Added MetricsTests with authorization. New tests were added: `MetricsTest.AgentAuthorizationEnabled` and `MetricsTest.MasterAuthorizationEnabled`. They verify that unauthorized requests to the '/metrics/snapshot' endpoints are rejected.
Review: https://reviews.apache.org/r/46870/ Project: http://git-wip-us.apache.org/repos/asf/mesos/repo Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/a776785f Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/a776785f Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/a776785f Branch: refs/heads/master Commit: a776785f3ea94ee7e827bd5aa7e37f323b6a2230 Parents: d5e1a47 Author: Greg Mann <[email protected]> Authored: Wed May 11 22:45:46 2016 -0400 Committer: Kapil Arya <[email protected]> Committed: Thu May 12 01:50:20 2016 -0400 ---------------------------------------------------------------------- src/tests/metrics_tests.cpp | 88 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/mesos/blob/a776785f/src/tests/metrics_tests.cpp ----------------------------------------------------------------------
diff --git a/src/tests/metrics_tests.cpp b/src/tests/metrics_tests.cpp
index 2ff6bb5..e470e75 100644
--- a/src/tests/metrics_tests.cpp
+++ b/src/tests/metrics_tests.cpp
@@ -18,6 +18,8 @@
 #include <mesos/authentication/http/basic_authenticator_factory.hpp>
+#include <mesos/authorizer/authorizer.hpp>
+
 #include <process/future.hpp>
 #include <process/http.hpp>
 #include <process/owned.hpp>
@@ -41,6 +43,8 @@ using mesos::master::detector::MasterDetector;
 using process::Owned;
+using process::http::authorization::AuthorizationCallbacks;
+
 namespace mesos {
 namespace internal {
 namespace tests {
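Review bot: The added `using process::http::authorization::AuthorizationCallbacks;` is not referenced by either test this commit adds in the later hunk, so unless code outside the visible hunks uses it the declaration can be dropped. The new `#include <mesos/authorizer/authorizer.hpp>` in the first hunk deserves the same check, since the added tests only name `ACLs` and `mesos::ACL::GetEndpoint`; if those are declared in a narrower header, including that one directly would state the dependency more precisely.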
@@ -317,6 +321,90 @@ TEST_F(MetricsTest, AgentAuthenticationEnabled)
 process::http::Unauthorized({}).status, response);
 }
+
+// Tests that the `/metrics/snapshot` endpoint will reject unauthorized requests
+// when authentication and authorization are enabled on the master.
+TEST_F(MetricsTest, MasterAuthorizationEnabled)
+{
+ Credentials credentials;
+ credentials.add_credentials()->CopyFrom(DEFAULT_CREDENTIAL);
+
+ // Create a basic HTTP authenticator with the specified credentials and set it
+ // as the authenticator for `DEFAULT_HTTP_AUTHENTICATION_REALM`.
+ setBasicHttpAuthenticator(DEFAULT_HTTP_AUTHENTICATION_REALM, credentials);
+
+ ACLs acls;
+
+ // This ACL asserts that the principal of `DEFAULT_CREDENTIAL` can GET any
+ // HTTP endpoints that are authorized with the `GetEndpoint` ACL.
+ mesos::ACL::GetEndpoint* acl = acls.add_get_endpoints();
+ acl->mutable_principals()->add_values(DEFAULT_CREDENTIAL.principal());
+ acl->mutable_paths()->set_type(mesos::ACL::Entity::NONE);
+
+ // Create a master.
+ master::Flags masterFlags = CreateMasterFlags();
+ masterFlags.acls = acls;
+
+ Try<Owned<cluster::Master>> master = StartMaster(masterFlags);
+ ASSERT_SOME(master);
+
+ // Get the snapshot.
+ process::UPID upid("metrics", process::address());
+
+ process::Future<process::http::Response> response = process::http::get(
+ upid,
+ "snapshot",
+ None(),
+ createBasicAuthHeaders(DEFAULT_CREDENTIAL));
+
+ AWAIT_EXPECT_RESPONSE_STATUS_EQ(
+ process::http::Forbidden().status, response);
+}
+
+
+// Tests that the `/metrics/snapshot` endpoint will reject unauthorized requests
+// when authentication and authorization are enabled on the agent.
+TEST_F(MetricsTest, AgentAuthorizationEnabled)
+{
+ Credentials credentials;
+ credentials.add_credentials()->CopyFrom(DEFAULT_CREDENTIAL);
+
+ // Create a basic HTTP authenticator with the specified credentials and set it
+ // as the authenticator for `DEFAULT_HTTP_AUTHENTICATION_REALM`.
+ setBasicHttpAuthenticator(DEFAULT_HTTP_AUTHENTICATION_REALM, credentials);
+
+ ACLs acls;
+
+ // This ACL asserts that the principal of `DEFAULT_CREDENTIAL` can GET any
+ // HTTP endpoints that are authorized with the `GetEndpoint` ACL.
+ mesos::ACL::GetEndpoint* acl = acls.add_get_endpoints();
+ acl->mutable_principals()->add_values(DEFAULT_CREDENTIAL.principal());
+ acl->mutable_paths()->set_type(mesos::ACL::Entity::NONE);
+
+ // Create an agent.
+ slave::Flags agentFlags = CreateSlaveFlags();
+ agentFlags.acls = acls;
+
+ Try<Owned<cluster::Master>> master = StartMaster();
+ ASSERT_SOME(master);
+
+ Owned<MasterDetector> detector = master.get()->createDetector();
+ Try<Owned<cluster::Slave>> agent = StartSlave(detector.get(), agentFlags);
+ ASSERT_SOME(agent);
+
+ // Get the snapshot.
+ process::UPID upid("metrics", process::address());
+
+ process::Future<process::http::Response> response = process::http::get(
+ upid,
+ "snapshot",
+ None(),
+ createBasicAuthHeaders(DEFAULT_CREDENTIAL));
+
+ AWAIT_EXPECT_RESPONSE_STATUS_EQ(
+ process::http::Forbidden().status, response);
+}
+
 } // namespace tests {
 } // namespace internal {
 } // namespace mesos {
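Review bot: The comment above the `GetEndpoint` ACL in both new tests says the principal of `DEFAULT_CREDENTIAL` "can GET any HTTP endpoints", but the lines under it set the paths entity to `mesos::ACL::Entity::NONE`, which is what makes the expected status `Forbidden`. I would reword it in both places to `// This ACL denies the principal of DEFAULT_CREDENTIAL GET access to every` / `// HTTP endpoint that is authorized with the GetEndpoint ACL.` so that a reader does not take the NONE rule for an allow rule when copying it. Both tests also cover only the denial path: a companion case whose ACL permits the path and expects `process::http::OK().status` would show that the 403 comes from the ACL and not from authorization rejecting every request. In `AgentAuthorizationEnabled` the master is started without ACLs and the request goes to the shared `metrics` UPID, so a short comment stating that the agent's ACLs are the ones expected to produce the 403 would help.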
