// This tests the authorization of ACLs used for unreserve // operations on dynamically reserved resources. TYPED_TEST(AuthorizationTest, Unreserve) { ACLs acls; // "foo" principal can unreserve its own resources. mesos::ACL::UnreserveResources* acl1 = acls.add_unreserve_resources(); acl1->mutable_principals()->add_values("foo"); acl1->mutable_reserver_principals()->add_values("foo"); // "bar" principal cannot unreserve anyone's resources. mesos::ACL::UnreserveResources* acl2 = acls.add_unreserve_resources(); acl2->mutable_principals()->add_values("bar"); acl2->mutable_reserver_principals()->set_type(mesos::ACL::Entity::NONE); // "ops" principal can unreserve anyone's resources. mesos::ACL::UnreserveResources* acl3 = acls.add_unreserve_resources(); acl3->mutable_principals()->add_values("ops"); acl3->mutable_reserver_principals()->set_type(mesos::ACL::Entity::ANY); // No other principals can unreserve resources. mesos::ACL::UnreserveResources* acl4 = acls.add_unreserve_resources(); acl4->mutable_principals()->set_type(mesos::ACL::Entity::ANY); acl4->mutable_reserver_principals()->set_type(mesos::ACL::Entity::NONE); // Create an `Authorizer` with the ACLs. Try<Authorizer*> create = TypeParam::create(); ASSERT_SOME(create); Owned<Authorizer> authorizer(create.get()); Try<Nothing> initialized = authorizer.get()->initialize(acls); ASSERT_SOME(initialized); // Principal "foo" can unreserve its own resources. mesos::ACL::UnreserveResources request1; request1.mutable_principals()->add_values("foo"); request1.mutable_reserver_principals()->add_values("foo"); AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request1)); // Principal "bar" cannot unreserve anyone's // resources, so requests 2 and 3 will fail. mesos::ACL::UnreserveResources request2; request2.mutable_principals()->add_values("bar"); request2.mutable_reserver_principals()->add_values("foo"); AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request2)); mesos::ACL::UnreserveResources request3; request3.mutable_principals()->add_values("bar"); request3.mutable_reserver_principals()->add_values("bar"); AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request3)); // Principal "ops" can unreserve anyone's resources, // so requests 4 and 5 will succeed. mesos::ACL::UnreserveResources request4; request4.mutable_principals()->add_values("ops"); request4.mutable_reserver_principals()->add_values("foo"); AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request4)); mesos::ACL::UnreserveResources request5; request5.mutable_principals()->add_values("ops"); request5.mutable_reserver_principals()->add_values("foo"); request5.mutable_reserver_principals()->add_values("bar"); request5.mutable_reserver_principals()->add_values("ops"); AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request5)); // Principal "zelda" is not mentioned in the ACLs of the Authorizer, so it // will be caught by the final ACL, which provides a default case that denies // access for all other principals. This case will fail. mesos::ACL::UnreserveResources request6; request6.mutable_principals()->add_values("zelda"); request6.mutable_reserver_principals()->add_values("foo"); AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request6)); }
// This tests the authorization of ACLs used for unreserve // operations on dynamically reserved resources. TYPED_TEST(AuthorizationTest, Unreserve) { ACLs acls; { // "foo" principal can unreserve its own resources. mesos::ACL::UnreserveResources* acl = acls.add_unreserve_resources(); acl->mutable_principals()->add_values("foo"); acl->mutable_reserver_principals()->add_values("foo"); } { // "bar" principal cannot unreserve anyone's resources. mesos::ACL::UnreserveResources* acl = acls.add_unreserve_resources(); acl->mutable_principals()->add_values("bar"); acl->mutable_reserver_principals()->set_type(mesos::ACL::Entity::NONE); } { // "ops" principal can unreserve anyone's resources. mesos::ACL::UnreserveResources* acl = acls.add_unreserve_resources(); acl->mutable_principals()->add_values("ops"); acl->mutable_reserver_principals()->set_type(mesos::ACL::Entity::ANY); } { // No other principals can unreserve resources. mesos::ACL::UnreserveResources* acl = acls.add_unreserve_resources(); acl->mutable_principals()->set_type(mesos::ACL::Entity::ANY); acl->mutable_reserver_principals()->set_type(mesos::ACL::Entity::NONE); } // Create an `Authorizer` with the ACLs. Try<Authorizer*> create = TypeParam::create(parameterize(acls)); ASSERT_SOME(create); Owned<Authorizer> authorizer(create.get()); // Principal "foo" can unreserve its own resources. { authorization::Request request; request.set_action(authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL); request.mutable_subject()->set_value("foo"); request.mutable_object()->set_value("foo"); AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request)); } // Principal "bar" cannot unreserve anyone's // resources, so requests 2 and 3 will fail. { authorization::Request request; request.set_action(authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL); request.mutable_subject()->set_value("bar"); request.mutable_object()->set_value("foo"); AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request)); } { authorization::Request request; request.set_action(authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL); request.mutable_subject()->set_value("bar"); request.mutable_object()->set_value("bar"); AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request)); } // Principal "ops" can unreserve anyone's resources, // so requests 4 and 5 will succeed. { authorization::Request request; request.set_action(authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL); request.mutable_subject()->set_value("ops"); request.mutable_object()->set_value("foo"); AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request)); } { authorization::Request request; request.set_action(authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL); request.mutable_subject()->set_value("ops"); request.mutable_object()->set_value("foo"); AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request)); } { authorization::Request request; request.set_action(authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL); request.mutable_subject()->set_value("ops"); request.mutable_object()->set_value("bar"); AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request)); } { authorization::Request request; request.set_action(authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL); request.mutable_subject()->set_value("ops"); request.mutable_object()->set_value("ops"); AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request)); } // Principal "zelda" is not mentioned in the ACLs of the Authorizer, so it // will be caught by the final ACL, which provides a default case that denies // access for all other principals. This case will fail. { authorization::Request request; request.set_action(authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL); request.mutable_subject()->set_value("zelda"); request.mutable_object()->set_value("foo"); AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request)); } }