vitess.io/vitess@v0.16.2/go/vt/vtadmin/testutil/authztestgen/config.json (about) 1 { 2 "package": "vtadmin_test", 3 "clusters": [ 4 { 5 "id": "test", 6 "name": "test", 7 "vtctldclient_mock_data": [ 8 { 9 "field": "DeleteShardsResults", 10 "type": "map[string]error", 11 "value": "\"test/-\": nil," 12 }, 13 { 14 "field": "DeleteTabletsResults", 15 "type": "map[string]error", 16 "value": "\"zone1-0000000100\": nil," 17 }, 18 { 19 "field": "EmergencyReparentShardResults", 20 "type": "map[string]struct{\nResponse *vtctldatapb.EmergencyReparentShardResponse\nError error}", 21 "value": "\"test/-\": {\nResponse: &vtctldatapb.EmergencyReparentShardResponse{},\n}," 22 }, 23 { 24 "field": "FindAllShardsInKeyspaceResults", 25 "type": "map[string]struct{\nResponse *vtctldatapb.FindAllShardsInKeyspaceResponse\nError error}", 26 "value": "\"test\": {\nResponse: &vtctldatapb.FindAllShardsInKeyspaceResponse{\nShards: map[string]*vtctldatapb.Shard{\n\"-\": {\nKeyspace: \"test\",\nName: \"-\",\nShard: &topodatapb.Shard{\nKeyRange: &topodatapb.KeyRange{},\nIsPrimaryServing: true,\n},\n},\n},\n},\n}," 27 }, 28 { 29 "field": "GetBackupsResults", 30 "type": "map[string]struct{\nResponse *vtctldatapb.GetBackupsResponse\nError error}", 31 "value": "\"test/-\": {\nResponse: &vtctldatapb.GetBackupsResponse{\nBackups: []*mysqlctlpb.BackupInfo{\n{},\n},\n},\n}," 32 }, 33 { 34 "field": "GetCellInfoNamesResults", 35 "type": "&struct{\nResponse *vtctldatapb.GetCellInfoNamesResponse\nError error}", 36 "value": "Response: &vtctldatapb.GetCellInfoNamesResponse{\nNames: []string{\"zone1\"},\n}," 37 }, 38 { 39 "field": "GetCellsAliasesResults", 40 "type": "&struct{\nResponse *vtctldatapb.GetCellsAliasesResponse\nError error}", 41 "value": "Response: &vtctldatapb.GetCellsAliasesResponse{\nAliases: map[string]*topodatapb.CellsAlias{\n\"zone\": {\nCells: []string{\"zone1\"}},\n},\n}," 42 }, 43 { 44 "field": "GetKeyspaceResults", 45 "type": "map[string]struct{\nResponse *vtctldatapb.GetKeyspaceResponse\nError error}", 46 "value": "\"test\": {\nResponse: &vtctldatapb.GetKeyspaceResponse{\nKeyspace: &vtctldatapb.Keyspace{\nName: \"test\",\nKeyspace: &topodatapb.Keyspace{},\n},\n},\n}," 47 }, 48 { 49 "field": "GetKeyspacesResults", 50 "type": "&struct{\nKeyspaces []*vtctldatapb.Keyspace\nError error}", 51 "value": "Keyspaces: []*vtctldatapb.Keyspace{\n{\nName: \"test\",\nKeyspace: &topodatapb.Keyspace{},\n},\n}," 52 }, 53 { 54 "field": "GetSchemaResults", 55 "type": "map[string]struct{\nResponse *vtctldatapb.GetSchemaResponse\nError error}", 56 "value": "\"zone1-0000000100\": {\nResponse: &vtctldatapb.GetSchemaResponse{\nSchema: &tabletmanagerdatapb.SchemaDefinition{\nTableDefinitions: []*tabletmanagerdatapb.TableDefinition{\n{Name: \"t1\", Schema: \"create table t1 (id int(11) not null primary key);\",},\n{Name: \"t2\"},\n},\n},\n},\n}," 57 }, 58 { 59 "field": "GetSrvVSchemaResults", 60 "type": "map[string]struct{\nResponse *vtctldatapb.GetSrvVSchemaResponse\nError error}", 61 "value": "\"zone1\": {\nResponse: &vtctldatapb.GetSrvVSchemaResponse{\nSrvVSchema: &vschemapb.SrvVSchema{\nKeyspaces: map[string]*vschemapb.Keyspace{\n\"test\": {\nSharded: true,\nVindexes: map[string]*vschemapb.Vindex{\n\"id\": {\nType: \"hash\",\n},\n},\nTables: map[string]*vschemapb.Table{\n\"t1\": {\nColumnVindexes: []*vschemapb.ColumnVindex{\n{\nName: \"id\",\nColumn: \"id\",\n},\n},\n},\n},\n},\n},\n},\n},\n},", 62 "comment": "this structure exists primarily to support the VTExplain test cases; for GetSrvVSchema(s) itself, an empty but non-nil map is sufficient" 63 }, 64 { 65 "field": "GetVSchemaResults", 66 "type": "map[string]struct{\nResponse *vtctldatapb.GetVSchemaResponse\nError error}", 67 "value": "\"test\": {\nResponse: &vtctldatapb.GetVSchemaResponse{\nVSchema: &vschemapb.Keyspace{},\n},\n}," 68 }, 69 { 70 "field": "GetWorkflowsResults", 71 "type": "map[string]struct{\nResponse *vtctldatapb.GetWorkflowsResponse\nError error}", 72 "value": "\"test\": {\nResponse: &vtctldatapb.GetWorkflowsResponse{\nWorkflows: []*vtctldatapb.Workflow{\n{\nName: \"testworkflow\",\n},\n},\n}}," 73 }, 74 { 75 "field": "PingTabletResults", 76 "type": "map[string]error", 77 "value": "\"zone1-0000000100\": nil," 78 }, 79 { 80 "field": "PlannedReparentShardResults", 81 "type": "map[string]struct{\nResponse *vtctldatapb.PlannedReparentShardResponse\nError error}", 82 "value": "\"test/-\": {\nResponse: &vtctldatapb.PlannedReparentShardResponse{},\n}," 83 }, 84 { 85 "field": "RefreshStateResults", 86 "type": "map[string]error", 87 "value": "\"zone1-0000000100\": nil," 88 }, 89 { 90 "field": "ReloadSchemaKeyspaceResults", 91 "type": "map[string]struct{\nResponse *vtctldatapb.ReloadSchemaKeyspaceResponse\nError error\n}", 92 "value": "\"test\": {\nResponse: &vtctldatapb.ReloadSchemaKeyspaceResponse{\nEvents: []*logutilpb.Event{{}, {}, {}}},\n}," 93 }, 94 { 95 "field": "ReparentTabletResults", 96 "type": "map[string]struct{\nResponse *vtctldatapb.ReparentTabletResponse\nError error\n}", 97 "value": "\"zone1-0000000100\": {\nResponse: &vtctldatapb.ReparentTabletResponse{},\n}," 98 }, 99 { 100 "field": "RunHealthCheckResults", 101 "type": "map[string]error", 102 "value": "\"zone1-0000000100\": nil," 103 }, 104 { 105 "field": "SetWritableResults", 106 "type": "map[string]error", 107 "value": "\"zone1-0000000100\": nil," 108 }, 109 { 110 "field": "ShardReplicationPositionsResults", 111 "type": "map[string]struct{\nResponse *vtctldatapb.ShardReplicationPositionsResponse\nError error}", 112 "value": "\"test/-\": {\nResponse: &vtctldatapb.ShardReplicationPositionsResponse{},\n}," 113 }, 114 { 115 "field": "StartReplicationResults", 116 "type": "map[string]error", 117 "value": "\"zone1-0000000100\": nil," 118 }, 119 { 120 "field": "StopReplicationResults", 121 "type": "map[string]error", 122 "value": "\"zone1-0000000100\": nil," 123 }, 124 { 125 "field": "TabletExternallyReparentedResults", 126 "type": "map[string]struct{\nResponse *vtctldatapb.TabletExternallyReparentedResponse\nError error\n}", 127 "value": "\"zone1-0000000100\": {\nResponse: &vtctldatapb.TabletExternallyReparentedResponse{},\n}," 128 }, 129 { 130 "field": "ValidateKeyspaceResults", 131 "type": "map[string]struct{\nResponse *vtctldatapb.ValidateKeyspaceResponse\nError error\n}", 132 "value": "\"test\": {\nResponse: &vtctldatapb.ValidateKeyspaceResponse{},\n}," 133 }, 134 { 135 "field": "ValidateSchemaKeyspaceResults", 136 "type": "map[string]struct{\nResponse *vtctldatapb.ValidateSchemaKeyspaceResponse\nError error\n}", 137 "value": "\"test\": {\nResponse: &vtctldatapb.ValidateSchemaKeyspaceResponse{},\n}," 138 }, 139 { 140 "field": "ValidateVersionKeyspaceResults", 141 "type": "map[string]struct{\nResponse *vtctldatapb.ValidateVersionKeyspaceResponse\nError error\n}", 142 "value": "\"test\": {\nResponse: &vtctldatapb.ValidateVersionKeyspaceResponse{},\n}," 143 } 144 ], 145 "db_tablet_list": [ 146 { 147 "tablet": { 148 "alias": {"cell": "zone1", "uid": 100}, 149 "type": 2, 150 "keyspace": "test" 151 }, 152 "state": 1 153 } 154 ] 155 }, 156 { 157 "id": "other", 158 "name": "other", 159 "vtctldclient_mock_data": [ 160 { 161 "field": "FindAllShardsInKeyspaceResults", 162 "type": "map[string]struct{\nResponse *vtctldatapb.FindAllShardsInKeyspaceResponse\nError error}", 163 "value": "\"otherks\": {\nResponse: &vtctldatapb.FindAllShardsInKeyspaceResponse{\nShards: map[string]*vtctldatapb.Shard{\n\"-\": {\nKeyspace: \"otherks\",\nName: \"-\",\nShard: &topodatapb.Shard{},\n},\n},\n},\n}," 164 }, 165 { 166 "field": "GetBackupsResults", 167 "type": "map[string]struct{\nResponse *vtctldatapb.GetBackupsResponse\nError error}", 168 "value": "\"otherks/-\": {\nResponse: &vtctldatapb.GetBackupsResponse{\nBackups: []*mysqlctlpb.BackupInfo{\n{}, {}, {},\n},\n},\n}," 169 }, 170 { 171 "field": "GetCellInfoNamesResults", 172 "type": "&struct{\nResponse *vtctldatapb.GetCellInfoNamesResponse\nError error}", 173 "value": "Response: &vtctldatapb.GetCellInfoNamesResponse{\nNames: []string{\"other1\"},\n}," 174 }, 175 { 176 "field": "GetCellsAliasesResults", 177 "type": "&struct{\nResponse *vtctldatapb.GetCellsAliasesResponse\nError error}", 178 "value": "Response: &vtctldatapb.GetCellsAliasesResponse{\nAliases: map[string]*topodatapb.CellsAlias{\n\"other\": {\nCells: []string{\"other1\"}},\n},\n}," 179 }, 180 { 181 "field": "GetKeyspacesResults", 182 "type": "&struct{\nKeyspaces []*vtctldatapb.Keyspace\nError error}", 183 "value": "Keyspaces: []*vtctldatapb.Keyspace{\n{\nName: \"otherks\",\nKeyspace: &topodatapb.Keyspace{},\n},\n}," 184 }, 185 { 186 "field": "GetSchemaResults", 187 "type": "map[string]struct{\nResponse *vtctldatapb.GetSchemaResponse\nError error}", 188 "value": "\"other1-0000000100\": {\nResponse: &vtctldatapb.GetSchemaResponse{\nSchema: &tabletmanagerdatapb.SchemaDefinition{\nTableDefinitions: []*tabletmanagerdatapb.TableDefinition{\n{Name: \"t1\"},\n},\n},\n},\n}," 189 }, 190 { 191 "field": "GetSrvVSchemaResults", 192 "type": "map[string]struct{\nResponse *vtctldatapb.GetSrvVSchemaResponse\nError error}", 193 "value": "\"other1\": {\nResponse: &vtctldatapb.GetSrvVSchemaResponse{\nSrvVSchema: &vschemapb.SrvVSchema{},\n},\n}," 194 }, 195 { 196 "field": "GetVSchemaResults", 197 "type": "map[string]struct{\nResponse *vtctldatapb.GetVSchemaResponse\nError error}", 198 "value": "\"otherks\": {\nResponse: &vtctldatapb.GetVSchemaResponse{\nVSchema: &vschemapb.Keyspace{},\n},\n}," 199 }, 200 { 201 "field": "GetWorkflowsResults", 202 "type": "map[string]struct{\nResponse *vtctldatapb.GetWorkflowsResponse\nError error}", 203 "value": "\"otherks\": {\nResponse: &vtctldatapb.GetWorkflowsResponse{\nWorkflows: []*vtctldatapb.Workflow{\n{\nName: \"otherks_workflow\",\n},\n},\n}}," 204 }, 205 { 206 "field": "ShardReplicationPositionsResults", 207 "type": "map[string]struct{\nResponse *vtctldatapb.ShardReplicationPositionsResponse\nError error}", 208 "value": "\"otherks/-\": {\nResponse: &vtctldatapb.ShardReplicationPositionsResponse{},\n}," 209 }, 210 { 211 "field": "ReloadSchemaKeyspaceResults", 212 "type": "map[string]struct{\nResponse *vtctldatapb.ReloadSchemaKeyspaceResponse\nError error\n}", 213 "value": "\"otherks\": {\nResponse: &vtctldatapb.ReloadSchemaKeyspaceResponse{\nEvents: []*logutilpb.Event{{}}},\n}," 214 } 215 ], 216 "db_tablet_list": [ 217 { 218 "tablet": { 219 "alias": {"cell": "other1", "uid": 100}, 220 "keyspace": "otherks" 221 }, 222 "state": 1 223 } 224 ] 225 } 226 ], 227 "tests": [ 228 { 229 "method": "CreateKeyspace", 230 "rules": [ 231 { 232 "resource": "Keyspace", 233 "actions": ["create"], 234 "subjects": ["user:allowed"], 235 "clusters": ["*"] 236 } 237 ], 238 "request": "&vtadminpb.CreateKeyspaceRequest{\nClusterId: \"test\",\nOptions: &vtctldatapb.CreateKeyspaceRequest{\nName: \"test\",\n},\n}", 239 "cases": [ 240 { 241 "name": "unauthorized actor", 242 "actor": {"name": "other"}, 243 "include_error_var": true, 244 "assertions": [ 245 "assert.Error(t, err, $$)", 246 "assert.Nil(t, resp, $$)" 247 ] 248 }, 249 { 250 "name": "authorized actor", 251 "actor": {"name": "allowed"}, 252 "include_error_var": true, 253 "is_permitted": true, 254 "assertions": [ 255 "require.NoError(t, err)", 256 "assert.NotNil(t, resp, $$)" 257 ] 258 } 259 ] 260 }, 261 { 262 "method": "CreateShard", 263 "rules": [ 264 { 265 "resource": "Shard", 266 "actions": ["create"], 267 "subjects": ["user:allowed"], 268 "clusters": ["*"] 269 } 270 ], 271 "request": "&vtadminpb.CreateShardRequest{\nClusterId: \"test\",\nOptions: &vtctldatapb.CreateShardRequest{\nKeyspace: \"test\",\nShardName: \"-\",\n},\n}", 272 "cases": [ 273 { 274 "name": "unauthorized actor", 275 "actor": {"name": "other"}, 276 "include_error_var": true, 277 "assertions": [ 278 "assert.Error(t, err, $$)", 279 "assert.Nil(t, resp, $$)" 280 ] 281 }, 282 { 283 "name": "authorized actor", 284 "actor": {"name": "allowed"}, 285 "include_error_var": true, 286 "is_permitted": true, 287 "assertions": [ 288 "require.NoError(t, err)", 289 "assert.NotNil(t, resp, $$)" 290 ] 291 } 292 ] 293 }, 294 { 295 "method": "DeleteKeyspace", 296 "rules": [ 297 { 298 "resource": "Keyspace", 299 "actions": ["delete"], 300 "subjects": ["user:allowed"], 301 "clusters": ["*"] 302 } 303 ], 304 "request": "&vtadminpb.DeleteKeyspaceRequest{\nClusterId: \"test\",\nOptions: &vtctldatapb.DeleteKeyspaceRequest{\nKeyspace: \"test\",\n},\n}", 305 "cases": [ 306 { 307 "name": "unauthorized actor", 308 "actor": {"name": "other"}, 309 "include_error_var": true, 310 "assertions": [ 311 "assert.Error(t, err, $$)", 312 "assert.Nil(t, resp, $$)" 313 ] 314 }, 315 { 316 "name": "authorized actor", 317 "actor": {"name": "allowed"}, 318 "include_error_var": true, 319 "is_permitted": true, 320 "assertions": [ 321 "require.NoError(t, err)", 322 "assert.NotNil(t, resp, $$)" 323 ] 324 } 325 ] 326 }, 327 { 328 "method": "DeleteShards", 329 "rules": [ 330 { 331 "resource": "Shard", 332 "actions": ["delete"], 333 "subjects": ["user:allowed"], 334 "clusters": ["*"] 335 } 336 ], 337 "request": "&vtadminpb.DeleteShardsRequest{\nClusterId: \"test\",\nOptions: &vtctldatapb.DeleteShardsRequest{\nShards: []*vtctldatapb.Shard{\n{\nKeyspace: \"test\",\nName: \"-\",\n},\n},\n},\n}", 338 "cases": [ 339 { 340 "name": "unauthorized actor", 341 "actor": {"name": "other"}, 342 "include_error_var": true, 343 "assertions": [ 344 "assert.Error(t, err, $$)", 345 "assert.Nil(t, resp, $$)" 346 ] 347 }, 348 { 349 "name": "authorized actor", 350 "actor": {"name": "allowed"}, 351 "include_error_var": true, 352 "is_permitted": true, 353 "assertions": [ 354 "require.NoError(t, err)", 355 "assert.NotNil(t, resp, $$)" 356 ] 357 } 358 ] 359 }, 360 { 361 "method": "DeleteTablet", 362 "rules": [ 363 { 364 "resource": "Tablet", 365 "actions": ["delete"], 366 "subjects": ["user:allowed"], 367 "clusters": ["*"] 368 } 369 ], 370 "request": "&vtadminpb.DeleteTabletRequest{\nClusterIds: []string{\"test\"},\nAlias: &topodatapb.TabletAlias{\nCell: \"zone1\",\nUid: 100,\n},\n}", 371 "cases": [ 372 { 373 "name": "unauthorized actor", 374 "actor": {"name": "other"}, 375 "include_error_var": true, 376 "assertions": [ 377 "assert.Error(t, err, $$)", 378 "assert.Nil(t, resp, $$)" 379 ] 380 }, 381 { 382 "name": "authorized actor", 383 "actor": {"name": "allowed"}, 384 "include_error_var": true, 385 "is_permitted": true, 386 "assertions": [ 387 "require.NoError(t, err)", 388 "assert.NotNil(t, resp, $$)" 389 ] 390 } 391 ] 392 }, 393 { 394 "method": "EmergencyFailoverShard", 395 "rules": [ 396 { 397 "resource": "Shard", 398 "actions": ["emergency_failover_shard"], 399 "subjects": ["user:allowed"], 400 "clusters": ["*"] 401 } 402 ], 403 "request": "&vtadminpb.EmergencyFailoverShardRequest{\nClusterId: \"test\",\nOptions: &vtctldatapb.EmergencyReparentShardRequest{\nKeyspace: \"test\",\nShard: \"-\",\n},\n}", 404 "cases": [ 405 { 406 "name": "unauthorized actor", 407 "actor": {"name": "other"}, 408 "include_error_var": true, 409 "assertions": [ 410 "require.NoError(t, err)", 411 "assert.Nil(t, resp, $$)" 412 ] 413 }, 414 { 415 "name": "authorized actor", 416 "actor": {"name": "allowed"}, 417 "include_error_var": true, 418 "is_permitted": true, 419 "assertions": [ 420 "require.NoError(t, err)", 421 "assert.NotNil(t, resp, $$)" 422 ] 423 } 424 ] 425 }, 426 { 427 "method": "FindSchema", 428 "rules": [ 429 { 430 "resource": "Schema", 431 "actions": ["get"], 432 "subjects": ["user:allowed-all"], 433 "clusters": ["*"] 434 }, 435 { 436 "resource": "Schema", 437 "actions": ["get"], 438 "subjects": ["user:allowed-other"], 439 "clusters": ["other"] 440 } 441 ], 442 "request": "&vtadminpb.FindSchemaRequest{\nTable: \"t1\",\n}", 443 "serialize_cases": true, 444 "cases": [ 445 { 446 "name": "unauthorized actor", 447 "actor": {"name": "unauthorized"}, 448 "is_permitted": false, 449 "include_error_var": true, 450 "assertions": [ 451 "assert.Error(t, err)", 452 "assert.Nil(t, resp, $$)" 453 ] 454 }, 455 { 456 "name": "partial access", 457 "actor": {"name": "allowed-other"}, 458 "is_permitted": true, 459 "assertions": [ 460 "assert.NotEmpty(t, resp, $$)" 461 ] 462 }, 463 { 464 "name": "full access", 465 "comment": "because t1 exists in two clusters, and 'allowed-all' has access to both, FindSchema is ambiguous", 466 "actor": {"name": "allowed-all"}, 467 "is_permitted": true, 468 "include_error_var": true, 469 "assertions": [ 470 "assert.Error(t, err)", 471 "assert.Contains(t, err.Error(), \"multiple schemas found\")", 472 "assert.Nil(t, resp)" 473 ] 474 } 475 ] 476 }, 477 { 478 "method": "GetBackups", 479 "rules": [ 480 { 481 "resource": "Backup", 482 "actions": ["get"], 483 "subjects": ["user:allowed-all"], 484 "clusters": ["*"] 485 }, 486 { 487 "resource": "Backup", 488 "actions": ["get"], 489 "subjects": ["user:allowed-other"], 490 "clusters": ["other"] 491 } 492 ], 493 "request": "&vtadminpb.GetBackupsRequest{}", 494 "cases": [ 495 { 496 "name": "unauthorized actor", 497 "actor": {"name": "unauthorized"}, 498 "is_permitted": false, 499 "include_error_var": true, 500 "assertions": [ 501 "assert.NoError(t, err)", 502 "assert.Empty(t, resp.Backups, $$)" 503 ] 504 }, 505 { 506 "name": "partial access", 507 "actor": {"name": "allowed-other"}, 508 "is_permitted": true, 509 "assertions": [ 510 "assert.NotEmpty(t, resp.Backups, $$)", 511 "assert.Len(t, resp.Backups, 3, \"'other' actor should be able to see the 3 backups in cluster 'other'\")" 512 ] 513 }, 514 { 515 "name": "full access", 516 "actor": {"name": "allowed-all"}, 517 "is_permitted": true, 518 "assertions": [ 519 "assert.NotEmpty(t, resp.Backups, $$)", 520 "assert.Len(t, resp.Backups, 4, \"'all' actor should be able to see backups in all clusters\")" 521 ] 522 } 523 ] 524 }, 525 { 526 "method": "GetCellInfos", 527 "rules": [ 528 { 529 "resource": "CellInfo", 530 "actions": ["get"], 531 "subjects": ["user:allowed-all"], 532 "clusters": ["*"] 533 }, 534 { 535 "resource": "CellInfo", 536 "actions": ["get"], 537 "subjects": ["user:allowed-other"], 538 "clusters": ["other"] 539 } 540 ], 541 "request": "&vtadminpb.GetCellInfosRequest{\nNamesOnly: true,\n}", 542 "cases": [ 543 { 544 "name": "unauthorized actor", 545 "actor": {"name": "unauthorized"}, 546 "is_permitted": false, 547 "include_error_var": true, 548 "assertions": [ 549 "assert.NoError(t, err)", 550 "assert.Empty(t, resp.CellInfos, $$)" 551 ] 552 }, 553 { 554 "name": "partial access", 555 "actor": {"name": "allowed-other"}, 556 "is_permitted": true, 557 "assertions": [ 558 "assert.NotEmpty(t, resp.CellInfos, $$)", 559 "assert.ElementsMatch(t, resp.CellInfos, []*vtadminpb.ClusterCellInfo{{Cluster: &vtadminpb.Cluster{Id: \"other\", Name: \"other\"}, Name: \"other1\"}})" 560 ] 561 }, 562 { 563 "name": "full access", 564 "actor": {"name": "allowed-all"}, 565 "is_permitted": true, 566 "assertions": [ 567 "assert.NotEmpty(t, resp.CellInfos, $$)", 568 "assert.ElementsMatch(t, resp.CellInfos, []*vtadminpb.ClusterCellInfo{{Cluster: &vtadminpb.Cluster{Id: \"test\", Name: \"test\"}, Name: \"zone1\"}, {Cluster: &vtadminpb.Cluster{Id: \"other\", Name: \"other\"}, Name: \"other1\"}})" 569 ] 570 } 571 ] 572 }, 573 { 574 "method": "GetCellsAliases", 575 "rules": [ 576 { 577 "resource": "CellsAlias", 578 "actions": ["get"], 579 "subjects": ["user:allowed-all"], 580 "clusters": ["*"] 581 }, 582 { 583 "resource": "CellsAlias", 584 "actions": ["get"], 585 "subjects": ["user:allowed-other"], 586 "clusters": ["other"] 587 } 588 ], 589 "request": "&vtadminpb.GetCellsAliasesRequest{}", 590 "cases": [ 591 { 592 "name": "unauthorized actor", 593 "actor": {"name": "unauthorized"}, 594 "is_permitted": false, 595 "include_error_var": true, 596 "assertions": [ 597 "assert.NoError(t, err)", 598 "assert.Empty(t, resp.Aliases, $$)" 599 ] 600 }, 601 { 602 "name": "partial access", 603 "actor": {"name": "allowed-other"}, 604 "is_permitted": true, 605 "assertions": [ 606 "assert.NotEmpty(t, resp.Aliases, $$)", 607 "assert.ElementsMatch(t, resp.Aliases, []*vtadminpb.ClusterCellsAliases{{Cluster: &vtadminpb.Cluster{Id: \"other\", Name: \"other\"}, Aliases: map[string]*topodatapb.CellsAlias{\"other\": {Cells: []string{\"other1\"}}}}})" 608 ] 609 }, 610 { 611 "name": "full access", 612 "actor": {"name": "allowed-all"}, 613 "is_permitted": true, 614 "assertions": [ 615 "assert.NotEmpty(t, resp.Aliases, $$)", 616 "assert.ElementsMatch(t, resp.Aliases, []*vtadminpb.ClusterCellsAliases{{Cluster: &vtadminpb.Cluster{Id: \"test\", Name: \"test\"}, Aliases: map[string]*topodatapb.CellsAlias{\"zone\": {Cells: []string{\"zone1\"}}}}, {Cluster: &vtadminpb.Cluster{Id: \"other\", Name: \"other\"}, Aliases: map[string]*topodatapb.CellsAlias{\"other\": {Cells: []string{\"other1\"}}}}})" 617 ] 618 } 619 ] 620 }, 621 { 622 "method": "GetClusters", 623 "rules": [ 624 { 625 "resource": "Cluster", 626 "actions": ["get"], 627 "subjects": ["user:allowed"], 628 "clusters": ["*"] 629 } 630 ], 631 "request": "&vtadminpb.GetClustersRequest{}", 632 "cases": [ 633 { 634 "name": "unauthenticated", 635 "actor": null, 636 "assertions": [ 637 "assert.Empty(t, resp.Clusters, $$)" 638 ] 639 }, 640 { 641 "name": "unauthorized actor", 642 "actor": {"name": "other"}, 643 "assertions": [ 644 "assert.Empty(t, resp.Clusters, $$)" 645 ] 646 }, 647 { 648 "name": "authorized actor", 649 "actor": {"name": "allowed"}, 650 "is_permitted": true, 651 "include_error_var": true, 652 "assertions": [ 653 "require.NoError(t, err)", 654 "assert.NotEmpty(t, resp.Clusters, $$)" 655 ] 656 } 657 ] 658 }, 659 { 660 "method": "GetGates", 661 "rules": [ 662 { 663 "resource": "VTGate", 664 "actions": ["get"], 665 "subjects": ["user:allowed-all"], 666 "clusters": ["*"] 667 }, 668 { 669 "resource": "VTGate", 670 "actions": ["get"], 671 "subjects": ["user:allowed-other"], 672 "clusters": ["other"] 673 } 674 ], 675 "request": "&vtadminpb.GetGatesRequest{}", 676 "serialize_cases": true, 677 "cases": [ 678 { 679 "name": "unauthorized actor", 680 "actor": {"name": "unauthorized"}, 681 "is_permitted": false, 682 "include_error_var": true, 683 "assertions": [ 684 "assert.NoError(t, err)", 685 "assert.Empty(t, resp.Gates, $$)" 686 ] 687 }, 688 { 689 "name": "partial access", 690 "actor": {"name": "allowed-other"}, 691 "is_permitted": true, 692 "assertions": [ 693 "assert.NotEmpty(t, resp.Gates, $$)", 694 "// testutil.BuildCluster creates exactly one gate per cluster", 695 "assert.Len(t, resp.Gates, 1, \"actor %+v should only be able to see VTGate from cluster 'other'\", actor)" 696 ] 697 }, 698 { 699 "name": "full access", 700 "actor": {"name": "allowed-all"}, 701 "is_permitted": true, 702 "assertions": [ 703 "assert.NotEmpty(t, resp.Gates, $$)", 704 "// testutil.BuildCluster creates exactly one gate per cluster", 705 "assert.Len(t, resp.Gates, 2, \"actor %+v should be able to see VTGate from all clusters\", actor)" 706 ] 707 } 708 ] 709 }, 710 { 711 "method": "GetKeyspace", 712 "rules": [ 713 { 714 "resource": "Keyspace", 715 "actions": ["get"], 716 "subjects": ["user:allowed"], 717 "clusters": ["*"] 718 } 719 ], 720 "request": "&vtadminpb.GetKeyspaceRequest{\nClusterId: \"test\",\nKeyspace: \"test\",\n}", 721 "cases": [ 722 { 723 "name": "unauthorized actor", 724 "actor": {"name": "other"}, 725 "include_error_var": true, 726 "assertions": [ 727 "require.NoError(t, err)", 728 "assert.Nil(t, resp, $$)" 729 ] 730 }, 731 { 732 "name": "authorized actor", 733 "actor": {"name": "allowed"}, 734 "include_error_var": true, 735 "is_permitted": true, 736 "assertions": [ 737 "require.NoError(t, err)", 738 "assert.NotNil(t, resp, $$)" 739 ] 740 } 741 ] 742 }, 743 { 744 "method": "GetKeyspaces", 745 "rules": [ 746 { 747 "resource": "Keyspace", 748 "actions": ["get"], 749 "subjects": ["user:allowed-all"], 750 "clusters": ["*"] 751 }, 752 { 753 "resource": "Keyspace", 754 "actions": ["get"], 755 "subjects": ["user:allowed-other"], 756 "clusters": ["other"] 757 } 758 ], 759 "request": "&vtadminpb.GetKeyspacesRequest{}", 760 "cases": [ 761 { 762 "name": "unauthorized actor", 763 "actor": {"name": "unauthorized"}, 764 "is_permitted": false, 765 "include_error_var": true, 766 "assertions": [ 767 "assert.NoError(t, err)", 768 "assert.Empty(t, resp.Keyspaces, $$)" 769 ] 770 }, 771 { 772 "name": "partial access", 773 "actor": {"name": "allowed-other"}, 774 "is_permitted": true, 775 "assertions": [ 776 "assert.NotEmpty(t, resp.Keyspaces, $$)", 777 "ksMap := map[string][]string{}", 778 "for _, ks := range resp.Keyspaces {", 779 "if _, ok := ksMap[ks.Cluster.Id]; !ok {\n ksMap[ks.Cluster.Id] = []string{}\n}", 780 "ksMap[ks.Cluster.Id] = append(ksMap[ks.Cluster.Id], ks.Keyspace.Name)", 781 "}", 782 "assert.Equal(t, ksMap, map[string][]string{\"other\": {\"otherks\"}}, $$)" 783 ] 784 }, 785 { 786 "name": "full access", 787 "actor": {"name": "allowed-all"}, 788 "is_permitted": true, 789 "assertions": [ 790 "assert.NotEmpty(t, resp.Keyspaces, $$)", 791 "ksMap := map[string][]string{}", 792 "for _, ks := range resp.Keyspaces {", 793 "if _, ok := ksMap[ks.Cluster.Id]; !ok {\n ksMap[ks.Cluster.Id] = []string{}\n}", 794 "ksMap[ks.Cluster.Id] = append(ksMap[ks.Cluster.Id], ks.Keyspace.Name)", 795 "}", 796 "assert.Equal(t, ksMap, map[string][]string{\"test\": {\"test\"}, \"other\": {\"otherks\"}}, $$)" 797 ] 798 } 799 ] 800 }, 801 { 802 "method": "GetSchema", 803 "rules": [ 804 { 805 "resource": "Schema", 806 "actions": ["get"], 807 "subjects": ["user:allowed"], 808 "clusters": ["*"] 809 } 810 ], 811 "request": "&vtadminpb.GetSchemaRequest{\nClusterId: \"test\",\nKeyspace: \"test\",\nTable: \"t1\",\n}", 812 "serialize_cases": true, 813 "cases": [ 814 { 815 "name": "unauthorized actor", 816 "actor": {"name": "other"}, 817 "include_error_var": true, 818 "assertions": [ 819 "require.NoError(t, err)", 820 "assert.Nil(t, resp, $$)" 821 ] 822 }, 823 { 824 "name": "authorized actor", 825 "actor": {"name": "allowed"}, 826 "include_error_var": true, 827 "is_permitted": true, 828 "assertions": [ 829 "require.NoError(t, err)", 830 "assert.NotNil(t, resp, $$)" 831 ] 832 } 833 ] 834 }, 835 { 836 "method": "GetSchemas", 837 "rules": [ 838 { 839 "resource": "Schema", 840 "actions": ["get"], 841 "subjects": ["user:allowed-all"], 842 "clusters": ["*"] 843 }, 844 { 845 "resource": "Schema", 846 "actions": ["get"], 847 "subjects": ["user:allowed-other"], 848 "clusters": ["other"] 849 } 850 ], 851 "request": "&vtadminpb.GetSchemasRequest{}", 852 "serialize_cases": true, 853 "cases": [ 854 { 855 "name": "unauthorized actor", 856 "actor": {"name": "unauthorized"}, 857 "is_permitted": false, 858 "include_error_var": true, 859 "assertions": [ 860 "assert.NoError(t, err)", 861 "assert.Empty(t, resp.Schemas, $$)" 862 ] 863 }, 864 { 865 "name": "partial access", 866 "actor": {"name": "allowed-other"}, 867 "is_permitted": true, 868 "assertions": [ 869 "assert.NotEmpty(t, resp.Schemas, $$)", 870 "schemaMap := map[string][]string{}", 871 "for _, schema := range resp.Schemas {", 872 "if _, ok := schemaMap[schema.Cluster.Id]; !ok {\n schemaMap[schema.Cluster.Id] = []string{}\n}", 873 "schemaMap[schema.Cluster.Id] = append(schemaMap[schema.Cluster.Id], schema.Keyspace)", 874 "}", 875 "assert.Equal(t, schemaMap, map[string][]string{\"other\": {\"otherks\"}}, $$)" 876 ] 877 }, 878 { 879 "name": "full access", 880 "actor": {"name": "allowed-all"}, 881 "is_permitted": true, 882 "assertions": [ 883 "assert.NotEmpty(t, resp.Schemas, $$)", 884 "schemaMap := map[string][]string{}", 885 "for _, schema := range resp.Schemas {", 886 "if _, ok := schemaMap[schema.Cluster.Id]; !ok {\n schemaMap[schema.Cluster.Id] = []string{}\n}", 887 "schemaMap[schema.Cluster.Id] = append(schemaMap[schema.Cluster.Id], schema.Keyspace)", 888 "}", 889 "assert.Equal(t, schemaMap, map[string][]string{\"test\": {\"test\"}, \"other\": {\"otherks\"}}, $$)" 890 ] 891 } 892 ] 893 }, 894 { 895 "method": "GetShardReplicationPositions", 896 "rules": [ 897 { 898 "resource": "ShardReplicationPosition", 899 "actions": ["get"], 900 "subjects": ["user:allowed-all"], 901 "clusters": ["*"] 902 }, 903 { 904 "resource": "ShardReplicationPosition", 905 "actions": ["get"], 906 "subjects": ["user:allowed-other"], 907 "clusters": ["other"] 908 } 909 ], 910 "request": "&vtadminpb.GetShardReplicationPositionsRequest{}", 911 "cases": [ 912 { 913 "name": "unauthorized actor", 914 "actor": {"name": "unauthorized"}, 915 "is_permitted": false, 916 "include_error_var": true, 917 "assertions": [ 918 "assert.NoError(t, err)", 919 "assert.Empty(t, resp.ReplicationPositions, $$)" 920 ] 921 }, 922 { 923 "name": "partial access", 924 "actor": {"name": "allowed-other"}, 925 "is_permitted": true, 926 "assertions": [ 927 "assert.NotEmpty(t, resp.ReplicationPositions, $$)", 928 "posMap := map[string][]string{}", 929 "for _, pos := range resp.ReplicationPositions {", 930 "if _, ok := posMap[pos.Cluster.Id]; !ok {\n posMap[pos.Cluster.Id] = []string{}\n}", 931 "posMap[pos.Cluster.Id] = append(posMap[pos.Cluster.Id], fmt.Sprintf(\"%s/%s\", pos.Keyspace, pos.Shard))", 932 "}", 933 "assert.Equal(t, posMap, map[string][]string{\"other\": {\"otherks/-\"}}, $$)" 934 ] 935 }, 936 { 937 "name": "full access", 938 "actor": {"name": "allowed-all"}, 939 "is_permitted": true, 940 "assertions": [ 941 "assert.NotEmpty(t, resp.ReplicationPositions, $$)", 942 "posMap := map[string][]string{}", 943 "for _, pos := range resp.ReplicationPositions {", 944 "if _, ok := posMap[pos.Cluster.Id]; !ok {\n posMap[pos.Cluster.Id] = []string{}\n}", 945 "posMap[pos.Cluster.Id] = append(posMap[pos.Cluster.Id], fmt.Sprintf(\"%s/%s\", pos.Keyspace, pos.Shard))", 946 "}", 947 "assert.Equal(t, posMap, map[string][]string{\"test\": {\"test/-\"}, \"other\": {\"otherks/-\"}}, $$)" 948 ] 949 } 950 ] 951 }, 952 { 953 "method": "GetSrvVSchema", 954 "rules": [ 955 { 956 "resource": "SrvVSchema", 957 "actions": ["get"], 958 "subjects": ["user:allowed"], 959 "clusters": ["*"] 960 } 961 ], 962 "request": "&vtadminpb.GetSrvVSchemaRequest{\nClusterId: \"test\",\nCell: \"zone1\",\n}", 963 "cases": [ 964 { 965 "name": "unauthorized actor", 966 "actor": {"name": "other"}, 967 "include_error_var": true, 968 "assertions": [ 969 "require.NoError(t, err)", 970 "assert.Nil(t, resp, $$)" 971 ] 972 }, 973 { 974 "name": "authorized actor", 975 "actor": {"name": "allowed"}, 976 "include_error_var": true, 977 "is_permitted": true, 978 "assertions": [ 979 "require.NoError(t, err)", 980 "assert.NotNil(t, resp, $$)" 981 ] 982 } 983 ] 984 }, 985 { 986 "method": "GetSrvVSchemas", 987 "rules": [ 988 { 989 "resource": "SrvVSchema", 990 "actions": ["get"], 991 "subjects": ["user:allowed-all"], 992 "clusters": ["*"] 993 }, 994 { 995 "resource": "SrvVSchema", 996 "actions": ["get"], 997 "subjects": ["user:allowed-other"], 998 "clusters": ["other"] 999 } 1000 ], 1001 "request": "&vtadminpb.GetSrvVSchemasRequest{}", 1002 "cases": [ 1003 { 1004 "name": "unauthorized actor", 1005 "actor": {"name": "unauthorized"}, 1006 "include_error_var": true, 1007 "assertions": [ 1008 "require.NoError(t, err)", 1009 "assert.Nil(t, resp.SrvVSchemas, $$)" 1010 ] 1011 }, 1012 { 1013 "name": "partial access", 1014 "actor": {"name": "allowed-other"}, 1015 "is_permitted": true, 1016 "assertions": [ 1017 "assert.NotEmpty(t, resp.SrvVSchemas, $$)", 1018 "clusterCells := map[string][]string{}", 1019 "for _, svs := range resp.SrvVSchemas {", 1020 "if _, ok := clusterCells[svs.Cluster.Id]; !ok {\nclusterCells[svs.Cluster.Id] = []string{}\n}", 1021 "clusterCells[svs.Cluster.Id] = append(clusterCells[svs.Cluster.Id], svs.Cell)", 1022 "}", 1023 "assert.Equal(t, clusterCells, map[string][]string{\"other\": {\"other1\"}}, $$)" 1024 ] 1025 }, 1026 { 1027 "name": "full access", 1028 "actor": {"name": "allowed-all"}, 1029 "is_permitted": true, 1030 "assertions": [ 1031 "assert.NotEmpty(t, resp.SrvVSchemas, $$)", 1032 "clusterCells := map[string][]string{}", 1033 "for _, svs := range resp.SrvVSchemas {", 1034 "if _, ok := clusterCells[svs.Cluster.Id]; !ok {\nclusterCells[svs.Cluster.Id] = []string{}\n}", 1035 "clusterCells[svs.Cluster.Id] = append(clusterCells[svs.Cluster.Id], svs.Cell)", 1036 "}", 1037 "assert.Equal(t, clusterCells, map[string][]string{\"test\": {\"zone1\"}, \"other\": {\"other1\"}}, $$)" 1038 ] 1039 } 1040 ] 1041 }, 1042 { 1043 "method": "GetTablet", 1044 "rules": [ 1045 { 1046 "resource": "Tablet", 1047 "actions": ["get"], 1048 "subjects": ["user:allowed"], 1049 "clusters": ["*"] 1050 } 1051 ], 1052 "request": "&vtadminpb.GetTabletRequest{\nAlias: &topodatapb.TabletAlias{\nCell: \"zone1\",\nUid: 100,\n},\n}", 1053 "cases": [ 1054 { 1055 "name": "unauthorized actor", 1056 "actor": {"name": "other"}, 1057 "include_error_var": true, 1058 "assertions": [ 1059 "assert.Error(t, err, $$)", 1060 "assert.Nil(t, resp, $$)" 1061 ] 1062 }, 1063 { 1064 "name": "authorized actor", 1065 "actor": {"name": "allowed"}, 1066 "include_error_var": true, 1067 "is_permitted": true, 1068 "assertions": [ 1069 "require.NoError(t, err)", 1070 "assert.NotNil(t, resp, $$)" 1071 ] 1072 } 1073 ] 1074 }, 1075 { 1076 "method": "GetTablets", 1077 "rules": [ 1078 { 1079 "resource": "Tablet", 1080 "actions": ["get"], 1081 "subjects": ["user:allowed-all"], 1082 "clusters": ["*"] 1083 }, 1084 { 1085 "resource": "Tablet", 1086 "actions": ["get"], 1087 "subjects": ["user:allowed-other"], 1088 "clusters": ["other"] 1089 } 1090 ], 1091 "request": "&vtadminpb.GetTabletsRequest{}", 1092 "cases": [ 1093 { 1094 "name": "unauthorized actor", 1095 "actor": {"name": "unauthorized"}, 1096 "include_error_var": true, 1097 "assertions": [ 1098 "require.NoError(t, err)", 1099 "assert.Nil(t, resp.Tablets, $$)" 1100 ] 1101 }, 1102 { 1103 "name": "partial access", 1104 "actor": {"name": "allowed-other"}, 1105 "is_permitted": true, 1106 "assertions": [ 1107 "assert.NotEmpty(t, resp.Tablets, $$)", 1108 "clusterAliases := map[string][]string{}", 1109 "for _, tablet := range resp.Tablets {", 1110 "if _, ok := clusterAliases[tablet.Cluster.Id]; !ok {\nclusterAliases[tablet.Cluster.Id] = []string{}\n}", 1111 "clusterAliases[tablet.Cluster.Id] = append(clusterAliases[tablet.Cluster.Id], topoproto.TabletAliasString(tablet.Tablet.Alias))", 1112 "}", 1113 "assert.Equal(t, clusterAliases, map[string][]string{\"other\": {\"other1-0000000100\"}}, $$)" 1114 ] 1115 }, 1116 { 1117 "name": "full access", 1118 "actor": {"name": "allowed-all"}, 1119 "is_permitted": true, 1120 "assertions": [ 1121 "assert.NotEmpty(t, resp.Tablets, $$)", 1122 "clusterAliases := map[string][]string{}", 1123 "for _, tablet := range resp.Tablets {", 1124 "if _, ok := clusterAliases[tablet.Cluster.Id]; !ok {\nclusterAliases[tablet.Cluster.Id] = []string{}\n}", 1125 "clusterAliases[tablet.Cluster.Id] = append(clusterAliases[tablet.Cluster.Id], topoproto.TabletAliasString(tablet.Tablet.Alias))", 1126 "}", 1127 "assert.Equal(t, clusterAliases, map[string][]string{\"test\": {\"zone1-0000000100\"}, \"other\": {\"other1-0000000100\"}}, $$)" 1128 ] 1129 } 1130 ] 1131 }, 1132 { 1133 "method": "GetVSchema", 1134 "rules": [ 1135 { 1136 "resource": "VSchema", 1137 "actions": ["get"], 1138 "subjects": ["user:allowed"], 1139 "clusters": ["*"] 1140 } 1141 ], 1142 "request": "&vtadminpb.GetVSchemaRequest{\nClusterId: \"test\",\nKeyspace: \"test\",\n}", 1143 "cases": [ 1144 { 1145 "name": "unauthorized actor", 1146 "actor": {"name": "other"}, 1147 "include_error_var": true, 1148 "assertions": [ 1149 "require.NoError(t, err)", 1150 "assert.Nil(t, resp, $$)" 1151 ] 1152 }, 1153 { 1154 "name": "authorized actor", 1155 "actor": {"name": "allowed"}, 1156 "include_error_var": true, 1157 "is_permitted": true, 1158 "assertions": [ 1159 "require.NoError(t, err)", 1160 "assert.NotNil(t, resp, $$)" 1161 ] 1162 } 1163 ] 1164 }, 1165 { 1166 "method": "GetVSchemas", 1167 "rules": [ 1168 { 1169 "resource": "VSchema", 1170 "actions": ["get"], 1171 "subjects": ["user:allowed-all"], 1172 "clusters": ["*"] 1173 }, 1174 { 1175 "resource": "VSchema", 1176 "actions": ["get"], 1177 "subjects": ["user:allowed-other"], 1178 "clusters": ["other"] 1179 } 1180 ], 1181 "request": "&vtadminpb.GetVSchemasRequest{}", 1182 "cases": [ 1183 { 1184 "name": "unauthorized actor", 1185 "actor": {"name": "unauthorized"}, 1186 "include_error_var": true, 1187 "assertions": [ 1188 "require.NoError(t, err)", 1189 "assert.Nil(t, resp.VSchemas, $$)" 1190 ] 1191 }, 1192 { 1193 "name": "partial access", 1194 "actor": {"name": "allowed-other"}, 1195 "is_permitted": true, 1196 "assertions": [ 1197 "assert.NotEmpty(t, resp.VSchemas, $$)", 1198 "clusterKeyspaces := map[string][]string{}", 1199 "for _, vs := range resp.VSchemas {", 1200 "if _, ok := clusterKeyspaces[vs.Cluster.Id]; !ok {\nclusterKeyspaces[vs.Cluster.Id] = []string{}\n}", 1201 "clusterKeyspaces[vs.Cluster.Id] = append(clusterKeyspaces[vs.Cluster.Id], vs.Name)", 1202 "}", 1203 "assert.Equal(t, clusterKeyspaces, map[string][]string{\"other\": {\"otherks\"}}, $$)" 1204 ] 1205 }, 1206 { 1207 "name": "full access", 1208 "actor": {"name": "allowed-all"}, 1209 "is_permitted": true, 1210 "assertions": [ 1211 "assert.NotEmpty(t, resp.VSchemas, $$)", 1212 "clusterKeyspaces := map[string][]string{}", 1213 "for _, vs := range resp.VSchemas {", 1214 "if _, ok := clusterKeyspaces[vs.Cluster.Id]; !ok {\nclusterKeyspaces[vs.Cluster.Id] = []string{}\n}", 1215 "clusterKeyspaces[vs.Cluster.Id] = append(clusterKeyspaces[vs.Cluster.Id], vs.Name)", 1216 "}", 1217 "assert.Equal(t, clusterKeyspaces, map[string][]string{\"test\": {\"test\"}, \"other\": {\"otherks\"}}, $$)" 1218 ] 1219 } 1220 ] 1221 }, 1222 { 1223 "method": "GetVtctlds", 1224 "rules": [ 1225 { 1226 "resource": "Vtctld", 1227 "actions": ["get"], 1228 "subjects": ["user:allowed-all"], 1229 "clusters": ["*"] 1230 }, 1231 { 1232 "resource": "Vtctld", 1233 "actions": ["get"], 1234 "subjects": ["user:allowed-other"], 1235 "clusters": ["other"] 1236 } 1237 ], 1238 "request": "&vtadminpb.GetVtctldsRequest{}", 1239 "serialize_cases": true, 1240 "cases": [ 1241 { 1242 "name": "unauthorized actor", 1243 "actor": {"name": "unauthorized"}, 1244 "is_permitted": false, 1245 "include_error_var": true, 1246 "assertions": [ 1247 "assert.NoError(t, err)", 1248 "assert.Empty(t, resp.Vtctlds, $$)" 1249 ] 1250 }, 1251 { 1252 "name": "partial access", 1253 "actor": {"name": "allowed-other"}, 1254 "is_permitted": true, 1255 "assertions": [ 1256 "assert.NotEmpty(t, resp.Vtctlds, $$)", 1257 "// testutil.BuildCluster creates exactly one gate per cluster", 1258 "assert.Len(t, resp.Vtctlds, 1, \"actor %+v should only be able to see Vtctld from cluster 'other'\", actor)" 1259 ] 1260 }, 1261 { 1262 "name": "full access", 1263 "actor": {"name": "allowed-all"}, 1264 "is_permitted": true, 1265 "assertions": [ 1266 "assert.NotEmpty(t, resp.Vtctlds, $$)", 1267 "// testutil.BuildCluster creates exactly one gate per cluster", 1268 "assert.Len(t, resp.Vtctlds, 2, \"actor %+v should be able to see Vtctld from all clusters\", actor)" 1269 ] 1270 } 1271 ] 1272 }, 1273 { 1274 "method": "GetWorkflow", 1275 "rules": [ 1276 { 1277 "resource": "Workflow", 1278 "actions": ["get"], 1279 "subjects": ["user:allowed"], 1280 "clusters": ["*"] 1281 } 1282 ], 1283 "request": "&vtadminpb.GetWorkflowRequest{\nClusterId: \"test\",\nKeyspace: \"test\",\nName: \"testworkflow\",\n}", 1284 "cases": [ 1285 { 1286 "name": "unauthorized actor", 1287 "actor": {"name": "other"}, 1288 "include_error_var": true, 1289 "assertions": [ 1290 "require.NoError(t, err)", 1291 "assert.Nil(t, resp, $$)" 1292 ] 1293 }, 1294 { 1295 "name": "authorized actor", 1296 "actor": {"name": "allowed"}, 1297 "include_error_var": true, 1298 "is_permitted": true, 1299 "assertions": [ 1300 "require.NoError(t, err)", 1301 "assert.NotNil(t, resp, $$)" 1302 ] 1303 } 1304 ] 1305 }, 1306 { 1307 "method": "GetWorkflows", 1308 "rules": [ 1309 { 1310 "resource": "Workflow", 1311 "actions": ["get"], 1312 "subjects": ["user:allowed-all"], 1313 "clusters": ["*"] 1314 }, 1315 { 1316 "resource": "Workflow", 1317 "actions": ["get"], 1318 "subjects": ["user:allowed-other"], 1319 "clusters": ["other"] 1320 } 1321 ], 1322 "request": "&vtadminpb.GetWorkflowsRequest{}", 1323 "cases": [ 1324 { 1325 "name": "unauthorized actor", 1326 "actor": {"name": "unauthorized"}, 1327 "include_error_var": true, 1328 "assertions": [ 1329 "require.NoError(t, err)", 1330 "assert.Empty(t, resp.WorkflowsByCluster, $$)" 1331 ] 1332 }, 1333 { 1334 "name": "partial access", 1335 "actor": {"name": "allowed-other"}, 1336 "is_permitted": true, 1337 "assertions": [ 1338 "assert.NotEmpty(t, resp.WorkflowsByCluster, $$)", 1339 "assert.Equal(t, resp.WorkflowsByCluster, map[string]*vtadminpb.ClusterWorkflows{\"other\": {Workflows: []*vtadminpb.Workflow{{Cluster: &vtadminpb.Cluster{Id: \"other\", Name: \"other\"}, Keyspace: \"otherks\", Workflow: &vtctldatapb.Workflow{Name: \"otherks_workflow\"}}}}}, $$)" 1340 ] 1341 }, 1342 { 1343 "name": "full access", 1344 "actor": {"name": "allowed-all"}, 1345 "is_permitted": true, 1346 "assertions": [ 1347 "assert.NotEmpty(t, resp.WorkflowsByCluster, $$)", 1348 "assert.Equal(t, resp.WorkflowsByCluster, map[string]*vtadminpb.ClusterWorkflows{\"test\": {Workflows: []*vtadminpb.Workflow{{Cluster: &vtadminpb.Cluster{Id: \"test\", Name: \"test\"}, Keyspace: \"test\", Workflow: &vtctldatapb.Workflow{Name: \"testworkflow\"}}}}, \"other\": {Workflows: []*vtadminpb.Workflow{{Cluster: &vtadminpb.Cluster{Id: \"other\", Name: \"other\"}, Keyspace: \"otherks\", Workflow: &vtctldatapb.Workflow{Name: \"otherks_workflow\"}}}}}, $$)" 1349 ] 1350 } 1351 ] 1352 }, 1353 { 1354 "method": "PingTablet", 1355 "rules": [ 1356 { 1357 "resource": "Tablet", 1358 "actions": ["ping"], 1359 "subjects": ["user:allowed"], 1360 "clusters": ["*"] 1361 } 1362 ], 1363 "request": "&vtadminpb.PingTabletRequest{\nAlias: &topodatapb.TabletAlias{\nCell: \"zone1\",\nUid: 100,\n},\n}", 1364 "cases": [ 1365 { 1366 "name": "unauthorized actor", 1367 "actor": {"name": "other"}, 1368 "include_error_var": true, 1369 "assertions": [ 1370 "assert.Error(t, err, $$)", 1371 "assert.Nil(t, resp, $$)" 1372 ] 1373 }, 1374 { 1375 "name": "authorized actor", 1376 "actor": {"name": "allowed"}, 1377 "include_error_var": true, 1378 "is_permitted": true, 1379 "assertions": [ 1380 "require.NoError(t, err)", 1381 "assert.NotNil(t, resp, $$)" 1382 ] 1383 } 1384 ] 1385 }, 1386 { 1387 "method": "PlannedFailoverShard", 1388 "rules": [ 1389 { 1390 "resource": "Shard", 1391 "actions": ["planned_failover_shard"], 1392 "subjects": ["user:allowed"], 1393 "clusters": ["*"] 1394 } 1395 ], 1396 "request": "&vtadminpb.PlannedFailoverShardRequest{\nClusterId: \"test\",\nOptions: &vtctldatapb.PlannedReparentShardRequest{\nKeyspace: \"test\",\nShard: \"-\",\n},\n}", 1397 "cases": [ 1398 { 1399 "name": "unauthorized actor", 1400 "actor": {"name": "other"}, 1401 "include_error_var": true, 1402 "assertions": [ 1403 "require.NoError(t, err)", 1404 "assert.Nil(t, resp, $$)" 1405 ] 1406 }, 1407 { 1408 "name": "authorized actor", 1409 "actor": {"name": "allowed"}, 1410 "include_error_var": true, 1411 "is_permitted": true, 1412 "assertions": [ 1413 "require.NoError(t, err)", 1414 "assert.NotNil(t, resp, $$)" 1415 ] 1416 } 1417 ] 1418 }, 1419 { 1420 "method": "RefreshState", 1421 "rules": [ 1422 { 1423 "resource": "Tablet", 1424 "actions": ["put"], 1425 "subjects": ["user:allowed"], 1426 "clusters": ["*"] 1427 } 1428 ], 1429 "request": "&vtadminpb.RefreshStateRequest{\nAlias: &topodatapb.TabletAlias{\nCell: \"zone1\",\nUid: 100,\n},\n}", 1430 "cases": [ 1431 { 1432 "name": "unauthorized actor", 1433 "actor": {"name": "other"}, 1434 "include_error_var": true, 1435 "assertions": [ 1436 "assert.Error(t, err, $$)", 1437 "assert.Nil(t, resp, $$)" 1438 ] 1439 }, 1440 { 1441 "name": "authorized actor", 1442 "actor": {"name": "allowed"}, 1443 "include_error_var": true, 1444 "is_permitted": true, 1445 "assertions": [ 1446 "require.NoError(t, err)", 1447 "assert.NotNil(t, resp, $$)" 1448 ] 1449 } 1450 ] 1451 }, 1452 { 1453 "method": "RefreshTabletReplicationSource", 1454 "rules": [ 1455 { 1456 "resource": "Tablet", 1457 "actions": ["refresh_tablet_replication_source"], 1458 "subjects": ["user:allowed"], 1459 "clusters": ["*"] 1460 } 1461 ], 1462 "request": "&vtadminpb.RefreshTabletReplicationSourceRequest{\nAlias: &topodatapb.TabletAlias{\nCell: \"zone1\",\nUid: 100,\n},\n}", 1463 "cases": [ 1464 { 1465 "name": "unauthorized actor", 1466 "actor": {"name": "other"}, 1467 "include_error_var": true, 1468 "assertions": [ 1469 "assert.Error(t, err, $$)", 1470 "assert.Nil(t, resp, $$)" 1471 ] 1472 }, 1473 { 1474 "name": "authorized actor", 1475 "actor": {"name": "allowed"}, 1476 "include_error_var": true, 1477 "is_permitted": true, 1478 "assertions": [ 1479 "require.NoError(t, err)", 1480 "assert.NotNil(t, resp, $$)" 1481 ] 1482 } 1483 ] 1484 }, 1485 { 1486 "method": "ReloadSchemas", 1487 "rules": [ 1488 { 1489 "resource": "Schema", 1490 "actions": ["reload"], 1491 "subjects": ["user:allowed-all"], 1492 "clusters": ["*"] 1493 }, 1494 { 1495 "resource": "Schema", 1496 "actions": ["reload"], 1497 "subjects": ["user:allowed-other"], 1498 "clusters": ["other"] 1499 } 1500 ], 1501 "request": "&vtadminpb.ReloadSchemasRequest{\nKeyspaces: []string{\n\"test\",\n\"otherks\",\n},\n}", 1502 "cases": [ 1503 { 1504 "name": "unauthorized actor", 1505 "actor": {"name": "unauthorized"}, 1506 "include_error_var": true, 1507 "assertions": [ 1508 "require.NoError(t, err)", 1509 "assert.Empty(t, resp.KeyspaceResults, $$)" 1510 ] 1511 }, 1512 { 1513 "name": "partial access", 1514 "actor": {"name": "allowed-other"}, 1515 "is_permitted": true, 1516 "assertions": [ 1517 "assert.NotEmpty(t, resp.KeyspaceResults, $$)" 1518 ] 1519 }, 1520 { 1521 "name": "full access", 1522 "actor": {"name": "allowed-all"}, 1523 "is_permitted": true, 1524 "assertions": [ 1525 "assert.NotEmpty(t, resp.KeyspaceResults, $$)" 1526 ] 1527 } 1528 ] 1529 }, 1530 { 1531 "method": "RunHealthCheck", 1532 "rules": [ 1533 { 1534 "resource": "Tablet", 1535 "actions": ["get"], 1536 "subjects": ["user:allowed"], 1537 "clusters": ["*"] 1538 } 1539 ], 1540 "request": "&vtadminpb.RunHealthCheckRequest{\nAlias: &topodatapb.TabletAlias{\nCell: \"zone1\",\nUid: 100,\n},\n}", 1541 "cases": [ 1542 { 1543 "name": "unauthorized actor", 1544 "actor": {"name": "other"}, 1545 "include_error_var": true, 1546 "assertions": [ 1547 "assert.Error(t, err, $$)", 1548 "assert.Nil(t, resp, $$)" 1549 ] 1550 }, 1551 { 1552 "name": "authorized actor", 1553 "actor": {"name": "allowed"}, 1554 "include_error_var": true, 1555 "is_permitted": true, 1556 "assertions": [ 1557 "require.NoError(t, err)", 1558 "assert.NotNil(t, resp, $$)" 1559 ] 1560 } 1561 ] 1562 }, 1563 { 1564 "method": "SetReadOnly", 1565 "rules": [ 1566 { 1567 "resource": "Tablet", 1568 "actions": ["manage_tablet_writability"], 1569 "subjects": ["user:allowed"], 1570 "clusters": ["*"] 1571 } 1572 ], 1573 "request": "&vtadminpb.SetReadOnlyRequest{\nAlias: &topodatapb.TabletAlias{\nCell: \"zone1\",\nUid: 100,\n},\n}", 1574 "cases": [ 1575 { 1576 "name": "unauthorized actor", 1577 "actor": {"name": "other"}, 1578 "include_error_var": true, 1579 "assertions": [ 1580 "assert.Error(t, err, $$)", 1581 "assert.Nil(t, resp, $$)" 1582 ] 1583 }, 1584 { 1585 "name": "authorized actor", 1586 "actor": {"name": "allowed"}, 1587 "include_error_var": true, 1588 "is_permitted": true, 1589 "assertions": [ 1590 "require.NoError(t, err)", 1591 "assert.NotNil(t, resp, $$)" 1592 ] 1593 } 1594 ] 1595 }, 1596 { 1597 "method": "SetReadWrite", 1598 "rules": [ 1599 { 1600 "resource": "Tablet", 1601 "actions": ["manage_tablet_writability"], 1602 "subjects": ["user:allowed"], 1603 "clusters": ["*"] 1604 } 1605 ], 1606 "request": "&vtadminpb.SetReadWriteRequest{\nAlias: &topodatapb.TabletAlias{\nCell: \"zone1\",\nUid: 100,\n},\n}", 1607 "cases": [ 1608 { 1609 "name": "unauthorized actor", 1610 "actor": {"name": "other"}, 1611 "include_error_var": true, 1612 "assertions": [ 1613 "assert.Error(t, err, $$)", 1614 "assert.Nil(t, resp, $$)" 1615 ] 1616 }, 1617 { 1618 "name": "authorized actor", 1619 "actor": {"name": "allowed"}, 1620 "include_error_var": true, 1621 "is_permitted": true, 1622 "assertions": [ 1623 "require.NoError(t, err)", 1624 "assert.NotNil(t, resp, $$)" 1625 ] 1626 } 1627 ] 1628 }, 1629 { 1630 "method": "StartReplication", 1631 "rules": [ 1632 { 1633 "resource": "Tablet", 1634 "actions": ["manage_tablet_replication"], 1635 "subjects": ["user:allowed"], 1636 "clusters": ["*"] 1637 } 1638 ], 1639 "request": "&vtadminpb.StartReplicationRequest{\nAlias: &topodatapb.TabletAlias{\nCell: \"zone1\",\nUid: 100,\n},\n}", 1640 "cases": [ 1641 { 1642 "name": "unauthorized actor", 1643 "actor": {"name": "other"}, 1644 "include_error_var": true, 1645 "assertions": [ 1646 "assert.Error(t, err, $$)", 1647 "assert.Nil(t, resp, $$)" 1648 ] 1649 }, 1650 { 1651 "name": "authorized actor", 1652 "actor": {"name": "allowed"}, 1653 "include_error_var": true, 1654 "is_permitted": true, 1655 "assertions": [ 1656 "require.NoError(t, err)", 1657 "assert.NotNil(t, resp, $$)" 1658 ] 1659 } 1660 ] 1661 }, 1662 { 1663 "method": "StopReplication", 1664 "rules": [ 1665 { 1666 "resource": "Tablet", 1667 "actions": ["manage_tablet_replication"], 1668 "subjects": ["user:allowed"], 1669 "clusters": ["*"] 1670 } 1671 ], 1672 "request": "&vtadminpb.StopReplicationRequest{\nAlias: &topodatapb.TabletAlias{\nCell: \"zone1\",\nUid: 100,\n},\n}", 1673 "cases": [ 1674 { 1675 "name": "unauthorized actor", 1676 "actor": {"name": "other"}, 1677 "include_error_var": true, 1678 "assertions": [ 1679 "assert.Error(t, err, $$)", 1680 "assert.Nil(t, resp, $$)" 1681 ] 1682 }, 1683 { 1684 "name": "authorized actor", 1685 "actor": {"name": "allowed"}, 1686 "include_error_var": true, 1687 "is_permitted": true, 1688 "assertions": [ 1689 "require.NoError(t, err)", 1690 "assert.NotNil(t, resp, $$)" 1691 ] 1692 } 1693 ] 1694 }, 1695 { 1696 "method": "TabletExternallyPromoted", 1697 "rules": [ 1698 { 1699 "resource": "Shard", 1700 "actions": ["tablet_externally_promoted"], 1701 "subjects": ["user:allowed"], 1702 "clusters": ["*"] 1703 } 1704 ], 1705 "request": "&vtadminpb.TabletExternallyPromotedRequest{\nAlias: &topodatapb.TabletAlias{\nCell: \"zone1\",\nUid: 100,\n},\n}", 1706 "cases": [ 1707 { 1708 "name": "unauthorized actor", 1709 "actor": {"name": "other"}, 1710 "include_error_var": true, 1711 "assertions": [ 1712 "assert.Error(t, err, $$)", 1713 "assert.Nil(t, resp, $$)" 1714 ] 1715 }, 1716 { 1717 "name": "authorized actor", 1718 "actor": {"name": "allowed"}, 1719 "include_error_var": true, 1720 "is_permitted": true, 1721 "assertions": [ 1722 "require.NoError(t, err)", 1723 "assert.NotNil(t, resp, $$)" 1724 ] 1725 } 1726 ] 1727 }, 1728 { 1729 "method": "VTExplain", 1730 "rules": [ 1731 { 1732 "resource": "VTExplain", 1733 "actions": ["get"], 1734 "subjects": ["user:allowed"], 1735 "clusters": ["*"] 1736 } 1737 ], 1738 "request": "&vtadminpb.VTExplainRequest{\nCluster: \"test\",\nKeyspace: \"test\",\nSql: \"select id from t1;\",}", 1739 "cases": [ 1740 { 1741 "name": "unauthorized actor", 1742 "actor": {"name": "other"}, 1743 "include_error_var": true, 1744 "assertions": [ 1745 "require.NoError(t, err)", 1746 "assert.Nil(t, resp, $$)" 1747 ] 1748 }, 1749 { 1750 "name": "authorized actor", 1751 "actor": {"name": "allowed"}, 1752 "include_error_var": true, 1753 "is_permitted": true, 1754 "assertions": [ 1755 "require.NoError(t, err)", 1756 "assert.NotNil(t, resp, $$)" 1757 ] 1758 } 1759 ] 1760 }, 1761 { 1762 "method": "ValidateKeyspace", 1763 "rules": [ 1764 { 1765 "resource": "Keyspace", 1766 "actions": ["put"], 1767 "subjects": ["user:allowed"], 1768 "clusters": ["*"] 1769 } 1770 ], 1771 "request": "&vtadminpb.ValidateKeyspaceRequest{\nClusterId: \"test\",\nKeyspace: \"test\",\n}", 1772 "cases": [ 1773 { 1774 "name": "unauthorized actor", 1775 "actor": {"name": "other"}, 1776 "include_error_var": true, 1777 "assertions": [ 1778 "require.NoError(t, err)", 1779 "assert.Nil(t, resp, $$)" 1780 ] 1781 }, 1782 { 1783 "name": "authorized actor", 1784 "actor": {"name": "allowed"}, 1785 "include_error_var": true, 1786 "is_permitted": true, 1787 "assertions": [ 1788 "require.NoError(t, err)", 1789 "assert.NotNil(t, resp, $$)" 1790 ] 1791 } 1792 ] 1793 }, 1794 { 1795 "method": "ValidateSchemaKeyspace", 1796 "rules": [ 1797 { 1798 "resource": "Keyspace", 1799 "actions": ["put"], 1800 "subjects": ["user:allowed"], 1801 "clusters": ["*"] 1802 } 1803 ], 1804 "request": "&vtadminpb.ValidateSchemaKeyspaceRequest{\nClusterId: \"test\",\nKeyspace: \"test\",\n}", 1805 "cases": [ 1806 { 1807 "name": "unauthorized actor", 1808 "actor": {"name": "other"}, 1809 "include_error_var": true, 1810 "assertions": [ 1811 "require.NoError(t, err)", 1812 "assert.Nil(t, resp, $$)" 1813 ] 1814 }, 1815 { 1816 "name": "authorized actor", 1817 "actor": {"name": "allowed"}, 1818 "include_error_var": true, 1819 "is_permitted": true, 1820 "assertions": [ 1821 "require.NoError(t, err)", 1822 "assert.NotNil(t, resp, $$)" 1823 ] 1824 } 1825 ] 1826 }, 1827 { 1828 "method": "ValidateVersionKeyspace", 1829 "rules": [ 1830 { 1831 "resource": "Keyspace", 1832 "actions": ["put"], 1833 "subjects": ["user:allowed"], 1834 "clusters": ["*"] 1835 } 1836 ], 1837 "request": "&vtadminpb.ValidateVersionKeyspaceRequest{\nClusterId: \"test\",\nKeyspace: \"test\",\n}", 1838 "cases": [ 1839 { 1840 "name": "unauthorized actor", 1841 "actor": {"name": "other"}, 1842 "include_error_var": true, 1843 "assertions": [ 1844 "require.NoError(t, err)", 1845 "assert.Nil(t, resp, $$)" 1846 ] 1847 }, 1848 { 1849 "name": "authorized actor", 1850 "actor": {"name": "allowed"}, 1851 "include_error_var": true, 1852 "is_permitted": true, 1853 "assertions": [ 1854 "require.NoError(t, err)", 1855 "assert.NotNil(t, resp, $$)" 1856 ] 1857 } 1858 ] 1859 } 1860 ] 1861 }