You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mesos.apache.org by ji...@apache.org on 2016/02/26 20:43:19 UTC
[4/6] mesos git commit: Added '/create-volumes' tests with multiple
roles.
Added '/create-volumes' tests with multiple roles.
Operators may create volumes for multiple roles in the same operation;
this patch adds tests to confirm correct behavior of authorization in
this case. The tests
`ReservationEndpointsTest.GoodReserveACLMultipleRoles` and
`ReservationEndpointsTest.BadReserveACLMultipleRoles` were added.
Review: https://reviews.apache.org/r/43778/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/27ce0529
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/27ce0529
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/27ce0529
Branch: refs/heads/master
Commit: 27ce052995da5b885ba1a811cccb8b256e5da3bd
Parents: 5dc9f56
Author: Greg Mann <gr...@mesosphere.io>
Authored: Fri Feb 26 11:42:48 2016 -0800
Committer: Jie Yu <yu...@gmail.com>
Committed: Fri Feb 26 11:42:48 2016 -0800
----------------------------------------------------------------------
src/tests/persistent_volume_endpoints_tests.cpp | 138 +++++++++++++++++++
1 file changed, 138 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/27ce0529/src/tests/persistent_volume_endpoints_tests.cpp
----------------------------------------------------------------------
diff --git a/src/tests/persistent_volume_endpoints_tests.cpp b/src/tests/persistent_volume_endpoints_tests.cpp
index 270bb1a..08b9102 100644
--- a/src/tests/persistent_volume_endpoints_tests.cpp
+++ b/src/tests/persistent_volume_endpoints_tests.cpp
@@ -831,6 +831,72 @@ TEST_F(PersistentVolumeEndpointsTest, GoodCreateAndDestroyACL)
}
+// Tests that correct setup of `CreateVolume` ACLs allows an operator to perform
+// volume creation operations successfully when volumes for multiple roles are
+// included in the request.
+TEST_F(PersistentVolumeEndpointsTest, GoodCreateACLMultipleRoles)
+{
+ const string AUTHORIZED_ROLE_1 = "potato_head";
+ const string AUTHORIZED_ROLE_2 = "gumby";
+
+ TestAllocator<> allocator;
+ ACLs acls;
+
+ // This ACL asserts that the principal of `DEFAULT_CREDENTIAL`
+ // can create volumes for any role.
+ mesos::ACL::CreateVolume* create = acls.add_create_volumes();
+ create->mutable_principals()->add_values(DEFAULT_CREDENTIAL.principal());
+ create->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
+
+ // Create a master.
+ master::Flags masterFlags = CreateMasterFlags();
+ masterFlags.acls = acls;
+
+ EXPECT_CALL(allocator, initialize(_, _, _, _));
+
+ Try<PID<Master>> master = StartMaster(&allocator, masterFlags);
+ ASSERT_SOME(master);
+
+ // Create a slave. Disk resources are statically reserved to allow the
+ // creation of a persistent volume.
+ slave::Flags slaveFlags = CreateSlaveFlags();
+ slaveFlags.resources =
+ "cpus:1;mem:512;disk(" + AUTHORIZED_ROLE_1 +"):1024;disk(" +
+ AUTHORIZED_ROLE_2 + "):1024";
+
+ Future<SlaveID> slaveId;
+ EXPECT_CALL(allocator, addSlave(_, _, _, _, _))
+ .WillOnce(DoAll(InvokeAddSlave(&allocator), FutureArg<0>(&slaveId)));
+
+ Try<PID<Slave>> slave = StartSlave(slaveFlags);
+ ASSERT_SOME(slave);
+
+ Resources volume1 = createPersistentVolume(
+ Megabytes(64),
+ AUTHORIZED_ROLE_1,
+ "id1",
+ "path1");
+
+ Resources volume2 = createPersistentVolume(
+ Megabytes(64),
+ AUTHORIZED_ROLE_2,
+ "id2",
+ "path2");
+
+ Resources volumesMultipleRoles = volume1 + volume2;
+
+ Future<Response> response = process::http::post(
+ master.get(),
+ "create-volumes",
+ createBasicAuthHeaders(DEFAULT_CREDENTIAL),
+ createRequestBody(slaveId.get(), "volumes", volumesMultipleRoles));
+
+ AWAIT_EXPECT_RESPONSE_STATUS_EQ(OK().status, response);
+
+ Shutdown();
+}
+
+
// This tests that an ACL prohibiting the creation of a persistent volume by a
// principal will lead to a properly failed request.
TEST_F(PersistentVolumeEndpointsTest, BadCreateAndDestroyACL)
@@ -949,6 +1015,78 @@ TEST_F(PersistentVolumeEndpointsTest, BadCreateAndDestroyACL)
}
+// Tests that a request to create volumes will fail if volumes for multiple
+// roles are included in the request and the operator is not authorized to
+// create volumes for one of them.
+TEST_F(PersistentVolumeEndpointsTest, BadCreateACLMultipleRoles)
+{
+ const string AUTHORIZED_ROLE = "potato_head";
+ const string UNAUTHORIZED_ROLE = "gumby";
+
+ TestAllocator<> allocator;
+ ACLs acls;
+
+ // This ACL asserts that the principal of `DEFAULT_CREDENTIAL`
+ // can create volumes for `AUTHORIZED_ROLE`.
+ mesos::ACL::CreateVolume* create1 = acls.add_create_volumes();
+ create1->mutable_principals()->add_values(DEFAULT_CREDENTIAL.principal());
+ create1->mutable_roles()->add_values(AUTHORIZED_ROLE);
+
+ // This ACL asserts that the principal of `DEFAULT_CREDENTIAL`
+ // cannot create volumes for any other role.
+ mesos::ACL::CreateVolume* create2 = acls.add_create_volumes();
+ create2->mutable_principals()->add_values(DEFAULT_CREDENTIAL.principal());
+ create2->mutable_roles()->set_type(mesos::ACL::Entity::NONE);
+
+ // Create a master.
+ master::Flags masterFlags = CreateMasterFlags();
+ masterFlags.acls = acls;
+
+ EXPECT_CALL(allocator, initialize(_, _, _, _));
+
+ Try<PID<Master>> master = StartMaster(&allocator, masterFlags);
+ ASSERT_SOME(master);
+
+ // Create a slave. Disk resources are statically reserved to allow the
+ // creation of a persistent volume.
+ slave::Flags slaveFlags = CreateSlaveFlags();
+ slaveFlags.resources =
+ "cpus:1;mem:512;disk(" + AUTHORIZED_ROLE +"):1024;disk(" +
+ UNAUTHORIZED_ROLE + "):1024";
+
+ Future<SlaveID> slaveId;
+ EXPECT_CALL(allocator, addSlave(_, _, _, _, _))
+ .WillOnce(DoAll(InvokeAddSlave(&allocator), FutureArg<0>(&slaveId)));
+
+ Try<PID<Slave>> slave = StartSlave(slaveFlags);
+ ASSERT_SOME(slave);
+
+ Resources volume1 = createPersistentVolume(
+ Megabytes(64),
+ AUTHORIZED_ROLE,
+ "id1",
+ "path1");
+
+ Resources volume2 = createPersistentVolume(
+ Megabytes(64),
+ UNAUTHORIZED_ROLE,
+ "id2",
+ "path2");
+
+ Resources volumesMultipleRoles = volume1 + volume2;
+
+ Future<Response> response = process::http::post(
+ master.get(),
+ "create-volumes",
+ createBasicAuthHeaders(DEFAULT_CREDENTIAL),
+ createRequestBody(slaveId.get(), "volumes", volumesMultipleRoles));
+
+ AWAIT_EXPECT_RESPONSE_STATUS_EQ(Forbidden().status, response);
+
+ Shutdown();
+}
+
+
// This tests that a request containing a credential which is not listed in the
// master for authentication will not succeed, even if a good authorization ACL
// is provided.