sync

Author: dadgar

acl/acl.go

@@ -47,6 +47,7 @@ type ACL struct {
 	agent    string
 	node     string
 	operator string
+	quota    string
 }
 
 // maxPrivilege returns the policy which grants the most privilege
@@ -115,6 +116,9 @@ func NewACL(management bool, policies []*Policy) (*ACL, error) {
 		if policy.Operator != nil {
 			acl.operator = maxPrivilege(acl.operator, policy.Operator.Policy)
 		}
+		if policy.Quota != nil {
+			acl.quota = maxPrivilege(acl.quota, policy.Quota.Policy)
+		}
 	}
 
 	// Finalize the namespaces
@@ -145,6 +149,28 @@ func (a *ACL) AllowNamespaceOperation(ns string, op string) bool {
 	return capabilities.Check(op)
 }
 
+// AllowNamespace checks if any operations are allowed for a namespace
+func (a *ACL) AllowNamespace(ns string) bool {
+	// Hot path management tokens
+	if a.management {
+		return true
+	}
+
+	// Check for a matching capability set
+	raw, ok := a.namespaces.Get([]byte(ns))
+	if !ok {
+		return false
+	}
+
+	// Check if the capability has been granted
+	capabilities := raw.(capabilitySet)
+	if len(capabilities) == 0 {
+		return false
+	}
+
+	return !capabilities.Check(PolicyDeny)
+}
+
 // AllowAgentRead checks if read operations are allowed for an agent
 func (a *ACL) AllowAgentRead() bool {
 	switch {
@@ -223,6 +249,32 @@ func (a *ACL) AllowOperatorWrite() bool {
 	}
 }
 
+// AllowQuotaRead checks if read operations are allowed for all quotas
+func (a *ACL) AllowQuotaRead() bool {
+	switch {
+	case a.management:
+		return true
+	case a.quota == PolicyWrite:
+		return true
+	case a.quota == PolicyRead:
+		return true
+	default:
+		return false
+	}
+}
+
+// AllowQuotaWrite checks if write operations are allowed for quotas
+func (a *ACL) AllowQuotaWrite() bool {
+	switch {
+	case a.management:
+		return true
+	case a.quota == PolicyWrite:
+		return true
+	default:
+		return false
+	}
+}
+
 // IsManagement checks if this represents a management token
 func (a *ACL) IsManagement() bool {
 	return a.management

acl/acl_test.go

@@ -60,95 +60,111 @@ func TestMaxPrivilege(t *testing.T) {
 }
 
 func TestACLManagement(t *testing.T) {
+	assert := assert.New(t)
+
 	// Create management ACL
 	acl, err := NewACL(true, nil)
-	assert.Nil(t, err)
+	assert.Nil(err)
 
 	// Check default namespace rights
-	assert.Equal(t, true, acl.AllowNamespaceOperation("default", NamespaceCapabilityListJobs))
-	assert.Equal(t, true, acl.AllowNamespaceOperation("default", NamespaceCapabilitySubmitJob))
+	assert.True(acl.AllowNamespaceOperation("default", NamespaceCapabilityListJobs))
+	assert.True(acl.AllowNamespaceOperation("default", NamespaceCapabilitySubmitJob))
+	assert.True(acl.AllowNamespace("default"))
 
 	// Check non-specified namespace
-	assert.Equal(t, true, acl.AllowNamespaceOperation("foo", NamespaceCapabilityListJobs))
+	assert.True(acl.AllowNamespaceOperation("foo", NamespaceCapabilityListJobs))
+	assert.True(acl.AllowNamespace("foo"))
 
 	// Check the other simpler operations
-	assert.Equal(t, true, acl.IsManagement())
-	assert.Equal(t, true, acl.AllowAgentRead())
-	assert.Equal(t, true, acl.AllowAgentWrite())
-	assert.Equal(t, true, acl.AllowNodeRead())
-	assert.Equal(t, true, acl.AllowNodeWrite())
-	assert.Equal(t, true, acl.AllowOperatorRead())
-	assert.Equal(t, true, acl.AllowOperatorWrite())
+	assert.True(acl.IsManagement())
+	assert.True(acl.AllowAgentRead())
+	assert.True(acl.AllowAgentWrite())
+	assert.True(acl.AllowNodeRead())
+	assert.True(acl.AllowNodeWrite())
+	assert.True(acl.AllowOperatorRead())
+	assert.True(acl.AllowOperatorWrite())
+	assert.True(acl.AllowQuotaRead())
+	assert.True(acl.AllowQuotaWrite())
 }
 
 func TestACLMerge(t *testing.T) {
+	assert := assert.New(t)
+
 	// Merge read + write policy
 	p1, err := Parse(readAll)
-	assert.Nil(t, err)
+	assert.Nil(err)
 	p2, err := Parse(writeAll)
-	assert.Nil(t, err)
+	assert.Nil(err)
 	acl, err := NewACL(false, []*Policy{p1, p2})
-	assert.Nil(t, err)
+	assert.Nil(err)
 
 	// Check default namespace rights
-	assert.Equal(t, true, acl.AllowNamespaceOperation("default", NamespaceCapabilityListJobs))
-	assert.Equal(t, true, acl.AllowNamespaceOperation("default", NamespaceCapabilitySubmitJob))
+	assert.True(acl.AllowNamespaceOperation("default", NamespaceCapabilityListJobs))
+	assert.True(acl.AllowNamespaceOperation("default", NamespaceCapabilitySubmitJob))
+	assert.True(acl.AllowNamespace("default"))
 
 	// Check non-specified namespace
-	assert.Equal(t, false, acl.AllowNamespaceOperation("foo", NamespaceCapabilityListJobs))
+	assert.False(acl.AllowNamespaceOperation("foo", NamespaceCapabilityListJobs))
+	assert.False(acl.AllowNamespace("foo"))
 
 	// Check the other simpler operations
-	assert.Equal(t, false, acl.IsManagement())
-	assert.Equal(t, true, acl.AllowAgentRead())
-	assert.Equal(t, true, acl.AllowAgentWrite())
-	assert.Equal(t, true, acl.AllowNodeRead())
-	assert.Equal(t, true, acl.AllowNodeWrite())
-	assert.Equal(t, true, acl.AllowOperatorRead())
-	assert.Equal(t, true, acl.AllowOperatorWrite())
+	assert.False(acl.IsManagement())
+	assert.True(acl.AllowAgentRead())
+	assert.True(acl.AllowAgentWrite())
+	assert.True(acl.AllowNodeRead())
+	assert.True(acl.AllowNodeWrite())
+	assert.True(acl.AllowOperatorRead())
+	assert.True(acl.AllowOperatorWrite())
+	assert.True(acl.AllowQuotaRead())
+	assert.True(acl.AllowQuotaWrite())
 
 	// Merge read + blank
 	p3, err := Parse("")
-	assert.Nil(t, err)
+	assert.Nil(err)
 	acl, err = NewACL(false, []*Policy{p1, p3})
-	assert.Nil(t, err)
+	assert.Nil(err)
 
 	// Check default namespace rights
-	assert.Equal(t, true, acl.AllowNamespaceOperation("default", NamespaceCapabilityListJobs))
-	assert.Equal(t, false, acl.AllowNamespaceOperation("default", NamespaceCapabilitySubmitJob))
+	assert.True(acl.AllowNamespaceOperation("default", NamespaceCapabilityListJobs))
+	assert.False(acl.AllowNamespaceOperation("default", NamespaceCapabilitySubmitJob))
 
 	// Check non-specified namespace
-	assert.Equal(t, false, acl.AllowNamespaceOperation("foo", NamespaceCapabilityListJobs))
+	assert.False(acl.AllowNamespaceOperation("foo", NamespaceCapabilityListJobs))
 
 	// Check the other simpler operations
-	assert.Equal(t, false, acl.IsManagement())
-	assert.Equal(t, true, acl.AllowAgentRead())
-	assert.Equal(t, false, acl.AllowAgentWrite())
-	assert.Equal(t, true, acl.AllowNodeRead())
-	assert.Equal(t, false, acl.AllowNodeWrite())
-	assert.Equal(t, true, acl.AllowOperatorRead())
-	assert.Equal(t, false, acl.AllowOperatorWrite())
+	assert.False(acl.IsManagement())
+	assert.True(acl.AllowAgentRead())
+	assert.False(acl.AllowAgentWrite())
+	assert.True(acl.AllowNodeRead())
+	assert.False(acl.AllowNodeWrite())
+	assert.True(acl.AllowOperatorRead())
+	assert.False(acl.AllowOperatorWrite())
+	assert.True(acl.AllowQuotaRead())
+	assert.False(acl.AllowQuotaWrite())
 
 	// Merge read + deny
 	p4, err := Parse(denyAll)
-	assert.Nil(t, err)
+	assert.Nil(err)
 	acl, err = NewACL(false, []*Policy{p1, p4})
-	assert.Nil(t, err)
+	assert.Nil(err)
 
 	// Check default namespace rights
-	assert.Equal(t, false, acl.AllowNamespaceOperation("default", NamespaceCapabilityListJobs))
-	assert.Equal(t, false, acl.AllowNamespaceOperation("default", NamespaceCapabilitySubmitJob))
+	assert.False(acl.AllowNamespaceOperation("default", NamespaceCapabilityListJobs))
+	assert.False(acl.AllowNamespaceOperation("default", NamespaceCapabilitySubmitJob))
 
 	// Check non-specified namespace
-	assert.Equal(t, false, acl.AllowNamespaceOperation("foo", NamespaceCapabilityListJobs))
+	assert.False(acl.AllowNamespaceOperation("foo", NamespaceCapabilityListJobs))
 
 	// Check the other simpler operations
-	assert.Equal(t, false, acl.IsManagement())
-	assert.Equal(t, false, acl.AllowAgentRead())
-	assert.Equal(t, false, acl.AllowAgentWrite())
-	assert.Equal(t, false, acl.AllowNodeRead())
-	assert.Equal(t, false, acl.AllowNodeWrite())
-	assert.Equal(t, false, acl.AllowOperatorRead())
-	assert.Equal(t, false, acl.AllowOperatorWrite())
+	assert.False(acl.IsManagement())
+	assert.False(acl.AllowAgentRead())
+	assert.False(acl.AllowAgentWrite())
+	assert.False(acl.AllowNodeRead())
+	assert.False(acl.AllowNodeWrite())
+	assert.False(acl.AllowOperatorRead())
+	assert.False(acl.AllowOperatorWrite())
+	assert.False(acl.AllowQuotaRead())
+	assert.False(acl.AllowQuotaWrite())
 }
 
 var readAll = `
@@ -164,6 +180,9 @@ node {
 operator {
 	policy = "read"
 }
+quota {
+	policy = "read"
+}
 `
 
 var writeAll = `
@@ -179,6 +198,9 @@ node {
 operator {
 	policy = "write"
 }
+quota {
+	policy = "write"
+}
 `
 
 var denyAll = `
@@ -194,4 +216,49 @@ node {
 operator {
 	policy = "deny"
 }
+quota {
+	policy = "deny"
+}
 `
+
+func TestAllowNamespace(t *testing.T) {
+	tests := []struct {
+		Policy string
+		Allow  bool
+	}{
+		{
+			Policy: `namespace "foo" {}`,
+			Allow:  false,
+		},
+		{
+			Policy: `namespace "foo" { policy = "deny" }`,
+			Allow:  false,
+		},
+		{
+			Policy: `namespace "foo" { capabilities = ["deny"] }`,
+			Allow:  false,
+		},
+		{
+			Policy: `namespace "foo" { capabilities = ["list-jobs"] }`,
+			Allow:  true,
+		},
+		{
+			Policy: `namespace "foo" { policy = "read" }`,
+			Allow:  true,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.Policy, func(t *testing.T) {
+			assert := assert.New(t)
+
+			policy, err := Parse(tc.Policy)
+			assert.Nil(err)
+
+			acl, err := NewACL(false, []*Policy{policy})
+			assert.Nil(err)
+
+			assert.Equal(tc.Allow, acl.AllowNamespace("foo"))
+		})
+	}
+}

acl/policy.go

@@ -41,6 +41,7 @@ type Policy struct {
 	Agent      *AgentPolicy       `hcl:"agent"`
 	Node       *NodePolicy        `hcl:"node"`
 	Operator   *OperatorPolicy    `hcl:"operator"`
+	Quota      *QuotaPolicy       `hcl:"quota"`
 	Raw        string             `hcl:"-"`
 }
 
@@ -63,6 +64,10 @@ type OperatorPolicy struct {
 	Policy string
 }
 
+type QuotaPolicy struct {
+	Policy string
+}
+
 // isPolicyValid makes sure the given string matches one of the valid policies.
 func isPolicyValid(policy string) bool {
 	switch policy {
@@ -162,5 +167,9 @@ func Parse(rules string) (*Policy, error) {
 	if p.Operator != nil && !isPolicyValid(p.Operator.Policy) {
 		return nil, fmt.Errorf("Invalid operator policy: %#v", p.Operator)
 	}
+
+	if p.Quota != nil && !isPolicyValid(p.Quota.Policy) {
+		return nil, fmt.Errorf("Invalid quota policy: %#v", p.Quota)
+	}
 	return p, nil
 }

acl/policy_test.go

@@ -55,6 +55,9 @@ func TestParse(t *testing.T) {
 			operator {
 				policy = "deny"
 			}
+			quota {
+				policy = "read"
+			}
 			`,
 			"",
 			&Policy{
@@ -96,6 +99,9 @@ func TestParse(t *testing.T) {
 				Operator: &OperatorPolicy{
 					Policy: PolicyDeny,
 				},
+				Quota: &QuotaPolicy{
+					Policy: PolicyRead,
+				},
 			},
 		},
 		{
@@ -143,6 +149,15 @@ func TestParse(t *testing.T) {
 			"Invalid operator policy",
 			nil,
 		},
+		{
+			`
+			quota {
+				policy = "foo"
+			}
+			`,
+			"Invalid quota policy",
+			nil,
+		},
 		{
 			`
 			namespace "has a space"{

api/allocations.go

@@ -107,6 +107,7 @@ type AllocationMetric struct {
 	NodesExhausted     int
 	ClassExhausted     map[string]int
 	DimensionExhausted map[string]int
+	QuotaExhausted     []string
 	Scores             map[string]float64
 	AllocationTime     time.Duration
 	CoalescedFailures  int

api/contexts/contexts.go

@@ -10,5 +10,6 @@ const (
 	Jobs        Context = "jobs"
 	Nodes       Context = "nodes"
 	Namespaces  Context = "namespaces"
+	Quotas      Context = "quotas"
 	All         Context = "all"
 )

api/evaluations.go

@@ -73,6 +73,7 @@ type Evaluation struct {
 	FailedTGAllocs       map[string]*AllocationMetric
 	ClassEligibility     map[string]bool
 	EscapedComputedClass bool
+	QuotaLimitReached    string
 	AnnotatePlan         bool
 	QueuedAllocations    map[string]int
 	SnapshotIndex        uint64