// This tests that update_quotas and set_quotas/remove_quotas
// cannot be used together.
// TODO(zhitao): Remove this test case at the end of the deprecation
// cycle started with 0.29.
TYPED_TEST(AuthorizationTest, ConflictQuotaACLs) {
{
ACLs acls;
{
// Add an UpdateQuota ACL.
mesos::ACL::UpdateQuota* acl = acls.add_update_quotas();
acl->mutable_principals()->add_values("foo");
acl->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
}
{
// Add a SetQuota ACL.
mesos::ACL::SetQuota* acl = acls.add_set_quotas();
acl->mutable_principals()->add_values("foo");
acl->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
}
// Create an `Authorizer` with the ACLs should error out.
Try<Authorizer*> create = TypeParam::create(parameterize(acls));
ASSERT_ERROR(create);
}
{
ACLs acls;
{
// Add an UpdateQuota ACL.
mesos::ACL::UpdateQuota* acl = acls.add_update_quotas();
acl->mutable_principals()->add_values("foo");
acl->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
}
{
// Add a RemoveQuota ACL.
mesos::ACL::RemoveQuota* acl = acls.add_remove_quotas();
acl->mutable_principals()->add_values("foo");
acl->mutable_quota_principals()->set_type(mesos::ACL::Entity::ANY);
}
// Create an `Authorizer` with the ACLs should error out.
Try<Authorizer*> create = TypeParam::create(parameterize(acls));
ASSERT_ERROR(create);
}
}
// This tests the authorization of requests to set quotas.
TYPED_TEST(AuthorizationTest, SetQuota)
{
ACLs acls;
// "foo" principal can set quotas for all roles.
mesos::ACL::SetQuota* acl1 = acls.add_set_quotas();
acl1->mutable_principals()->add_values("foo");
acl1->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
// "bar" principal can set quotas for "dev" role.
mesos::ACL::SetQuota* acl2 = acls.add_set_quotas();
acl2->mutable_principals()->add_values("bar");
acl2->mutable_roles()->add_values("dev");
// Anyone can set quotas for "test" role.
mesos::ACL::SetQuota* acl3 = acls.add_set_quotas();
acl3->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
acl3->mutable_roles()->add_values("test");
// No other principal can set quotas.
mesos::ACL::SetQuota* acl4 = acls.add_set_quotas();
acl4->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
acl4->mutable_roles()->set_type(mesos::ACL::Entity::NONE);
// Create an `Authorizer` with the ACLs.
Try<Authorizer*> create = TypeParam::create();
ASSERT_SOME(create);
Owned<Authorizer> authorizer(create.get());
Try<Nothing> initialized = authorizer.get()->initialize(acls);
ASSERT_SOME(initialized);
// Principal "foo" can set quota for all roles, so requests 1 and 2 will pass.
mesos::ACL::SetQuota request1;
request1.mutable_principals()->add_values("foo");
request1.mutable_roles()->set_type(mesos::ACL::Entity::ANY);
AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request1));
mesos::ACL::SetQuota request2;
request2.mutable_principals()->add_values("foo");
request2.mutable_roles()->add_values("prod");
AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request2));
// Principal "bar" can set quotas for role "dev", so this will pass.
mesos::ACL::SetQuota request3;
request3.mutable_principals()->add_values("bar");
request3.mutable_roles()->add_values("dev");
AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request3));
// Principal "bar" can only set quotas for role "dev",
// so request 4 and 5 will fail.
mesos::ACL::SetQuota request4;
request4.mutable_principals()->add_values("bar");
request4.mutable_roles()->add_values("prod");
AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request4));
mesos::ACL::SetQuota request5;
request5.mutable_principals()->add_values("bar");
request5.mutable_roles()->set_type(mesos::ACL::Entity::ANY);
AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request5));
// Anyone can set quotas for role "test", so request 6 will pass.
mesos::ACL::SetQuota request6;
request6.mutable_principals()->set_type(mesos::ACL::Entity::ANY);
request6.mutable_roles()->add_values("test");
AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request6));
// Principal "jeff" is not mentioned in the ACLs of the `Authorizer`, so it
// will be caught by the final ACL, which provides a default case that denies
// access for all other principals. This case will fail.
mesos::ACL::SetQuota request7;
request7.mutable_principals()->add_values("jeff");
request7.mutable_roles()->set_type(mesos::ACL::Entity::ANY);
AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request7));
}
// This tests the authorization of requests to set quotas.
// TODO(zhitao): Remove this test case at the end of the deprecation
// cycle started with 0.29.
TYPED_TEST(AuthorizationTest, SetQuota)
{
ACLs acls;
{
// "foo" principal can set quotas for all roles.
mesos::ACL::SetQuota* acl = acls.add_set_quotas();
acl->mutable_principals()->add_values("foo");
acl->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
}
{
// "bar" principal can set quotas for "dev" role.
mesos::ACL::SetQuota* acl = acls.add_set_quotas();
acl->mutable_principals()->add_values("bar");
acl->mutable_roles()->add_values("dev");
}
{
// Anyone can set quotas for "test" role.
mesos::ACL::SetQuota* acl = acls.add_set_quotas();
acl->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
acl->mutable_roles()->add_values("test");
}
{
// No other principal can set quotas.
mesos::ACL::SetQuota* acl = acls.add_set_quotas();
acl->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
acl->mutable_roles()->set_type(mesos::ACL::Entity::NONE);
}
// Create an `Authorizer` with the ACLs.
Try<Authorizer*> create = TypeParam::create(parameterize(acls));
ASSERT_SOME(create);
Owned<Authorizer> authorizer(create.get());
// Principal "foo" can set quota for all roles, so requests 1 and 2 will pass.
{
authorization::Request request;
request.set_action(authorization::SET_QUOTA_WITH_ROLE);
request.mutable_subject()->set_value("foo");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
{
authorization::Request request;
request.set_action(authorization::SET_QUOTA_WITH_ROLE);
request.mutable_subject()->set_value("foo");
request.mutable_object()->set_value("prod");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
// Principal "bar" can set quotas for role "dev", so this will pass.
{
authorization::Request request;
request.set_action(authorization::SET_QUOTA_WITH_ROLE);
request.mutable_subject()->set_value("bar");
request.mutable_object()->set_value("dev");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
// Principal "bar" can only set quotas for role "dev",
// so request 4 and 5 will fail.
{
authorization::Request request;
request.set_action(authorization::SET_QUOTA_WITH_ROLE);
request.mutable_subject()->set_value("bar");
request.mutable_object()->set_value("prod");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
{
authorization::Request request;
request.set_action(authorization::SET_QUOTA_WITH_ROLE);
request.mutable_subject()->set_value("bar");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
// Anyone can set quotas for role "test", so request 6 will pass.
{
authorization::Request request;
request.set_action(authorization::SET_QUOTA_WITH_ROLE);
request.mutable_object()->set_value("test");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
// Principal "jeff" is not mentioned in the ACLs of the `Authorizer`, so it
// will be caught by the final ACL, which provides a default case that denies
// access for all other principals. This case will fail.
{
authorization::Request request;
request.set_action(authorization::SET_QUOTA_WITH_ROLE);
request.mutable_subject()->set_value("jeff");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
}
