-all. The requests then
// exercise an allow, a named-role allow, a named-role deny, an explicit
// per-principal deny, and a principal that is only denied by the catch-all.
TYPED_TEST(AuthorizationTest, CreateVolume)
{
  ACLs acls;

  {
    // Principal "foo" can create volumes for any role.
    mesos::ACL::CreateVolume* acl = acls.add_create_volumes();
    acl->mutable_principals()->add_values("foo");
    acl->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
  }

  {
    // Principal "bar" can only create volumes for the "panda" role.
    mesos::ACL::CreateVolume* acl = acls.add_create_volumes();
    acl->mutable_principals()->add_values("bar");
    acl->mutable_roles()->add_values("panda");
  }

  {
    // Principal "baz" cannot create volumes.
    mesos::ACL::CreateVolume* acl = acls.add_create_volumes();
    acl->mutable_principals()->add_values("baz");
    acl->mutable_roles()->set_type(mesos::ACL::Entity::NONE);
  }

  {
    // No other principals can create volumes. This entry is the default-deny
    // case that the "zelda" request below relies on, so it is added last.
    mesos::ACL::CreateVolume* acl = acls.add_create_volumes();
    acl->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
    acl->mutable_roles()->set_type(mesos::ACL::Entity::NONE);
  }

  // Create an Authorizer and initialize it with the ACLs.
  Try<Authorizer*> create = TypeParam::create();
  ASSERT_SOME(create);
  Owned<Authorizer> authorizer(create.get());

  Try<Nothing> initialized = authorizer.get()->initialize(acls);
  ASSERT_SOME(initialized);

  // Builds a CreateVolume request in which `principal` asks to create a
  // volume for `role`.
  auto makeRequest = [](const char* principal, const char* role)
      -> mesos::ACL::CreateVolume {
    mesos::ACL::CreateVolume request;
    request.mutable_principals()->add_values(principal);
    request.mutable_roles()->add_values(role);
    return request;
  };

  // Principal "foo" can create volumes for any role, so this request will pass.
  AWAIT_EXPECT_TRUE(
      authorizer.get()->authorize(makeRequest("foo", "awesome_role")));

  // Principal "bar" can create volumes for the "panda" role,
  // so this request will pass.
  AWAIT_EXPECT_TRUE(
      authorizer.get()->authorize(makeRequest("bar", "panda")));

  // Principal "bar" cannot create volumes for the "giraffe" role,
  // so this request will fail.
  AWAIT_EXPECT_FALSE(
      authorizer.get()->authorize(makeRequest("bar", "giraffe")));

  // Principal "baz" cannot create volumes for any role,
  // so this request will fail.
  AWAIT_EXPECT_FALSE(
      authorizer.get()->authorize(makeRequest("baz", "panda")));

  // Principal "zelda" is not mentioned in the ACLs of the Authorizer, so it
  // will be caught by the final ACL, which provides a default case that denies
  // access for all other principals. This request will fail.
  AWAIT_EXPECT_FALSE(
      authorizer.get()->authorize(makeRequest("zelda", "panda")));
}
// Tests the authorization of ACLs used for the creation of persistent volumes.
//
// Four ACL entries are installed, in order: "foo" -> any role, "bar" -> the
// "panda" role only, "baz" -> no role, and a catch-all ANY -> NONE. Each
// `CREATE_VOLUME_WITH_ROLE` request below checks one of those entries; the
// last request uses a principal that appears in none of them and must be
// refused by the catch-all alone.
TYPED_TEST(AuthorizationTest, CreateVolume)
{
  ACLs acls;

  // Appends a CreateVolume ACL whose principal set contains only `principal`;
  // the caller sets the role side of the entry on the returned pointer.
  auto addAclFor = [&acls](const char* principal) -> mesos::ACL::CreateVolume* {
    mesos::ACL::CreateVolume* acl = acls.add_create_volumes();
    acl->mutable_principals()->add_values(principal);
    return acl;
  };

  // Principal "foo" can create volumes for any role.
  addAclFor("foo")->mutable_roles()->set_type(mesos::ACL::Entity::ANY);

  // Principal "bar" can only create volumes for the "panda" role.
  addAclFor("bar")->mutable_roles()->add_values("panda");

  // Principal "baz" cannot create volumes.
  addAclFor("baz")->mutable_roles()->set_type(mesos::ACL::Entity::NONE);

  {
    // No other principals can create volumes. This is the default-deny entry
    // the "zelda" request below depends on, so it is kept as the final ACL.
    mesos::ACL::CreateVolume* acl = acls.add_create_volumes();
    acl->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
    acl->mutable_roles()->set_type(mesos::ACL::Entity::NONE);
  }

  // Create an `Authorizer` with the ACLs.
  Try<Authorizer*> create = TypeParam::create(parameterize(acls));
  ASSERT_SOME(create);
  Owned<Authorizer> authorizer(create.get());

  // Builds a `CREATE_VOLUME_WITH_ROLE` request whose subject is `principal`
  // and whose object is `role`.
  auto makeRequest = [](const char* principal, const char* role)
      -> authorization::Request {
    authorization::Request request;
    request.set_action(authorization::CREATE_VOLUME_WITH_ROLE);
    request.mutable_subject()->set_value(principal);
    request.mutable_object()->set_value(role);
    return request;
  };

  // Principal "foo" can create volumes for any role, so this request will pass.
  AWAIT_EXPECT_TRUE(
      authorizer.get()->authorized(makeRequest("foo", "awesome_role")));

  // Principal "bar" can create volumes for the "panda" role,
  // so this request will pass.
  AWAIT_EXPECT_TRUE(
      authorizer.get()->authorized(makeRequest("bar", "panda")));

  // Principal "bar" cannot create volumes for the "giraffe" role,
  // so this request will fail.
  AWAIT_EXPECT_FALSE(
      authorizer.get()->authorized(makeRequest("bar", "giraffe")));

  // Principal "baz" cannot create volumes for any role,
  // so this request will fail.
  AWAIT_EXPECT_FALSE(
      authorizer.get()->authorized(makeRequest("baz", "panda")));

  // Principal "zelda" is not mentioned in the ACLs of the Authorizer, so it
  // will be caught by the final ACL, which provides a default case that denies
  // access for all other principals. This request will fail.
  AWAIT_EXPECT_FALSE(
      authorizer.get()->authorized(makeRequest("zelda", "panda")));
}