// check replica set authentication
//
// Covers, in order: auth on a standalone started without a keyFile, refusal to start with an
// over-permissive keyFile, user persistence into a keyFile-protected replica set, authorized and
// unauthorized reads, failover and resync, and a member started with a different keyFile.
//
// This test requires users to persist across a restart.
// @tags: [requires_persistence]

load("jstests/replsets/rslib.js");

// Replica set name; also used below as the prefix of the data directories.
var name = "rs_auth1";
// Five ports: port[0] is the replica set's startPort, port[3] is used for the extra member
// added near the end, and port[4] for the standalone auth check.
var port = allocatePorts(5);
var path = "jstests/libs/";

// These keyFiles have their permissions set to 600 later in the test.
// NOTE(review): no explicit chmod 600 on key1/key2 appears in the part of the script shown here;
// presumably the runner helpers apply it -- confirm.
// key1 is the key shared by the replica set members; key2 is a different key, used for the
// "wrong key" member.
var key1_600 = path+"key1";
var key2_600 = path+"key2";

// This keyFile has its permissions set to 644 later in the test.
// It is the deliberately over-permissive file used to check that mongod refuses to start with it.
var key1_644 = path+"key1_644";
// Standalone mongod started with the auth option and no keyFile.
print("try starting mongod with auth");
var m = MongoRunner.runMongod({auth : "", port : port[4], dbpath : MongoRunner.dataDir + "/wrong-auth"});

// The internal "__system" user must not be able to log in with an empty password when no
// keyFile is configured. auth() returning 0 is the failure result (successful logins elsewhere
// in this script are asserted to return 1).
assert.eq(m.getDB("local").auth("__system", ""), 0);

MongoRunner.stopMongod(m);
// Make the keyFile group/world readable so that startup has to be refused.
print("reset permissions");
run("chmod", "644", key1_644);

// runMongoProgram's return value is compared against a process exit code below, so m is an
// exit status here rather than a connection.
print("try starting mongod");
m = runMongoProgram( "mongod", "--keyFile", key1_644, "--port", port[0], "--dbpath", MongoRunner.dataPath + name);

// Expected exit code is 1 on non-Windows platforms and 100 on Windows.
// NOTE(review): the assertion message only describes the non-Windows case; why Windows yields
// 100 is not visible from this script -- confirm.
print("should fail with wrong permissions");
assert.eq(m, _isWindows()? 100 : 1, "mongod should exit w/ 1 (EXIT_FAILURE): permissions too open");
// Called with the port rather than a connection; presumably cleanup in case the process is
// still registered with the runner -- confirm.
MongoRunner.stopMongod(port[0]);
// Seed users on what will become node 0. The mongod is started with only a dbpath (no auth or
// keyFile option), so the users are created before access control applies to this data directory.
// NOTE(review): the "-0" dbpath suffix presumably matches the directory ReplSetTest uses for
// node 0 -- confirm.
print("add a user to server0: foo");
m = MongoRunner.runMongod({dbpath: MongoRunner.dataPath + name + "-0"});
// Test-fixture credentials: an admin user on "admin" and a basic user on "test".
m.getDB("admin").createUser({user: "foo", pwd: "bar", roles: jsTest.adminUserRoles});
m.getDB("test").createUser({user: "bar", pwd: "baz", roles: jsTest.basicUserRoles});
// The rest of the test depends on these users surviving the shutdown (see the
// requires_persistence tag at the top of the file).
print("make sure user is written before shutting down");
MongoRunner.stopMongod(m);
// Three-node replica set; every node is started with the same keyFile (key1).
print("start up rs");
var rs = new ReplSetTest({"name" : name, "nodes" : 3, "startPort" : port[0]});
// Node 0 is restarted rather than started; nodes 1 and 2 are started with rs.start().
print("restart 0 with keyFile");
m = rs.restart(0, {"keyFile" : key1_600});
print("restart 1 with keyFile");
rs.start(1, {"keyFile" : key1_600});
print("restart 2 with keyFile");
rs.start(2, {"keyFile" : key1_600});

// The admin user created before the restart must still be able to log in on node 0.
var result = m.getDB("admin").auth("foo", "bar");
assert.eq(result, 1, "login failed");
print("Initializing replSet with config: " + tojson(rs.getReplSetConfig()));
// replSetInitiate is issued on the authenticated connection to node 0.
result = m.getDB("admin").runCommand({replSetInitiate : rs.getReplSetConfig()});
assert.eq(result.ok, 1, "couldn't initiate: "+tojson(result));
m.getDB('admin').logout(); // In case this node doesn't become primary, make sure it's not auth'd
// Pick up the primary and one secondary once the set has settled.
var master = rs.getPrimary();
rs.awaitSecondaryNodes();
// Remember the primary's node id; it is stopped later for the failover step.
var mId = rs.getNodeId(master);
var slave = rs.liveNodes.slaves[0];
// Only the primary connection is authenticated here; the secondary connection is left
// unauthenticated for the negative read check that follows.
assert.eq(1, master.getDB("admin").auth("foo", "bar"));
// w:3 requires acknowledgement from three members before the 60s timeout.
assert.writeOK(master.getDB("test").foo.insert({ x: 1 }, { writeConcern: { w:3, wtimeout:60000 }}));

// Authorized read on the primary.
print("try some legal and illegal reads");
var r = master.getDB("test").foo.findOne();
assert.eq(r.x, 1);

// Allow reads on the secondary connection, so a later failure there is an authorization
// failure rather than a "not primary" refusal.
slave.setSlaveOk();
/**
 * Asserts that reading test.foo through `p` is rejected as unauthorized.
 *
 * Runs findOne() on test.foo via p.getDB("test"), requires it to throw, prints the error text,
 * and requires that text to contain "not authorized". A successful read is stored in the
 * script-level variable `r` (no local declaration).
 *
 * @param p object exposing getDB(), used as the connection to query
 */
function doQueryOn(p) {
    // Built before the query runs, so on failure it reports the value `r` held on entry,
    // not the document the unexpected read returned.
    var failureMessage = "find did not throw, returned: " + tojson(r);

    var attemptRead = function() {
        r = p.getDB("test").foo.findOne();
    };

    var thrown = assert.throws(attemptRead, [], failureMessage);
    var errorText = thrown.toString();
    printjson(errorText);

    // Any other exception (e.g. a network error) must not be mistaken for an auth rejection.
    assert.gt(errorText.indexOf("not authorized"), -1, "error was non-auth");
}
// The secondary connection has not authenticated yet: the read must be rejected.
doQueryOn(slave);
// Drop the primary connection's admin login so it can be checked unauthenticated as well.
master.adminCommand({logout:1});

// NOTE(review): the replSetGetStatus reply is only printed, not asserted; nothing here fails
// if the command succeeds on the logged-out connection.
print("unauthorized:");
printjson(master.adminCommand({replSetGetStatus : 1}));

// After logout the primary must reject the read too.
doQueryOn(master);

// Log in on the secondary as the basic "test" user; the same read must now succeed.
result = slave.getDB("test").auth("bar", "baz");
assert.eq(result, 1);

r = slave.getDB("test").foo.findOne();
assert.eq(r.x, 1);
// Write 1000 documents as the basic user and require replication to all three members.
print("add some data");
// The result of this auth() call is not checked here; a failed login would surface as a
// write error in the assert below.
master.getDB("test").auth("bar", "baz");
var bulk = master.getDB("test").foo.initializeUnorderedBulkOp();
for (var i=0; i<1000; i++) {
    bulk.insert({ x: i, foo: "bar" });
}
assert.writeOK(bulk.execute({ w: 3, wtimeout: 60000 }));
// Stop the node that was primary (its id was saved in mId) to force an election.
print("fail over");
rs.stop(mId);

master = rs.getPrimary();

// The new primary is a fresh connection, so the basic user logs in again before writing.
print("add some more data 1");
master.getDB("test").auth("bar", "baz");
bulk = master.getDB("test").foo.initializeUnorderedBulkOp();
for (var i=0; i<1000; i++) {
    bulk.insert({ x: i, foo: "bar" });
}
// Only two members are up at this point, hence w:2 (and no wtimeout) instead of w:3.
assert.writeOK(bulk.execute({ w: 2 }));
// Bring the stopped node back with the shared keyFile so it can catch up.
print("resync");
rs.restart(mId, {"keyFile" : key1_600});
master = rs.getPrimary();

// NOTE(review): unlike the two earlier batches there is no auth() call before this write;
// presumably the connection returned by getPrimary() is still logged in -- confirm.
print("add some more data 2");
bulk = master.getDB("test").foo.initializeUnorderedBulkOp();
for (var i=0; i<1000; i++) {
    bulk.insert({ x: i, foo: "bar" });
}
// NOTE(review): the result is not wrapped in assert.writeOK here, unlike the earlier batches;
// w:3 is what requires the restarted node to have acknowledged the write within 60s.
bulk.execute({ w:3, wtimeout:60000 });
// Start a fourth mongod for the same replica set name, but with a different keyFile (key2).
print("add member with wrong key");
var conn = MongoRunner.runMongod({dbpath: MongoRunner.dataPath + name + "-3",
                                  port: port[3],
                                  replSet: "rs_auth1",
                                  oplogSize: 2,
                                  keyFile: key2_600});

// Reconfiguring requires the admin user.
master.getDB("admin").auth("foo", "bar");
// Take the current config from local.system.replset, append the new host as _id 3 and bump
// the version.
var config = master.getDB("local").system.replset.findOne();
config.members.push({_id : 3, host : rs.host+":"+port[3]});
config.version++;
// Any exception from the reconfig is printed and otherwise ignored.
// NOTE(review): presumably tolerated because a reconfig can drop the connection -- confirm;
// a genuinely failed reconfig is not detected at this point.
try {
    master.adminCommand({replSetReconfig:config});
}
catch (e) {
    print("error: "+e);
}
// Re-resolve the primary and log in again as the admin user (result not checked).
master = rs.getPrimary();
master.getDB("admin").auth("foo", "bar");
// Negative check: the member holding the wrong key must not become a secondary.
// The observation window is 10 polls one second apart, so this shows the member did not sync
// within roughly 10 seconds, not that it never can.
print("shouldn't ever sync");
for (var i = 0; i<10; i++) {
    print("iteration: " +i);
    var results = master.adminCommand({replSetGetStatus:1});
    printjson(results);
    // State 2 is SECONDARY in replSetGetStatus output. Index 3 assumes the new member is the
    // fourth entry of the members array.
    assert(results.members[3].state != 2);
    sleep(1000);
}

print("stop member");
MongoRunner.stopMongod(conn);
// Same data directory, port and replica set name as the wrong-key member, now with the key
// shared by the rest of the set (key1).
print("start back up with correct key");
var conn = MongoRunner.runMongod({dbpath: MongoRunner.dataPath + name + "-3",
                                  port: port[3],
                                  replSet: "rs_auth1",
                                  oplogSize: 2,
                                  keyFile: key1_600});

// Poll until the fourth member reports state 2 (SECONDARY). Exceptions from the status
// command are printed and count as "not yet".
// NOTE(review): wait() is not defined in this script; presumably it comes from the rslib.js
// loaded at the top and enforces its own retry limit -- confirm.
wait(function() {
    try {
        var results = master.adminCommand({replSetGetStatus:1});
        printjson(results);
        return results.members[3].state == 2;
    }
    catch (e) {
        print(e);
    }
    return false;
});
// Wait until every node in rs.nodes reports replica set config version 2, i.e. the config
// that added the fourth member.
// NOTE(review): the fourth member was started through MongoRunner, not through rs; whether
// rs.nodes includes it is not visible here, so confirm that this check covers the node the
// message refers to.
print("make sure it has the config, too");
assert.soon(function() {
    for (var i in rs.nodes) {
        // Reads on secondaries need slaveOk, and local.system.replset needs the admin login.
        rs.nodes[i].setSlaveOk();
        rs.nodes[i].getDB("admin").auth("foo","bar");
        // Overwrites the script-level config variable on every iteration.
        config = rs.nodes[i].getDB("local").system.replset.findOne();
        if (config.version != 2) {
            return false;
        }
    }
    return true;
});