// This tests that update_quotas and set_quotas/remove_quotas // cannot be used together. // TODO(zhitao): Remove this test case at the end of the deprecation // cycle started with 0.29. TYPED_TEST(AuthorizationTest, ConflictQuotaACLs) { { ACLs acls; { // Add an UpdateQuota ACL. mesos::ACL::UpdateQuota* acl = acls.add_update_quotas(); acl->mutable_principals()->add_values("foo"); acl->mutable_roles()->set_type(mesos::ACL::Entity::ANY); } { // Add a SetQuota ACL. mesos::ACL::SetQuota* acl = acls.add_set_quotas(); acl->mutable_principals()->add_values("foo"); acl->mutable_roles()->set_type(mesos::ACL::Entity::ANY); } // Create an `Authorizer` with the ACLs should error out. Try<Authorizer*> create = TypeParam::create(parameterize(acls)); ASSERT_ERROR(create); } { ACLs acls; { // Add an UpdateQuota ACL. mesos::ACL::UpdateQuota* acl = acls.add_update_quotas(); acl->mutable_principals()->add_values("foo"); acl->mutable_roles()->set_type(mesos::ACL::Entity::ANY); } { // Add a RemoveQuota ACL. mesos::ACL::RemoveQuota* acl = acls.add_remove_quotas(); acl->mutable_principals()->add_values("foo"); acl->mutable_quota_principals()->set_type(mesos::ACL::Entity::ANY); } // Create an `Authorizer` with the ACLs should error out. Try<Authorizer*> create = TypeParam::create(parameterize(acls)); ASSERT_ERROR(create); } }
// This tests the authorization of requests to set quotas. TYPED_TEST(AuthorizationTest, SetQuota) { ACLs acls; // "foo" principal can set quotas for all roles. mesos::ACL::SetQuota* acl1 = acls.add_set_quotas(); acl1->mutable_principals()->add_values("foo"); acl1->mutable_roles()->set_type(mesos::ACL::Entity::ANY); // "bar" principal can set quotas for "dev" role. mesos::ACL::SetQuota* acl2 = acls.add_set_quotas(); acl2->mutable_principals()->add_values("bar"); acl2->mutable_roles()->add_values("dev"); // Anyone can set quotas for "test" role. mesos::ACL::SetQuota* acl3 = acls.add_set_quotas(); acl3->mutable_principals()->set_type(mesos::ACL::Entity::ANY); acl3->mutable_roles()->add_values("test"); // No other principal can set quotas. mesos::ACL::SetQuota* acl4 = acls.add_set_quotas(); acl4->mutable_principals()->set_type(mesos::ACL::Entity::ANY); acl4->mutable_roles()->set_type(mesos::ACL::Entity::NONE); // Create an `Authorizer` with the ACLs. Try<Authorizer*> create = TypeParam::create(); ASSERT_SOME(create); Owned<Authorizer> authorizer(create.get()); Try<Nothing> initialized = authorizer.get()->initialize(acls); ASSERT_SOME(initialized); // Principal "foo" can set quota for all roles, so requests 1 and 2 will pass. mesos::ACL::SetQuota request1; request1.mutable_principals()->add_values("foo"); request1.mutable_roles()->set_type(mesos::ACL::Entity::ANY); AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request1)); mesos::ACL::SetQuota request2; request2.mutable_principals()->add_values("foo"); request2.mutable_roles()->add_values("prod"); AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request2)); // Principal "bar" can set quotas for role "dev", so this will pass. mesos::ACL::SetQuota request3; request3.mutable_principals()->add_values("bar"); request3.mutable_roles()->add_values("dev"); AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request3)); // Principal "bar" can only set quotas for role "dev", // so request 4 and 5 will fail. mesos::ACL::SetQuota request4; request4.mutable_principals()->add_values("bar"); request4.mutable_roles()->add_values("prod"); AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request4)); mesos::ACL::SetQuota request5; request5.mutable_principals()->add_values("bar"); request5.mutable_roles()->set_type(mesos::ACL::Entity::ANY); AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request5)); // Anyone can set quotas for role "test", so request 6 will pass. mesos::ACL::SetQuota request6; request6.mutable_principals()->set_type(mesos::ACL::Entity::ANY); request6.mutable_roles()->add_values("test"); AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request6)); // Principal "jeff" is not mentioned in the ACLs of the `Authorizer`, so it // will be caught by the final ACL, which provides a default case that denies // access for all other principals. This case will fail. mesos::ACL::SetQuota request7; request7.mutable_principals()->add_values("jeff"); request7.mutable_roles()->set_type(mesos::ACL::Entity::ANY); AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request7)); }
// This tests the authorization of requests to set quotas. // TODO(zhitao): Remove this test case at the end of the deprecation // cycle started with 0.29. TYPED_TEST(AuthorizationTest, SetQuota) { ACLs acls; { // "foo" principal can set quotas for all roles. mesos::ACL::SetQuota* acl = acls.add_set_quotas(); acl->mutable_principals()->add_values("foo"); acl->mutable_roles()->set_type(mesos::ACL::Entity::ANY); } { // "bar" principal can set quotas for "dev" role. mesos::ACL::SetQuota* acl = acls.add_set_quotas(); acl->mutable_principals()->add_values("bar"); acl->mutable_roles()->add_values("dev"); } { // Anyone can set quotas for "test" role. mesos::ACL::SetQuota* acl = acls.add_set_quotas(); acl->mutable_principals()->set_type(mesos::ACL::Entity::ANY); acl->mutable_roles()->add_values("test"); } { // No other principal can set quotas. mesos::ACL::SetQuota* acl = acls.add_set_quotas(); acl->mutable_principals()->set_type(mesos::ACL::Entity::ANY); acl->mutable_roles()->set_type(mesos::ACL::Entity::NONE); } // Create an `Authorizer` with the ACLs. Try<Authorizer*> create = TypeParam::create(parameterize(acls)); ASSERT_SOME(create); Owned<Authorizer> authorizer(create.get()); // Principal "foo" can set quota for all roles, so requests 1 and 2 will pass. { authorization::Request request; request.set_action(authorization::SET_QUOTA_WITH_ROLE); request.mutable_subject()->set_value("foo"); AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request)); } { authorization::Request request; request.set_action(authorization::SET_QUOTA_WITH_ROLE); request.mutable_subject()->set_value("foo"); request.mutable_object()->set_value("prod"); AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request)); } // Principal "bar" can set quotas for role "dev", so this will pass. { authorization::Request request; request.set_action(authorization::SET_QUOTA_WITH_ROLE); request.mutable_subject()->set_value("bar"); request.mutable_object()->set_value("dev"); AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request)); } // Principal "bar" can only set quotas for role "dev", // so request 4 and 5 will fail. { authorization::Request request; request.set_action(authorization::SET_QUOTA_WITH_ROLE); request.mutable_subject()->set_value("bar"); request.mutable_object()->set_value("prod"); AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request)); } { authorization::Request request; request.set_action(authorization::SET_QUOTA_WITH_ROLE); request.mutable_subject()->set_value("bar"); AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request)); } // Anyone can set quotas for role "test", so request 6 will pass. { authorization::Request request; request.set_action(authorization::SET_QUOTA_WITH_ROLE); request.mutable_object()->set_value("test"); AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request)); } // Principal "jeff" is not mentioned in the ACLs of the `Authorizer`, so it // will be caught by the final ACL, which provides a default case that denies // access for all other principals. This case will fail. { authorization::Request request; request.set_action(authorization::SET_QUOTA_WITH_ROLE); request.mutable_subject()->set_value("jeff"); AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request)); } }