mongo/jstests/auth/repl.js
Matt Broadstone 771dabd098 SERVER-81339 Convert ReplSetTest and ShardingTest to modules (#26332)
GitOrigin-RevId: 744aa110a53786b23c62ff53f87a1418b5991e8d
2024-08-20 22:00:49 +00:00


// Test that authorization information (users, roles and their privileges) gets propagated correctly to secondaries.
import {ReplSetTest} from "jstests/libs/replsettest.js";
// Name shared by the replica sets started below.
const baseName = "jstests_auth_repl";
const rsName = `${baseName}_rs`;
// Every mongod is started with auth enabled and the test keyfile for
// intra-cluster authentication.
const mongoOptions = {auth: null, keyFile: "jstests/libs/key1"};
// Error code (Unauthorized) expected when the test user runs a command it
// has no privilege for.
const authErrCode = 13;
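/**
 * Harness that creates users and roles on the primary and checks, through a
 * separate connection to a secondary, that the replicated auth documents are
 * both visible (usersInfo/rolesInfo) and enforced (command authorization).
 *
 * @param {{primaryConn: Mongo, secondaryConn: (Mongo|null)}} spec - connections
 *   to the primary and, optionally, the secondary. A null secondary may be
 *   supplied later through `setSecondary` (initial-sync scenario).
 * @returns {{setSecondary: Function, createUserAndRoles: Function, testAll: Function}}
 */
const AuthReplTest = function(spec) {
    const that = {};

    // argument validation
    assert("primaryConn" in spec);
    assert("secondaryConn" in spec);

    // private state
    const primaryConn = spec.primaryConn;
    let secondaryConn = spec.secondaryConn;
    const testUser = "testUser";
    const testRole = "testRole";
    const testRole2 = "testRole2";

    // Every auth write waits on `w` nodes so the secondary has applied the
    // change before the checks read it back from there.
    const writeConcern = function(w) {
        return {w: w, wtimeout: 15000};
    };

    const adminPri = primaryConn.getDB("admin");
    // Bootstrap a superuser on the primary; all subsequent user/role
    // management commands run under this identity.
    adminPri.createUser({user: "super", pwd: "super", roles: ["__system"]});
    assert(adminPri.auth("super", "super"), "could not authenticate as superuser");

    let adminSec;
    if (secondaryConn != null) {
        secondaryConn.setSecondaryOk();
        adminSec = secondaryConn.getDB("admin");
    }

    /* --- private functions --- */

    // Authenticate on the secondary as the test user (not the superuser), so
    // the privilege checks below exercise the replicated user/role documents.
    const authOnSecondary = function() {
        assert(adminSec.auth(testUser, testUser), "could not authenticate as test user");
    };

    /**
     * Use the rolesInfo command to check that the test role on the secondary
     * carries exactly one privilege whose first action is `actionType`.
     */
    const confirmRolesInfo = function(actionType) {
        const role = adminSec.getRole(testRole, {showPrivileges: true});
        assert.eq(1, role.privileges.length);
        assert.eq(role.privileges[0].actions[0], actionType);
    };

    /**
     * Use the usersInfo command to check that the test user on the secondary
     * holds exactly one role, `roleName`.
     */
    const confirmUsersInfo = function(roleName) {
        const user = adminSec.getUser(testUser);
        assert.eq(1, user.roles.length);
        assert.eq(user.roles[0].role, roleName);
    };

    /**
     * Ensure that, before any update, the test user can run hostInfo on the
     * secondary but is rejected with authErrCode for listDatabases.
     */
    const confirmPrivilegeBeforeUpdate = function() {
        // can run hostInfo
        assert.commandWorked(adminSec.runCommand({hostInfo: 1}));
        // but cannot run listDatabases
        assert.commandFailedWithCode(adminSec.runCommand({listDatabases: 1}), authErrCode);
    };

    // Replace the test role's single privilege: hostInfo -> listDatabases.
    const updateRole = function() {
        assert.commandWorked(adminPri.runCommand({
            updateRole: testRole,
            privileges: [{resource: {cluster: true}, actions: ["listDatabases"]}],
            writeConcern: writeConcern(2)
        }));
    };

    // Move the test user from testRole to testRole2.
    const updateUser = function() {
        assert.commandWorked(adminPri.runCommand(
            {updateUser: testUser, roles: [testRole2], writeConcern: writeConcern(2)}));
    };

    /**
     * Ensure that an update has taken effect on the secondary: hostInfo is now
     * rejected with authErrCode and listDatabases is allowed.
     */
    const confirmPrivilegeAfterUpdate = function() {
        // cannot run hostInfo
        assert.commandFailedWithCode(adminSec.runCommand({hostInfo: 1}), authErrCode);
        // but can run listDatabases
        assert.commandWorked(adminSec.runCommand({listDatabases: 1}));
    };

    /**
     * Remove the test user and all roles from the admin database.
     */
    const cleanup = function() {
        assert.commandWorked(
            adminPri.runCommand({dropUser: testUser, writeConcern: writeConcern(2)}));
        assert.commandWorked(adminPri.runCommand(
            {dropAllRolesFromDatabase: 1, writeConcern: writeConcern(2)}));
    };

    /* --- public functions --- */

    /**
     * Set (or replace) the secondary used by the checks; needed when the
     * secondary joins the set after construction.
     */
    that.setSecondary = function(secondary) {
        secondaryConn = secondary;
        secondaryConn.setSecondaryOk();
        adminSec = secondaryConn.getDB("admin");
    };

    /**
     * Create the two test roles (testRole -> hostInfo, testRole2 -> listDatabases)
     * and the test user holding testRole, on the primary.
     *
     * @param {number} numNodes - write concern `w` for the creates, i.e. the
     *   number of nodes currently in the set.
     */
    that.createUserAndRoles = function(numNodes) {
        // Each role gets exactly one cluster-level action so the later
        // rolesInfo check can assert on privileges[0].actions[0].
        const roleActions = [[testRole, "hostInfo"], [testRole2, "listDatabases"]];
        for (const [roleName, action] of roleActions) {
            assert.commandWorked(adminPri.runCommand({
                createRole: roleName,
                privileges: [{resource: {cluster: true}, actions: [action]}],
                roles: [],
                writeConcern: writeConcern(numNodes)
            }));
        }
        assert.commandWorked(adminPri.runCommand({
            createUser: testUser,
            pwd: testUser,
            roles: [testRole],
            writeConcern: writeConcern(numNodes)
        }));
    };

    /**
     * Top-level test for updating users and roles and ensuring that the update
     * has the correct effect on the secondary. Both the role update and the
     * user update must lead to the same observable privilege change.
     */
    that.testAll = function() {
        authOnSecondary();
        confirmPrivilegeBeforeUpdate();
        confirmUsersInfo(testRole);
        confirmRolesInfo("hostInfo");
        updateRole();
        confirmPrivilegeAfterUpdate();
        confirmRolesInfo("listDatabases");
        updateUser();
        confirmPrivilegeAfterUpdate();
        confirmUsersInfo(testRole2);
        cleanup();
    };

    return that;
};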
// Wait for replication under the keyfile (cluster) identity.
const awaitReplicationAsCluster = function(replSet, replNodes) {
    authutil.asCluster(replNodes, "jstests/libs/key1", function() {
        replSet.awaitReplication();
    });
};

// Scenario 1: a two-node set, users and roles created while the secondary
// is already replicating.
jsTest.log("1 test replica sets");
let rs = new ReplSetTest({name: rsName, nodes: 2});
let nodes = rs.startSet(mongoOptions);
rs.initiate();
awaitReplicationAsCluster(rs, nodes);
let primary = rs.getPrimary();
let secondary = rs.getSecondary();
let authReplTest = AuthReplTest({primaryConn: primary, secondaryConn: secondary});
authReplTest.createUserAndRoles(2);
authReplTest.testAll();
rs.stopSet();

// Scenario 2: users and roles created on a single node, then a secondary is
// added and must pick them up through initial sync.
jsTest.log("2 test initial sync");
rs = new ReplSetTest({name: rsName, nodes: 1, nodeOptions: mongoOptions});
nodes = rs.startSet();
rs.initiate();
awaitReplicationAsCluster(rs, nodes);
primary = rs.getPrimary();
authReplTest = AuthReplTest({primaryConn: primary, secondaryConn: null});
authReplTest.createUserAndRoles(1);
// Add a secondary and wait for initial sync
rs.add(mongoOptions);
rs.reInitiate();
rs.awaitSecondaryNodes();
secondary = rs.getSecondary();
authReplTest.setSecondary(secondary);
authReplTest.testAll();
rs.stopSet();