You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mesos.apache.org by ji...@apache.org on 2016/02/26 20:43:19 UTC

[4/6] mesos git commit: Added '/create-volumes' tests with multiple roles.

Added '/create-volumes' tests with multiple roles.

Operators may create volumes for multiple roles in the same operation;
this patch adds tests to confirm correct behavior of authorization in
this case. The tests
`ReservationEndpointsTest.GoodReserveACLMultipleRoles` and
`ReservationEndpointsTest.BadReserveACLMultipleRoles` were added.

Review: https://reviews.apache.org/r/43778/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/27ce0529
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/27ce0529
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/27ce0529

Branch: refs/heads/master
Commit: 27ce052995da5b885ba1a811cccb8b256e5da3bd
Parents: 5dc9f56
Author: Greg Mann <gr...@mesosphere.io>
Authored: Fri Feb 26 11:42:48 2016 -0800
Committer: Jie Yu <yu...@gmail.com>
Committed: Fri Feb 26 11:42:48 2016 -0800

----------------------------------------------------------------------
 src/tests/persistent_volume_endpoints_tests.cpp | 138 +++++++++++++++++++
 1 file changed, 138 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/27ce0529/src/tests/persistent_volume_endpoints_tests.cpp
----------------------------------------------------------------------
diff --git a/src/tests/persistent_volume_endpoints_tests.cpp b/src/tests/persistent_volume_endpoints_tests.cpp
index 270bb1a..08b9102 100644
--- a/src/tests/persistent_volume_endpoints_tests.cpp
+++ b/src/tests/persistent_volume_endpoints_tests.cpp
@@ -831,6 +831,72 @@ TEST_F(PersistentVolumeEndpointsTest, GoodCreateAndDestroyACL)
 }
 
 
+// Tests that correct setup of `CreateVolume` ACLs allows an operator to perform
+// volume creation operations successfully when volumes for multiple roles are
+// included in the request.
+TEST_F(PersistentVolumeEndpointsTest, GoodCreateACLMultipleRoles)
+{
+  const string AUTHORIZED_ROLE_1 = "potato_head";
+  const string AUTHORIZED_ROLE_2 = "gumby";
+
+  TestAllocator<> allocator;
+  ACLs acls;
+
+  // This ACL asserts that the principal of `DEFAULT_CREDENTIAL`
+  // can create volumes for any role.
+  mesos::ACL::CreateVolume* create = acls.add_create_volumes();
+  create->mutable_principals()->add_values(DEFAULT_CREDENTIAL.principal());
+  create->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
+
+  // Create a master.
+  master::Flags masterFlags = CreateMasterFlags();
+  masterFlags.acls = acls;
+
+  EXPECT_CALL(allocator, initialize(_, _, _, _));
+
+  Try<PID<Master>> master = StartMaster(&allocator, masterFlags);
+  ASSERT_SOME(master);
+
+  // Create a slave. Disk resources are statically reserved to allow the
+  // creation of a persistent volume.
+  slave::Flags slaveFlags = CreateSlaveFlags();
+  slaveFlags.resources =
+    "cpus:1;mem:512;disk(" + AUTHORIZED_ROLE_1 +"):1024;disk(" +
+    AUTHORIZED_ROLE_2 + "):1024";
+
+  Future<SlaveID> slaveId;
+  EXPECT_CALL(allocator, addSlave(_, _, _, _, _))
+    .WillOnce(DoAll(InvokeAddSlave(&allocator), FutureArg<0>(&slaveId)));
+
+  Try<PID<Slave>> slave = StartSlave(slaveFlags);
+  ASSERT_SOME(slave);
+
+  Resources volume1 = createPersistentVolume(
+      Megabytes(64),
+      AUTHORIZED_ROLE_1,
+      "id1",
+      "path1");
+
+  Resources volume2 = createPersistentVolume(
+      Megabytes(64),
+      AUTHORIZED_ROLE_2,
+      "id2",
+      "path2");
+
+  Resources volumesMultipleRoles = volume1 + volume2;
+
+  Future<Response> response = process::http::post(
+      master.get(),
+      "create-volumes",
+      createBasicAuthHeaders(DEFAULT_CREDENTIAL),
+      createRequestBody(slaveId.get(), "volumes", volumesMultipleRoles));
+
+  AWAIT_EXPECT_RESPONSE_STATUS_EQ(OK().status, response);
+
+  Shutdown();
+}
+
+
 // This tests that an ACL prohibiting the creation of a persistent volume by a
 // principal will lead to a properly failed request.
 TEST_F(PersistentVolumeEndpointsTest, BadCreateAndDestroyACL)
@@ -949,6 +1015,78 @@ TEST_F(PersistentVolumeEndpointsTest, BadCreateAndDestroyACL)
 }
 
 
+// Tests that a request to create volumes will fail if volumes for multiple
+// roles are included in the request and the operator is not authorized to
+// create volumes for one of them.
+TEST_F(PersistentVolumeEndpointsTest, BadCreateACLMultipleRoles)
+{
+  const string AUTHORIZED_ROLE = "potato_head";
+  const string UNAUTHORIZED_ROLE = "gumby";
+
+  TestAllocator<> allocator;
+  ACLs acls;
+
+  // This ACL asserts that the principal of `DEFAULT_CREDENTIAL`
+  // can create volumes for `AUTHORIZED_ROLE`.
+  mesos::ACL::CreateVolume* create1 = acls.add_create_volumes();
+  create1->mutable_principals()->add_values(DEFAULT_CREDENTIAL.principal());
+  create1->mutable_roles()->add_values(AUTHORIZED_ROLE);
+
+  // This ACL asserts that the principal of `DEFAULT_CREDENTIAL`
+  // cannot create volumes for any other role.
+  mesos::ACL::CreateVolume* create2 = acls.add_create_volumes();
+  create2->mutable_principals()->add_values(DEFAULT_CREDENTIAL.principal());
+  create2->mutable_roles()->set_type(mesos::ACL::Entity::NONE);
+
+  // Create a master.
+  master::Flags masterFlags = CreateMasterFlags();
+  masterFlags.acls = acls;
+
+  EXPECT_CALL(allocator, initialize(_, _, _, _));
+
+  Try<PID<Master>> master = StartMaster(&allocator, masterFlags);
+  ASSERT_SOME(master);
+
+  // Create a slave. Disk resources are statically reserved to allow the
+  // creation of a persistent volume.
+  slave::Flags slaveFlags = CreateSlaveFlags();
+  slaveFlags.resources =
+    "cpus:1;mem:512;disk(" + AUTHORIZED_ROLE +"):1024;disk(" +
+    UNAUTHORIZED_ROLE + "):1024";
+
+  Future<SlaveID> slaveId;
+  EXPECT_CALL(allocator, addSlave(_, _, _, _, _))
+    .WillOnce(DoAll(InvokeAddSlave(&allocator), FutureArg<0>(&slaveId)));
+
+  Try<PID<Slave>> slave = StartSlave(slaveFlags);
+  ASSERT_SOME(slave);
+
+  Resources volume1 = createPersistentVolume(
+      Megabytes(64),
+      AUTHORIZED_ROLE,
+      "id1",
+      "path1");
+
+  Resources volume2 = createPersistentVolume(
+      Megabytes(64),
+      UNAUTHORIZED_ROLE,
+      "id2",
+      "path2");
+
+  Resources volumesMultipleRoles = volume1 + volume2;
+
+  Future<Response> response = process::http::post(
+      master.get(),
+      "create-volumes",
+      createBasicAuthHeaders(DEFAULT_CREDENTIAL),
+      createRequestBody(slaveId.get(), "volumes", volumesMultipleRoles));
+
+  AWAIT_EXPECT_RESPONSE_STATUS_EQ(Forbidden().status, response);
+
+  Shutdown();
+}
+
+
 // This tests that a request containing a credential which is not listed in the
 // master for authentication will not succeed, even if a good authorization ACL
 // is provided.