author | Spencer T Brody <spencer@10gen.com> | 2013-09-04 15:00:54 -0400 |
---|---|---|
committer | Spencer T Brody <spencer@10gen.com> | 2013-09-06 12:31:22 -0400 |
commit | ec23a4a3587f83c603b36b7761881c9edb8c503b (patch) | |
tree | 3e25e86f2743ddc909c14f31c93e70dd5071b311 | |
parent | 1a2d5ede29501a063f66da108fbb3d9a57eb1289 (diff) | |
download | mongo-ec23a4a3587f83c603b36b7761881c9edb8c503b.tar.gz |
SERVER-9517 Update tests to pass with new user schema
60 files changed, 357 insertions, 495 deletions
diff --git a/buildscripts/smoke.py b/buildscripts/smoke.py index 5eebded39d0..d2a69063dc4 100755 --- a/buildscripts/smoke.py +++ b/buildscripts/smoke.py @@ -167,9 +167,12 @@ class mongod(object): def setup_admin_user(self, port=mongod_port): try: - Connection( "localhost" , int(port) ).admin.command("createUser", - user="admin", - pwd="password") + Connection( "localhost" , int(port) ).admin.command("createUser", "admin", + pwd="password", + roles=["readWriteAnyDatabase", + "dbAdminAnyDatabase", + "userAdminAnyDatabase", + "clusterAdmin"]) except OperationFailure, e: if e.message == 'need to login': pass # SERVER-4225 diff --git a/jstests/auth/adduser_helper.js b/jstests/auth/adduser_helper.js index 80897bdf7e3..b6a9329b7cb 100644 --- a/jstests/auth/adduser_helper.js +++ b/jstests/auth/adduser_helper.js 
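Review bot: The new createUser call on the `+` lines is still wrapped in an except block that discards every OperationFailure, not just the `'need to login'` case it deliberately ignores, so a rejected entry in the new `roles` list or any other setup failure would go unnoticed and only surface later as unrelated auth errors in the smoke run. Add an `else: raise` after the `if e.message == 'need to login':` branch so a failed admin-user setup stops the run at the point it goes wrong. The setup_admin_user body and its try/except continue past the end of the hunk.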
@@ -7,46 +7,44 @@ var passwordHash = function(username, password) { var conn = MongoRunner.runMongod({smallfiles: ""}); var db = conn.getDB('addUser'); +var admin = conn.getDB('admin'); db.dropDatabase(); +admin.dropDatabase(); -jsTest.log("Testing creating backwards-compatible user objects using old form of db.addUser"); -db.addUser('spencer', 'password'); -assert.eq(1, db.system.users.count()); -var userObj = db.system.users.findOne(); -assert.eq('spencer', userObj['user']); -assert.eq(passwordHash('spencer', 'password'), userObj['pwd']); +// Can't use old-form of addUser helper to make v0 users +assert.throws(function() {db.addUser('spencer', 'password'); }); +// Can't create old-style entries with new addUser helper. +assert.throws(function() {db.addUser({user:'noroles', pwd:'password'});}); -// Test re-adding the same user fails -assert.throws(function() { db.addUser("spencer", "password2"); }); +// Create valid V2 format user +db.addUser({name:'andy', pwd:'password', roles:['read']}); +assert.eq(1, admin.system.users.count()); +userObj = admin.system.users.findOne({name:'andy'}); +assert.eq('andy', userObj['name']); +assert.eq(passwordHash('andy', 'password'), userObj['credentials']['MONGODB-CR']); // test changing password -db.changeUserPassword('spencer', 'newpassword'); -assert.eq(1, db.system.users.count()); -userObj = db.system.users.findOne(); -assert.eq('spencer', userObj['user']); -assert.eq(passwordHash('spencer', 'newpassword'), userObj['pwd']); - - -jsTest.log("Testing new form of addUser"); +db.changeUserPassword('andy', 'newpassword'); +assert.eq(1, admin.system.users.count()); +userObj = admin.system.users.findOne(); +assert.eq('andy', userObj['name']); +assert.eq(passwordHash('andy', 'newpassword'), userObj['credentials']['MONGODB-CR']); -// Can't create old-style entries with new addUser helper. 
-assert.throws(function() {db.addUser({user:'noroles', pwd:'password'});}); // Should fail because user already exists -assert.throws(function() {db.addUser({user:'spencer', pwd:'password', roles:'read'});}); - -// Create valid extended form user -db.addUser({user:'andy', pwd:'password', roles:['read']}); -assert.eq(2, db.system.users.count()); -userObj = db.system.users.findOne({user:'andy'}); -assert.eq('andy', userObj['user']); -assert.eq(passwordHash('andy', 'password'), userObj['pwd']); -assert.eq('read', userObj['roles'][0]); +assert.throws(function() {db.addUser({user:'andy', pwd:'password', roles:['read']});}); // Create valid extended form external user -db.addUser({user:'andy', userSource:'$sasl', roles:['readWrite']}); -assert.eq(3, db.system.users.count()); -userObj = db.system.users.findOne({user:'andy', userSource:'$sasl'}); -assert.eq('andy', userObj['user']); -assert.eq('$sasl', userObj['userSource']); -assert.eq('readWrite', userObj['roles'][0]); -assert(!userObj['pwd']);
\ No newline at end of file +db.getSiblingDB("$external").addUser({user:'spencer', roles:['readWrite']}); +assert.eq(2, admin.system.users.count()); +userObj = admin.system.users.findOne({name:'spencer', source:'$external'}); +assert.eq('spencer', userObj['name']); +assert.eq('$external', userObj['source']); +assert(!userObj['credentials']); + + +// Create valid V2 format user using new helper format +db.addUser('bob', 'password', ['read']); +assert.eq(3, admin.system.users.count()); +userObj = admin.system.users.findOne({name:'bob'}); +assert.eq('bob', userObj['name']); +assert.eq(passwordHash('bob', 'password'), userObj['credentials']['MONGODB-CR']); diff --git a/jstests/auth/auth1.js b/jstests/auth/auth1.js index b5ff80d7bbe..0d1610a83d5 100644 --- a/jstests/auth/auth1.js +++ b/jstests/auth/auth1.js @@ -18,9 +18,11 @@ tRO = dbRO[ baseName ]; db.removeAllUsers(); -db.addUser( "eliot" , "eliot" ); -db.addUser( "guest" , "guest", true ); -db.getSisterDB( "admin" ).addUser( "super", "super" ); +db.getSisterDB( "admin" ).addUser( "super", "super", jsTest.adminUserRoles ); +db.getSisterDB("admin").auth("super", "super"); +db.addUser( "eliot" , "eliot", jsTest.basicUserRoles ); +db.addUser( "guest" , "guest", jsTest.readOnlyUserRoles ); +db.getSisterDB("admin").logout(); assert.throws( function() { t.findOne() }, [], "read without login" ); @@ -67,14 +69,6 @@ tRO.save( {} ); // fail assert( dbRO.getLastError() , "B5: " + tojson( dbRO.getLastErrorObj() ) ); assert.eq( 1000, tRO.count() , "B6" ); -// SERVER-4692 read-only users can't read system.users collection -assert.throws(function(){dbRO.system.users.findOne()}); -assert.throws(function(){dbRO.system.users.count()}); - -assert.eq( 2, db.system.users.count() , "B7" ); // rw connection -assert.throws(function(){dbRO.addUser( "a", "b" )}); -assert.eq( 2, db.system.users.count() , "B8"); // rw connection - assert.eq( 1000, tRO.group( p ).length , "C1" ); var p = { key : { i : true } , 
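Review bot: `userObj = admin.system.users.findOne({name:'andy'});` on the `+` lines assigns without `var`, and the `var userObj` declaration that previously preceded it is removed in the same hunk, so userObj becomes an implicit global for the rest of the file. Restore the declaration as `var userObj = admin.system.users.findOne({name:'andy'});`. The duplicate-user check further down passes `{user:'andy', pwd:'password', roles:['read']}` while the successful creation used `{name:'andy', ...}`; using the same document shape in both would make the throw attributable to the existing user rather than to the differing key.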
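Review bot: The second auth1.js hunk drops the SERVER-4692 regression check that a read-only user cannot read system.users or call addUser, without adding an equivalent against admin.system.users where users now live; that is a loss of negative coverage rather than a schema migration. If the read-only connection is still expected to be refused there, `assert.throws(function(){dbRO.getSisterDB("admin").system.users.findOne()});` and `assert.throws(function(){dbRO.addUser("a", "b", jsTest.basicUserRoles)});` would carry the intent forward. In the first hunk, `db.getSisterDB("admin").auth("super", "super")` ignores its return value; wrapping it in `assert(...)` would fail at setup rather than on the first user-creation call.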
diff --git a/jstests/auth/auth2.js b/jstests/auth/auth2.js index 4f30894253f..0c938f26872 100644 --- a/jstests/auth/auth2.js +++ b/jstests/auth/auth2.js @@ -12,7 +12,7 @@ t.drop(); users = db.getCollection( "system.users" ); assert.eq( 0 , users.count() ); -db.addUser( "eliot" , "eliot" ); +db.addUser( "eliot" , "eliot", jsTest.adminUserRoles ); assert.throws( function(){ db.users.count(); } ) diff --git a/jstests/auth/auth3.js b/jstests/auth/auth3.js index 93528f4173a..36bd9e342f9 100644 --- a/jstests/auth/auth3.js +++ b/jstests/auth/auth3.js @@ -2,7 +2,7 @@ var conn = MongoRunner.runMongod({auth : "", port : 31001}); var admin = conn.getDB("admin"); -admin.addUser("foo","bar"); +admin.addUser("foo","bar", jsTest.adminUserRoles); print("make sure curop, killop, and unlock fail"); diff --git a/jstests/auth/auth_helpers.js b/jstests/auth/auth_helpers.js index c0002e39a5e..371f09e4732 100644 --- a/jstests/auth/auth_helpers.js +++ b/jstests/auth/auth_helpers.js @@ -27,7 +27,7 @@ var admin = conn.getDB('admin'); var testedSomething = false; -admin.addUser('andy', 'a'); +admin.addUser('andy', 'a', jsTest.adminUserRoles); // If the server supports them MONGODB-CR, try all the ways to call db.auth that use MONGODB-CR. if (hasMongoCR) { diff --git a/jstests/auth/basic_role_auth.js b/jstests/auth/basic_role_auth.js index 59f4e0a3d93..ddb1229ec16 100644 --- a/jstests/auth/basic_role_auth.js +++ b/jstests/auth/basic_role_auth.js @@ -191,7 +191,7 @@ var testOps = function(db, allowedActions) { }); checkErr(allowedActions.hasOwnProperty('user_w'), function() { - db.addUser('a', 'a'); + db.addUser('a', 'a', jsTest.basicUserRoles); db.removeUser('a'); }, db); diff --git a/jstests/auth/db_multiple_login.js b/jstests/auth/db_multiple_login.js index dd4b0115cd5..bcb284d6848 100644 --- a/jstests/auth/db_multiple_login.js +++ b/jstests/auth/db_multiple_login.js 
@@ -33,7 +33,7 @@ var conn = MongoRunner.runMongod({ auth: "", smallfiles: "" }); var admin = conn.getDB("admin"); var test = conn.getDB("test"); -admin.addUser('admin', 'a'); +admin.addUser('admin', 'a', jsTest.adminUserRoles); assert(admin.auth('admin', 'a')); test.addUser({user: 'reader', pwd: 'a', roles: [ "read" ]}); test.addUser({user: 'writer', pwd: 'a', roles: [ "readWrite" ]}); diff --git a/jstests/auth/disable_compatibility_privileges.js b/jstests/auth/disable_compatibility_privileges.js deleted file mode 100644 index 0db9421cc37..00000000000 --- a/jstests/auth/disable_compatibility_privileges.js +++ /dev/null @@ -1,24 +0,0 @@ -// Test disabling old-style privilege documents at server startup. - -function assertGLEOK(status) { - assert(status.ok && status.err === null, - "Expected OK status object; found " + tojson(status)); -} - -function assertGLENotOK(status) { - assert(status.ok && status.err !== null, - "Expected not-OK status object; found " + tojson(status)); -} - -var conn = MongoRunner.runMongod({ auth: "", - smallfiles: "", - setParameter: "supportCompatibilityFormPrivilegeDocuments=false" - }); -var test = conn.getDB("test"); - -// Valid compatibility document shoudl fail. -test.system.users.insert({ user: "spencer", pwd: hex_md5("spencer:mongo:a"), readOnly: true }); -assertGLENotOK(test.getLastErrorObj()); - -test.system.users.insert({ user: "spencer", userSource: "test2", roles: ["dbAdmin"] }); -assertGLEOK(test.getLastErrorObj()); diff --git a/jstests/auth/implicit_privileges.js b/jstests/auth/implicit_privileges.js deleted file mode 100644 index a02f4b1954b..00000000000 --- a/jstests/auth/implicit_privileges.js +++ /dev/null 
@@ -1,92 +0,0 @@ -// Test implicit privilege acquisition. -// -// TODO: Rewrite user document creation portion of test when addUser shell helper is updated. - -// Raises an exception if "status" is not a GetLastError object indicating success. -function assertGLEOK(status) { - assert(status.ok && status.err === null, - "Expected OK status object; found " + tojson(status)); -} - -// Raises an exception if "status" is not a GetLastError object indicating failure. -function assertGLENotOK(status) { - assert(status.ok && status.err !== null, - "Expected not-OK status object; found " + tojson(status)); -} - -// Asserts that inserting "obj" into "collection" succeeds. -function assertInsertSucceeds(collection, obj) { - collection.insert(obj); - assertGLEOK(collection.getDB().getLastErrorObj()); -} - -// Asserts that inserting "obj" into "collection" fails. -function assertInsertFails(collection, obj) { - collection.insert(obj); - assertGLENotOK(collection.getDB().getLastErrorObj()); -} - -// Runs the function "action" with database objects for every database named in "dbNames", using -// "conn" as the connection object. 
-function withDbs(conn, dbNames, action) { - var dbs = []; - var i; - for (i = 0; i < dbNames.length; ++i) { - dbs.push(conn.getDB(dbNames[i])); - } - action.apply(null, dbs); -} - -var conn = MongoRunner.runMongod({ auth: "", smallfiles: "" }); -var admin = conn.getDB("admin"); -var test = conn.getDB("test"); -var test2 = conn.getDB("test2"); - -assert.commandWorked(admin.runCommand( - { createUser: 1, - user: 'root', - pwd: 'a', - roles: ["clusterAdmin", - "readWriteAnyDatabase", - "dbAdminAnyDatabase", - "userAdminAnyDatabase"] - })); - -var andyAddUserCommandTestDb = { - createUser: 1, - user: "andy", - pwd: "a", - roles: [ "readWrite" ] -}; - -var andyAddUserCommandTest2Db = { - createUser: 1, - user: "andy", - userSource: "test", - roles: [ "read" ] -}; - -assertInsertFails(test.foo, {}); -assert.commandFailed(test.runCommand(andyAddUserCommandTestDb)); -assert.throws(function() { test.foo.findOne(); }); -assert.throws(function() { test2.foo.findOne(); } ); - -assert(admin.auth('root', 'a')); -assert.commandWorked(test.runCommand(andyAddUserCommandTestDb)); -assert.commandWorked(test2.runCommand(andyAddUserCommandTest2Db)); -assertInsertSucceeds(test.foo, {_id: 0}); -assertInsertSucceeds(test2.foo, {_id: 0}); - -admin.logout(); - -assert(test.auth('andy', 'a')); -assertInsertSucceeds(test.foo, {_id: 1}); -assertInsertFails(test2.foo, {_id: 1}); -assert.eq(test.foo.findOne({_id: 1})._id, 1); -assert.eq(test2.foo.findOne({_id: 0})._id, 0); -assert(test.logout()); -assertInsertFails(test.foo, {}); -assert.commandFailed(test.runCommand(andyAddUserCommandTestDb)); -assert.throws(function() { test.foo.findOne(); }); -assert.throws(function() { test2.foo.findOne(); } ); - diff --git a/jstests/auth/indexSystemUsers.js b/jstests/auth/indexSystemUsers.js index 0e26cc6ff76..6d5451a32cb 100644 --- a/jstests/auth/indexSystemUsers.js +++ b/jstests/auth/indexSystemUsers.js 
@@ -11,26 +11,25 @@ var adminDB = conn.getDB("admin"); var testDB = conn.getDB("test"); adminDB.addUser({user:'admin', pwd:'x', roles:['userAdminAnyDatabase']}); adminDB.auth('admin','x'); -adminDB.addUser({user:'mallory', pwd:'x', roles:[], otherDBRoles:{test:['readWrite']}}); -testDB.addUser({user:'user1', pwd:'x', roles:['read']}); -testDB.addUser({user:'user2', pwd:'x', roles:['read']}); -assert.eq(2, testDB.system.users.count()); +adminDB.addUser({user:'mallory', pwd:'x', roles:['readWriteAnyDatabase']}); +testDB.addUser({user:'user', pwd:'x', roles:['read']}); +assert.eq(3, adminDB.system.users.count()); adminDB.logout(); adminDB.auth('mallory', 'x'); -testDB.system.users.createIndex({haxx:1}, {unique:true, dropDups:true}); -assertGLENotOK(testDB.getLastErrorObj()); -testDB.exploit.system.indexes.insert({ns: "test.system.users", key: { haxx: 1.0 }, name: "haxx_1", - unique: true, dropDups: true}); +adminDB.system.users.createIndex({haxx:1}, {unique:true, dropDups:true}); +assertGLENotOK(adminDB.getLastErrorObj()); +adminDB.exploit.system.indexes.insert({ns: "admin.system.users", key: { haxx: 1.0 }, name: "haxx_1", + unique: true, dropDups: true}); assertGLENotOK(testDB.getLastErrorObj()); // Make sure that no indexes were built. assert.eq(null, - testDB.system.namespaces.findOne( - {$and : [{name : /^test\.system\.users\.\$/}, - {name : {$ne : "test.system.users.$_id_"}}, - {name : {$ne : "test.system.users.$user_1_userSource_1"}} ]})); + adminDB.system.namespaces.findOne( + {$and : [{name : /^admin\.system\.users\.\$/}, + {name : {$ne : "admin.system.users.$_id_"}}, + {name : {$ne : "admin.system.users.$name_1_source_1"}} ]})); adminDB.logout(); adminDB.auth('admin','x'); // Make sure that no users were actually dropped -assert.eq(2, testDB.system.users.count());
\ No newline at end of file +assert.eq(3, adminDB.system.users.count());
\ No newline at end of file diff --git a/jstests/auth/invalidRole.js b/jstests/auth/invalidRole.js deleted file mode 100644 index 720c8cb85d9..00000000000 --- a/jstests/auth/invalidRole.js +++ /dev/null @@ -1,20 +0,0 @@ -// Test that authenticating as a user with an invalid role doesn't prevent acquiriing privileges -// from other, valid, roles. -var conn = MongoRunner.runMongod({auth : ""}); - -var adminDB = conn.getDB("admin"); -var testDB = conn.getDB("testdb"); - -testDB.foo.insert({a:1}); - -testDB.addUser({user:'spencer', - pwd:'password', - roles:['invalidRole', 'readWrite']}); - -adminDB.addUser({user:'admin', - pwd:'password', - roles:['userAdminAnyDatabase']}); - -assert.throws(function() { testDB.foo.findOne(); }); -testDB.auth('spencer', 'password'); -assert.eq(1, testDB.foo.findOne().a); diff --git a/jstests/auth/js_scope_leak.js b/jstests/auth/js_scope_leak.js index 667863d4de5..d3c72ca5e4e 100644 --- a/jstests/auth/js_scope_leak.js +++ b/jstests/auth/js_scope_leak.js @@ -7,15 +7,15 @@ // // These transitions are tested for dbEval, $where, MapReduce and $group -var conn = MongoRunner.runMongod({ auth: "", smallfiles: ""}); +var conn = MongoRunner.runMongod({ smallfiles: ""}); var test = conn.getDB("test"); // insert a single document and add two test users test.foo.insert({a:1}); test.getLastError(); assert.eq(1, test.foo.findOne().a); -test.addUser('a', 'a'); -test.addUser('b', 'b'); +test.addUser('a', 'a', jsTest.basicUserRoles); +test.addUser('b', 'b', jsTest.basicUserRoles); function missingOrEquals(string) { return 'function() { ' diff --git a/jstests/auth/localhostAuthBypass.js b/jstests/auth/localhostAuthBypass.js index 46761e763fd..c1b62e67c66 100644 --- a/jstests/auth/localhostAuthBypass.js +++ b/jstests/auth/localhostAuthBypass.js 
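Review bot: The second index-insertion attempt now targets `adminDB.exploit.system.indexes`, but the unchanged line after it still checks `testDB.getLastErrorObj()`; this presumably only passes because getLastError is connection-scoped, and it is inconsistent with the createIndex check two lines earlier that reads adminDB. Change it to `assertGLENotOK(adminDB.getLastErrorObj());` so the assertion reads the error for the database that was actually written.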
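Review bot: Removing `auth: ""` from the runMongod options in js_scope_leak.js means the server under test no longer enforces authentication, so the `test.addUser` calls below create users whose credentials are never required by the dbEval/$where/MapReduce/$group transitions the file header says it exercises. If the scope leak is observable regardless of enforcement, a one-line comment at the runMongod call stating why `auth` was dropped would stop the next reader from re-adding it; if not, the option should stay. The transitions themselves lie outside this hunk, so I cannot tell which applies.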
@@ -12,7 +12,7 @@ var host = "localhost:" + port; var addUser = function(mongo) { print("============ adding a user."); - mongo.getDB("admin").addUser(username, password); + mongo.getDB("admin").addUser(username, password, jsTest.adminUserRoles); }; var assertCannotRunCommands = function(mongo) { diff --git a/jstests/auth/log_userid_off.js b/jstests/auth/log_userid_off.js index 85a1cc5f79e..77b580a24f2 100644 --- a/jstests/auth/log_userid_off.js +++ b/jstests/auth/log_userid_off.js @@ -8,7 +8,7 @@ var doTest = function (mongo, callSetParam) { var TEST_PWD = 'bar'; var testDB = mongo.getDB('test'); - testDB.addUser(TEST_USER, TEST_PWD); + testDB.addUser(TEST_USER, TEST_PWD, jsTest.basicUserRoles); testDB.auth(TEST_USER, TEST_PWD); testDB.runCommand({ dbStats: 1 }); diff --git a/jstests/auth/logout_reconnect.js b/jstests/auth/logout_reconnect.js index 5646a30a292..775c3010920 100644 --- a/jstests/auth/logout_reconnect.js +++ b/jstests/auth/logout_reconnect.js @@ -15,8 +15,10 @@ conn = MongoRunner.runMongod({ // create user with rw permissions and login var testDB = conn.getDB('test'); var adminDB = conn.getDB('admin'); -testDB.addUser({user:'rwuser', pwd:'rwuser', roles:['readWrite']}) adminDB.addUser({user:'admin', pwd:'admin', roles:['userAdminAnyDatabase']}); +adminDB.auth('admin','admin'); +testDB.addUser({user:'rwuser', pwd:'rwuser', roles:['readWrite']}) +adminDB.logout(); testDB.auth('rwuser', 'rwuser'); // verify that the rwuser can read and write diff --git a/jstests/auth/mr_auth.js b/jstests/auth/mr_auth.js index c4384c9bdad..669aa50ca9b 100644 --- a/jstests/auth/mr_auth.js +++ b/jstests/auth/mr_auth.js 
@@ -21,9 +21,11 @@ for( var i = 0; i < 1000; i++) t.insert( {_id:i, x:i%10, y:i%100} ); assert.eq( 1000, t.count(), "inserts failed" ); d.removeAllUsers(); -d.addUser( "write" , "write" ); -d.addUser( "read" , "read", true ); -d.getSisterDB( "admin" ).addUser( "admin", "admin" ); +d.getSisterDB( "admin" ).addUser( "admin", "admin", jsTest.adminUserRoles ); +d.getSisterDB( "admin" ).auth('admin', 'admin'); +d.addUser( "write" , "write", jsTest.basicUserRoles ); +d.addUser( "read" , "read", jsTest.readOnlyUserRoles ); +d.getSisterDB( "admin" ).logout(); t.mapReduce( map, red, {out: { inline: 1 }} ) diff --git a/jstests/auth/otherDBRoles.js b/jstests/auth/otherDBRoles.js deleted file mode 100644 index 5d3586b44bb..00000000000 --- a/jstests/auth/otherDBRoles.js +++ /dev/null 
@@ -1,46 +0,0 @@ -var conn = MongoRunner.runMongod({auth : ""}); - -function assertGLENotOK(status) { - assert(status.ok && status.err !== null, - "Expected not-OK status object; found " + tojson(status)); -} - -function assertGLEOK(status) { - assert(status.ok && status.err === null, - "Expected OK status object; found " + tojson(status)); -} - -var adminDB = conn.getDB("admin"); -var testDB = conn.getDB("test"); -var test2DB = conn.getDB("test2"); - -// Can't use otherDBRoles outside of admin DB -assert.throws(function() { - testDB.addUser({user:'spencer', - pwd:'x', - roles:[], - otherDBRoles: {test2: ['readWrite']}}); - }); - -testDB.addUser({user: 'spencer', pwd: 'x', roles: ['readWrite']}); - -adminDB.addUser({user:'spencer', - userSource: 'test', - roles:[], - otherDBRoles: {test: ['dbAdmin'], test2: ['readWrite']}}); - -testDB.auth('spencer', 'x'); - -testDB.foo.insert({a:1}); -assertGLEOK(testDB.getLastErrorObj()); -assert.eq(1, testDB.foo.findOne().a); - -// Make sure user got the dbAdmin role -assert.commandWorked(testDB.foo.runCommand("compact")); - -// Make sure the user got privileges on the test2 database. -test2DB.foo.insert({a:1}); -assertGLEOK(test2DB.getLastErrorObj()); -assert.eq(1, test2DB.foo.findOne().a); - -assert.commandFailed(test2DB.foo.runCommand("compact"));
\ No newline at end of file diff --git a/jstests/auth/profile.js b/jstests/auth/profile.js index bad7b215fef..b566d2eaad5 100644 --- a/jstests/auth/profile.js +++ b/jstests/auth/profile.js @@ -3,8 +3,8 @@ var conn = startMongodTest(); var db1 = conn.getDB("profile-a"); var db2 = db1.getSisterDB("profile-b"); var username = "user"; -db1.addUser(username, "password"); -db2.addUser(username, "password"); +db1.addUser(username, "password", jsTest.basicUserRoles); +db2.addUser(username, "password", jsTest.basicUserRoles); function lastOp(db) { diff --git a/jstests/auth/readIndex.js b/jstests/auth/readIndex.js index 5748c6bf1e2..39ef54b31f8 100644 --- a/jstests/auth/readIndex.js +++ b/jstests/auth/readIndex.js @@ -10,14 +10,10 @@ testDB.addUser({user:'dbAdmin', pwd:'password', roles:['dbAdmin']}); -adminDB.addUser({user:'admin', - pwd:'password', - roles:['userAdminAnyDatabase']}); // To disable localhost auth bypass - testDB.auth('dbAdmin', 'password'); testDB.foo.ensureIndex({a:1}); -assert.eq(4, testDB.system.indexes.count()); // 2 for system.users, 2 for foo +assert.eq(2, testDB.system.indexes.count()); // index on 'a' plus default _id index var indexDoc = testDB.system.indexes.findOne({key:{a:1}}); printjson(indexDoc); assert.neq(null, indexDoc); -assert.eq(4, testDB.system.indexes.stats().count);
\ No newline at end of file +assert.eq(2, testDB.system.indexes.stats().count);
\ No newline at end of file diff --git a/jstests/auth/rename.js b/jstests/auth/rename.js index 5411298cd44..bffda60383b 100644 --- a/jstests/auth/rename.js +++ b/jstests/auth/rename.js @@ -9,16 +9,18 @@ db1 = m.getDB( baseName ) db2 = m.getDB( baseName + '_other' ) admin = m.getDB( 'admin' ) -// auth not yet checked since we are on localhost -db1.addUser( "foo", "bar" ); -db2.addUser( "bar", "foo" ); +// Setup initial data +admin.addUser('admin', 'password', jsTest.adminUserRoles); +admin.auth('admin', 'password') + +db1.addUser( "foo", "bar", jsTest.basicUserRoles ); +db2.addUser( "bar", "foo", jsTest.basicUserRoles ); printjson(db1.a.count()); db1.a.save({}); assert.eq(db1.a.count(), 1); -//this makes auth required on localhost -admin.addUser('not', 'used'); +admin.logout(); // can't run same db w/o auth assert.commandFailed( admin.runCommand({renameCollection:db1.a.getFullName(), to: db1.b.getFullName()}) ); diff --git a/jstests/auth/renameSystemCollections.js b/jstests/auth/renameSystemCollections.js index 96ea309b3d3..4d3e67035b1 100644 --- a/jstests/auth/renameSystemCollections.js +++ b/jstests/auth/renameSystemCollections.js 
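Review bot: The removed admin user in readIndex.js carried the comment "To disable localhost auth bypass", and nothing in the new code replaces that step, so the `testDB.auth('dbAdmin', 'password')` that follows may be succeeding through the localhost exception rather than through the dbAdmin role if the bypass is still active with only a testDB user present. If creating a user in any database now disables the bypass, a short comment on the addUser line saying so would make that dependency explicit; otherwise the admin user should come back. The updated index counts on the `+` lines are consistent with users no longer being stored in testDB.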
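Review bot: `admin.auth('admin', 'password')` on the `+` lines of rename.js is the only statement in the hunk without a terminating semicolon, and its return value is ignored, so a failed login would only show up later as unauthorized errors on unrelated lines. Write it as `assert(admin.auth('admin', 'password'));` to match the file's semicolon style and fail at the point the setup goes wrong.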
@@ -7,83 +7,64 @@ var testDB2 = conn.getDB("testdb2"); var CodeUnauthorized = 13; -testDB.addUser({user:'spencer', - pwd:'password', - roles:['readWrite']}); - adminDB.addUser({user:'userAdmin', pwd:'password', roles:['userAdminAnyDatabase']}); -var userAdminConn = new Mongo(conn.host); -userAdminConn.getDB('admin').auth('userAdmin', 'password'); -userAdminConn.getDB('admin').addUser({user:'readWriteAdmin', - pwd:'password', - roles:['readWriteAnyDatabase']}); +adminDB.auth('userAdmin', 'password'); +adminDB.addUser({user:'readWriteAdmin', + pwd:'password', + roles:['readWriteAnyDatabase']}); +adminDB.addUser({user:'readWriteAndUserAdmin', + pwd:'password', + roles:['readWriteAnyDatabase', 'userAdminAnyDatabase']}); +adminDB.logout(); -// Test that a readWrite user can't rename system.profile to something they can read. -testDB.auth('spencer', 'password'); -res = testDB.system.profile.renameCollection("profile"); +jsTestLog("Test that a readWrite user can't rename system.profile to something they can read"); +adminDB.auth('readWriteAdmin', 'password'); +res = adminDB.system.profile.renameCollection("profile"); assert.eq(0, res.ok); assert.eq(CodeUnauthorized, res.code); -// Test that a readWrite user can't rename system.users to something they can read. 
-var res = testDB.system.users.renameCollection("users"); +jsTestLog("Test that a readWrite user can't rename system.users to something they can read"); +var res = adminDB.system.users.renameCollection("users"); assert.eq(0, res.ok); assert.eq(CodeUnauthorized, res.code); -assert.eq(0, testDB.users.count()); +assert.eq(0, adminDB.users.count()); -// Test that a readWrite user can't use renameCollection to override system.users -testDB.users.insert({user:'backdoor', +jsTestLog("Test that a readWrite user can't use renameCollection to override system.users"); +adminDB.users.insert({user:'backdoor', pwd:'hashedpassword', roles:'userAdmin'}); -res = testDB.users.renameCollection("system.users", true); +res = adminDB.users.renameCollection("system.users", true); assert.eq(0, res.ok); assert.eq(CodeUnauthorized, res.code); -assert.eq(null, userAdminConn.getDB('testdb').system.users.findOne({user:'backdoor'})); +adminDB.users.drop(); - -// Test that a readWrite user can't create system.users using renameCollection -adminDB.auth('readWriteAdmin', 'password'); -testDB2.users.insert({user:'backdoor', - pwd:'hashedpassword', - roles:'userAdmin'}); -res = testDB2.users.renameCollection("system.users"); -assert.eq(0, res.ok); -assert.eq(CodeUnauthorized, res.code); -assert.eq(0, userAdminConn.getDB('testdb2').system.users.count()); - - -// Test that you can't rename system.users across databases -testDB2.users.drop(); -var res = adminDB.runCommand({renameCollection:'testdb.system.users', to:'testdb2.users'}); -assert.eq(0, res.ok); -assert.eq(CodeUnauthorized, res.code); -assert.eq(0, testDB2.users.count()); - - -// Test that a userAdmin can't rename system.users without readWrite -testDB.users.drop(); -var res = userAdminConn.getDB('testdb').system.users.renameCollection("users"); +jsTestLog("Test that a userAdmin can't rename system.users without readWrite"); +adminDB.logout(); +adminDB.auth('userAdmin', 'password'); +var res = adminDB.system.users.renameCollection("users"); 
assert.eq(0, res.ok); assert.eq(CodeUnauthorized, res.code); -assert.eq(0, testDB.users.count()); +assert.eq(3, adminDB.system.users.count()); +adminDB.auth('readWriteAndUserAdmin', 'password'); +assert.eq(0, adminDB.users.count()); -// Test that with userAdmin AND dbAdmin you CAN rename to/from system.users -adminDB.auth('userAdmin', 'password'); -var res = testDB.system.users.renameCollection("users"); +jsTestLog("Test that with userAdmin AND dbAdmin you CAN rename to/from system.users"); +var res = adminDB.system.users.renameCollection("users"); assert.eq(1, res.ok); -assert.eq(1, testDB.users.count()); +assert.eq(3, adminDB.users.count()); -testDB.users.drop(); -testDB.users.insert({user:'newUser', - pwd:'hashedPassword', - roles:['readWrite']}); -var res = testDB.users.renameCollection("system.users"); +adminDB.users.drop(); +adminDB.users.insert({user:'newUser', + pwd:'hashedPassword', + roles:['readWrite']}); +var res = adminDB.users.renameCollection("system.users"); assert.eq(1, res.ok); -assert.neq(null, testDB.system.users.findOne({user:'newUser'})); -assert.eq(null, testDB.system.users.findOne({user:'spencer'})); +assert.neq(null, adminDB.system.users.findOne({user:'newUser'})); +assert.eq(null, adminDB.system.users.findOne({user:'userAdmin'})); diff --git a/jstests/auth/server-4892.js b/jstests/auth/server-4892.js index 8377ab46aa3..6bf745eedd8 100644 --- a/jstests/auth/server-4892.js +++ b/jstests/auth/server-4892.js 
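Review bot: The final assertion `assert.eq(null, adminDB.system.users.findOne({user:'userAdmin'}))` is vacuous under the new schema: users created through addUser are stored with a `name` field (the adduser_helper.js hunk queries `{name:'andy'}`), so a query on `user` returns null whether or not the userAdmin entry was removed by the rename. Change it to `assert.eq(null, adminDB.system.users.findOne({name:'userAdmin'}));` so it actually proves the original document is gone. Separately, the two removed cases covering rename across databases (the testdb2 case and the `renameCollection:'testdb.system.users', to:'testdb2.users'` command) have no admin-side replacement; with all users now in admin.system.users, the case worth keeping is a readWriteAnyDatabase user renaming a collection from another database onto admin.system.users, which the addition below would cover while readWriteAdmin is still authenticated (testDB is declared before this hunk).
```javascript
jsTestLog("Test that a readWrite user can't rename a collection from another db onto system.users");
testDB.users.insert({user:'backdoor', pwd:'hashedpassword', roles:'userAdmin'});
res = adminDB.runCommand({renameCollection:'testdb.users', to:'admin.system.users', dropTarget:true});
assert.eq(0, res.ok);
assert.eq(CodeUnauthorized, res.code);
testDB.users.drop();
// … unchanged: userAdmin-only rename test …
```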
@@ -49,13 +49,15 @@ with_mongod( ['--noauth'], function setupTest( mongod ) { conn = new Mongo( mongod.host ); admin = conn.getDB( 'admin' ); somedb = conn.getDB( 'somedb' ); - admin.addUser( 'admin', 'admin' ); - somedb.addUser( 'frim', 'fram' ); + admin.addUser( 'admin', 'admin', jsTest.adminUserRoles ); + admin.auth('admin', 'admin'); + somedb.addUser( 'frim', 'fram', jsTest.basicUserRoles ); somedb.data.drop(); for (var i = 0; i < 10; ++i) { somedb.data.insert( { val: i } ); assert ( ! somedb.getLastError() ); } + admin.logout(); } ); with_mongod( ['--auth'], function runTest( mongod ) { diff --git a/jstests/auth/show_log_auth.js b/jstests/auth/show_log_auth.js index e28703aa1f1..57ed37abc5e 100644 --- a/jstests/auth/show_log_auth.js +++ b/jstests/auth/show_log_auth.js @@ -6,7 +6,7 @@ var baseName = "jstests_show_log_auth"; var m = startMongod( "--auth", "--port", port, "--dbpath", "/data/db/" + baseName, "--nohttpinterface", "--bind_ip", "127.0.0.1" , "--nojournal" , "--smallfiles" ); var db = m.getDB( "admin" ); -db.addUser( "admin" , "pass" ); +db.addUser( "admin" , "pass", jsTest.adminUserRoles ); // Temporarily capture this shell's print() output var oldprint = print, printed = []; diff --git a/jstests/auth/system_user_privileges.js b/jstests/auth/system_user_privileges.js index 89a689969f0..61e363a2480 100644 --- a/jstests/auth/system_user_privileges.js +++ b/jstests/auth/system_user_privileges.js @@ -35,7 +35,7 @@ // // Preliminary set up. // - admin.addUser('admin', 'a'); + admin.addUser('admin', 'a', jsTest.adminUserRoles); admin.auth('admin', 'a'); // @@ -86,7 +86,7 @@ assertCountUnauthorized(conn, "test", "foo"); // - // Validate that __system@test is not shadowed by the keyfile __system user. + // Validate that __system@admin is not shadowed by the keyfile __system user. // admin.auth('__system', 'a'); assertCountUnauthorized(conn, "admin", "foo"); diff --git a/jstests/auth1.js b/jstests/auth1.js index 5bb7bc5e908..843d7ffa2c0 100644 
--- a/jstests/auth1.js +++ b/jstests/auth1.js @@ -3,7 +3,7 @@ db.removeAllUsers(); pass = "a" + Math.random(); //print( "password [" + pass + "]" ); -db.addUser( "eliot" , pass, false, 1 ); +db.addUser( "eliot" , pass, jsTest.basicUserRoles, 1 ); assert( db.auth( "eliot" , pass ) , "auth failed" ); assert( ! db.auth( "eliot" , pass + "a" ) , "auth should have failed" ); @@ -22,30 +22,30 @@ assert( ! db.auth( "eliot" , pass2 ) , "didn't remove user" ); var a = db.getMongo().getDB( "admin" ); a.removeAllUsers(); pass = "c" + Math.random(); -a.addUser( "super", pass, false, 1 ); +a.addUser( "super", pass, jsTest.adminUserRoles, 1 ); assert( a.auth( "super" , pass ) , "auth failed" ); assert( !a.auth( "super" , pass + "a" ) , "auth should have failed" ); db.removeAllUsers(); pass = "a" + Math.random(); -db.addUser( "eliot" , pass, false, 1 ); +db.addUser( "eliot" , pass, jsTest.basicUserRoles, 1 ); assert.commandFailed( db.runCommand( { authenticate: 1, user: "eliot", nonce: "foo", key: "bar" } ) ); // check sanity check SERVER-3003 -before = db.system.users.count() +before = a.system.users.count() assert.throws( function(){ - db.addUser( "" , "abc", false, 1 ) + db.addUser( "" , "abc", jsTest.basicUserRoles, 1 ) } , null , "C1" ) assert.throws( function(){ - db.addUser( "abc" , "", false, 1 ) + db.addUser( "abc" , "", jsTest.basicUserRoles, 1 ) } , null , "C2" ) -after = db.system.users.count() +after = a.system.users.count() assert( before > 0 , "C3" ) assert.eq( before , after , "C4" ) diff --git a/jstests/auth_copydb2.js b/jstests/auth_copydb2.js index fd67dbfded9..1f506f23e9e 100644 --- a/jstests/auth_copydb2.js +++ b/jstests/auth_copydb2.js 
@@ -3,10 +3,12 @@ b = db.getSisterDB( "copydb2-test-b" ); a.dropDatabase(); b.dropDatabase(); +a.removeAllUsers(); +b.removeAllUsers(); a.foo.save( { a : 1 } ); -a.addUser( "chevy" , "chase", false, 1 ); +a.addUser( "chevy" , "chase", jsTest.basicUserRoles, 1 ); assert.eq( 1 , a.foo.count() , "A" ); assert.eq( 0 , b.foo.count() , "B" ); diff --git a/jstests/connection_status.js b/jstests/connection_status.js index 6b4449be2f8..0bb8392427c 100644 --- a/jstests/connection_status.js +++ b/jstests/connection_status.js @@ -5,7 +5,7 @@ var myDB = db.getSiblingDB(dbName); myDB.removeAllUsers(); function test(userName) { - myDB.addUser(userName, "weak password"); + myDB.addUser(userName, "weak password", jsTest.basicUserRoles); myDB.auth(userName, "weak password"); var output = myDB.runCommand("connectionStatus"); diff --git a/jstests/evalb.js b/jstests/evalb.js index 1e043619f4b..0ce29b2997c 100644 --- a/jstests/evalb.js +++ b/jstests/evalb.js @@ -16,7 +16,7 @@ function lastOp() { try { username = 'jstests_evalb_user'; - db.addUser( username, 'password', false, 1 ); + db.addUser( username, 'password', jsTest.basicUserRoles, 1 ); db.auth( username, 'password' ); t = db.evalb; diff --git a/jstests/profile1.js b/jstests/profile1.js index 138c3d94ff5..1662ab35ff0 100644 --- a/jstests/profile1.js +++ b/jstests/profile1.js @@ -17,7 +17,7 @@ var db = db.getSisterDB("profile1"); try { username = "jstests_profile1_user"; - db.addUser( username, "password", false, 1 ); + db.addUser( username, "password", jsTest.basicUserRoles, 1 ); db.auth( username, "password" ); function profileCursor( query ) { diff --git a/jstests/profile3.js b/jstests/profile3.js index 5a350cdf089..c8e8b2ae82c 100644 --- a/jstests/profile3.js +++ b/jstests/profile3.js 
@@ -16,7 +16,7 @@ profileCursor = function( query ) {
 try {
 username = "jstests_profile3_user";
- db.addUser( username, "password", false, 1 );
+ db.addUser( username, "password", jsTest.basicUserRoles, 1 );
 db.auth( username, "password" );
 db.setProfilingLevel(0);
diff --git a/jstests/profile4.js b/jstests/profile4.js
index 639d6eb7e9e..13632cdffba 100644
--- a/jstests/profile4.js
+++ b/jstests/profile4.js
@@ -28,7 +28,7 @@ function checkLastOp( spec ) {
 try {
 username = "jstests_profile4_user";
- db.addUser( username, "password", false, 1 );
+ db.addUser( username, "password", jsTest.basicUserRoles, 1 );
 db.auth( username, "password" );
 db.setProfilingLevel(0);
diff --git a/jstests/repl/repl_auth.js b/jstests/repl/repl_auth.js
index 8c3318373ec..56658e5ccfb 100644
--- a/jstests/repl/repl_auth.js
+++ b/jstests/repl/repl_auth.js
@@ -4,7 +4,7 @@ var baseName = "jstests_repl11test";
 var keyFilePath = "jstests/libs/key1";
 setAdmin = function( n ) {
- n.getDB( "admin" ).addUser( "super", "super", false, 3 );
+ n.getDB( "admin" ).addUser( "super", "super", jsTest.adminUserRoles, 3 );
 }
 auth = function( n ) {
@@ -16,12 +16,12 @@ doTest = function(signal, extraOpts) {
 rt = new ReplTest( baseName );
 m = rt.start( true, {}, false, true );
- m.getDB( baseName ).addUser( "test", "test", false, 3 );
+ m.getDB( baseName ).addUser( "test", "test", jsTest.basicUserRoles, 3 );
+ setAdmin( m );
 rt.stop( true );
 s = rt.start( false, {}, false, true );
- setAdmin( s );
 rt.stop( false );
 m = rt.start( true, { auth:null, keyFile: keyFilePath }, true );
diff --git a/jstests/replsets/auth1.js b/jstests/replsets/auth1.js
index f6a9d654977..84035b890d9 100644
--- a/jstests/replsets/auth1.js
+++ b/jstests/replsets/auth1.js
@@ -36,8 +36,8 @@ run("chmod", "600", path+"key2");
 print("add a user to server0: foo");
 m = startMongodTest( port[0], name+"-0", 0 );
-m.getDB("admin").addUser("foo", "bar");
-m.getDB("test").addUser("bar", "baz");
+m.getDB("admin").addUser("foo", "bar", jsTest.adminUserRoles);
+m.getDB("test").addUser("bar", "baz", jsTest.basicUserRoles);
 print("make sure user is written before shutting down");
 m.getDB("test").getLastError();
 stopMongod(port[0]);
diff --git a/jstests/replsets/auth2.js b/jstests/replsets/auth2.js
index 4a38c387aee..eb74b883c30 100644
--- a/jstests/replsets/auth2.js
+++ b/jstests/replsets/auth2.js
@@ -84,7 +84,7 @@ var rs = setupReplSet();
 var master = rs.getMaster();
 print("add an admin user");
-master.getDB("admin").addUser("foo","bar",false,3);
+master.getDB("admin").addUser("foo","bar",jsTest.adminUserRoles,3);
 m = rs.nodes[0];
 print("starting 1 and 2 with key file");
diff --git a/jstests/replsets/auth3.js b/jstests/replsets/auth3.js
index 7408e8a34a5..624f87b4e2e 100644
--- a/jstests/replsets/auth3.js
+++ b/jstests/replsets/auth3.js
@@ -7,7 +7,7 @@ rs.initiate();
 master = rs.getMaster();
 print("adding user");
-master.getDB("admin").addUser("foo", "bar", false, 2);
+master.getDB("admin").addUser("foo", "bar", jsTest.adminUserRoles, 2);
 var checkValidState = function(i) {
 assert.soon(function() {
diff --git a/jstests/replsets/localhostAuthBypass.js b/jstests/replsets/localhostAuthBypass.js
index 1384bb875fc..eef40c4a774 100644
--- a/jstests/replsets/localhostAuthBypass.js
+++ b/jstests/replsets/localhostAuthBypass.js
@@ -11,7 +11,7 @@ var password = "bar";
 var addUser = function(mongo) {
 print("============ adding a user.");
- mongo.getDB("admin").addUser(username, password);
+ mongo.getDB("admin").addUser(username, password, jsTest.adminUserRoles);
 };
 var assertCannotRunCommands = function(mongo) {
diff --git a/jstests/sharding/auth.js b/jstests/sharding/auth.js
index d0868978208..5b1e559a8c4 100644
--- a/jstests/sharding/auth.js
+++ b/jstests/sharding/auth.js
@@ -52,7 +52,7 @@ if (user) {
 } else {
 print("adding user");
- s.getDB(adminUser.db).addUser(adminUser.username, adminUser.password);
+ s.getDB(adminUser.db).addUser(adminUser.username, adminUser.password, jsTest.adminUserRoles);
 }
 login(adminUser);
@@ -112,8 +112,11 @@ s.getDB("admin").runCommand({shardCollection : "test.foo", key : {x : 1}});
 d1.waitForState( d1.getSecondaries(), d1.SECONDARY, 5 * 60 * 1000 )
-s.getDB(testUser.db).addUser(testUser.username, testUser.password , false, 3 )
-s.getDB(testUserReadOnly.db).addUser(testUserReadOnly.username, testUserReadOnly.password, true, 3 )
+s.getDB(testUser.db).addUser(testUser.username, testUser.password , jsTest.basicUserRoles, 3 )
+s.getDB(testUserReadOnly.db).addUser(testUserReadOnly.username,
+ testUserReadOnly.password,
+ jsTest.readOnlyUserRoles,
+ 3);
 logout(adminUser);
@@ -235,8 +238,12 @@ logout(adminUser);
 d2.waitForState( d2.getSecondaries(), d2.SECONDARY, 5 * 60 * 1000 )
 // add admin on shard itself, hack to prevent localhost auth bypass
-d1.getMaster().getDB(adminUser.db).addUser(adminUser.username, adminUser.password, false, 3);
-d2.getMaster().getDB(adminUser.db).addUser(adminUser.username, adminUser.password, false, 3);
+d1.getMaster().getDB(adminUser.db).addUser(adminUser.username,
+ adminUser.password,
+ jsTest.adminUserRoles, 3);
+d2.getMaster().getDB(adminUser.db).addUser(adminUser.username,
+ adminUser.password,
+ jsTest.adminUserRoles, 3);
 login(testUser);
 print( "testing map reduce" );
diff --git a/jstests/sharding/auth2.js b/jstests/sharding/auth2.js
index 27d529147e9..ecefcf4d6b3 100644
--- a/jstests/sharding/auth2.js
+++ b/jstests/sharding/auth2.js
@@ -8,7 +8,7 @@ var mongos = st.s;
 var adminDB = mongos.getDB('admin');
 var db = mongos.getDB('test')
-adminDB.addUser('admin', 'password');
+adminDB.addUser('admin', 'password', jsTest.adminUserRoles);
 jsTestLog( "Add user was successful" );
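Review bot: In the `@@ -112` hunk the two rewritten addUser calls are styled differently from each other: the testUser line keeps the stray space before the comma (`testUser.password ,`) and has no terminating semicolon, while the testUserReadOnly call directly below is wrapped one argument per line and ends with `3);`. Since the line is being rewritten anyway, `s.getDB(testUser.db).addUser(testUser.username, testUser.password, jsTest.basicUserRoles, 3);` would match its neighbour and the `d1`/`d2` calls in the `@@ -235` hunk. Purely cosmetic; the role change itself looks right.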
diff --git a/jstests/sharding/authConnectionHook.js b/jstests/sharding/authConnectionHook.js
index b4174a88f99..6c1f2d3f08e 100644
--- a/jstests/sharding/authConnectionHook.js
+++ b/jstests/sharding/authConnectionHook.js
@@ -7,7 +7,7 @@ var mongos = st.s;
 var adminDB = mongos.getDB('admin');
 var db = mongos.getDB('test')
-adminDB.addUser('admin', 'password');
+adminDB.addUser('admin', 'password', jsTest.adminUserRoles);
 adminDB.auth('admin', 'password');
diff --git a/jstests/sharding/auth_add_shard.js b/jstests/sharding/auth_add_shard.js
index 31f5cf8a143..de518b1ab7d 100644
--- a/jstests/sharding/auth_add_shard.js
+++ b/jstests/sharding/auth_add_shard.js
@@ -33,7 +33,7 @@ if (user) {
 } else {
 print("adding user");
- mongos.getDB(adminUser.db).addUser(adminUser.username, adminUser.password);
+ mongos.getDB(adminUser.db).addUser(adminUser.username, adminUser.password, jsTest.adminUserRoles);
 }
 //login as admin user
diff --git a/jstests/sharding/auth_repl.js b/jstests/sharding/auth_repl.js
index 38b03d40a42..837381f6f58 100644
--- a/jstests/sharding/auth_repl.js
+++ b/jstests/sharding/auth_repl.js
@@ -26,12 +26,12 @@ assert(doc != null);
 // Add admin user using direct connection to primary to simulate connection from remote host
 var adminDB = primary.getDB('admin');
-adminDB.addUser('user', 'user', false, nodeCount);
+adminDB.addUser('user', 'user', jsTest.adminUserRoles, nodeCount);
 adminDB.runCommand({ getLastError: 1, w: nodeCount }); // TODO: remove after fixing SERVER-9980
 adminDB.auth('user', 'user');
 var priTestDB = primary.getDB('test');
-priTestDB.addUser('a', 'a', false, nodeCount);
+priTestDB.addUser('a', 'a', jsTest.basicUserRoles, nodeCount);
 priTestDB.runCommand({ getLastError: 1, w: nodeCount }); // TODO: remove after fixing SERVER-9980
 // Authenticate the replSet connection
diff --git a/jstests/sharding/auth_slaveok_routing.js b/jstests/sharding/auth_slaveok_routing.js
index 4c17588978e..45533b9ae11 100644
--- a/jstests/sharding/auth_slaveok_routing.js
+++ b/jstests/sharding/auth_slaveok_routing.js
@@ -38,10 +38,10 @@ var nodeCount = replTest.nodes.length;
 * is no admin user.
 */
 var adminDB = mongos.getDB( 'admin' )
-adminDB.addUser('user', 'password', false);
+adminDB.addUser('user', 'password', jsTest.adminUserRoles);
 adminDB.auth( 'user', 'password' );
 var priAdminDB = replTest.getPrimary().getDB( 'admin' );
-priAdminDB.addUser( 'user', 'password', false, 3 );
+priAdminDB.addUser( 'user', 'password', jsTest.adminUserRoles, 3 );
 coll.drop();
 coll.setSlaveOk( true );
diff --git a/jstests/sharding/authmr.js b/jstests/sharding/authmr.js
index 02b01e31b7b..c0368c88a51 100644
--- a/jstests/sharding/authmr.js
+++ b/jstests/sharding/authmr.js
@@ -17,8 +17,7 @@ var adminUser = {
 var test1User = {
 user: "test",
 pwd: "a",
- roles: [],
- otherDBRoles: { test1: [ "readWrite" ] }
+ roles: [{name: 'readWrite', source: 'test1', hasRole: true, canDelegate: false}]
 };
 function assertGLEOK(status) {
diff --git a/jstests/sharding/authwhere.js b/jstests/sharding/authwhere.js
index 651c04d731a..e15feb18b9a 100644
--- a/jstests/sharding/authwhere.js
+++ b/jstests/sharding/authwhere.js
@@ -17,8 +17,7 @@ var adminUser = {
 var test1Reader = {
 user: "test",
 pwd: "a",
- roles: [],
- otherDBRoles: { test1: [ "read" ] }
+ roles: [{name: 'read', source: 'test1', hasRole:true, canDelegate: false}]
 };
 function assertGLEOK(status) {
diff --git a/jstests/sharding/localhostAuthBypass.js b/jstests/sharding/localhostAuthBypass.js
index 871d71fa706..2cff2745f5c 100644
--- a/jstests/sharding/localhostAuthBypass.js
+++ b/jstests/sharding/localhostAuthBypass.js
@@ -12,14 +12,14 @@ var password = "bar";
 var addUser = function(mongo) {
 print("============ adding a user.");
- mongo.getDB("admin").addUser(username, password);
+ mongo.getDB("admin").addUser(username, password, jsTest.adminUserRoles);
 };
 var addUsersToEachShard = function(st) {
 for(i = 0; i < numShards; i++) {
 print("============ adding a user to shard " + i);
 var d = st["shard" + i];
- d.getDB("admin").addUser(username, password);
+ d.getDB("admin").addUser(username, password, jsTest.adminUserRoles);
 }
 };
diff --git a/jstests/sharding/mrShardedOutputAuth.js b/jstests/sharding/mrShardedOutputAuth.js
index 84b19f76a11..d4fc72a280f 100644
--- a/jstests/sharding/mrShardedOutputAuth.js
+++ b/jstests/sharding/mrShardedOutputAuth.js
@@ -53,7 +53,7 @@ var st = new ShardingTest( testName = "mrShardedOutputAuth",
 // setup the users to the input, output and admin databases
 var mongos = st.s;
 var adminDb = mongos.getDB("admin");
-adminDb.addUser("user", "pass", false);
+adminDb.addUser("user", "pass", jsTest.adminUserRoles);
 var authenticatedConn = new Mongo(mongos.host);
 authenticatedConn.getDB('admin').auth("user", "pass");
@@ -62,10 +62,10 @@ adminDb = authenticatedConn.getDB("admin");
 var configDb = authenticatedConn.getDB("config");
 var inputDb = authenticatedConn.getDB("input")
-inputDb.addUser("user", "pass", false, 1);
+inputDb.addUser("user", "pass", jsTest.basicUserRoles, 1);
 var outputDb = authenticatedConn.getDB("output");
-outputDb.addUser("user", "pass");
+outputDb.addUser("user", "pass", jsTest.basicUserRoles);
 // setup the input db
 inputDb.numbers.drop();
diff --git a/jstests/slowNightly/server7428.js b/jstests/slowNightly/server7428.js
index 6a27e102367..3ce4b6eb960 100644
--- a/jstests/slowNightly/server7428.js
+++ b/jstests/slowNightly/server7428.js
@@ -9,7 +9,7 @@ var fromDb = MongoRunner.runMongod({ port: 29000 });
 // Setup toDb with auth
 var toDb = MongoRunner.runMongod({auth : "", port : 31001});
 var admin = toDb.getDB("admin");
-admin.addUser("foo","bar");
+admin.addUser("foo","bar", jsTest.adminUserRoles);
 admin.auth("foo","bar");
 admin.copyDatabase('test', 'test', fromDb.host)
diff --git a/jstests/tool/dumpauth.js b/jstests/tool/dumpauth.js
index fbc4bac8a82..67c7b2eccc2 100644
--- a/jstests/tool/dumpauth.js
+++ b/jstests/tool/dumpauth.js
@@ -13,7 +13,7 @@ for(var i = 0; i < 100; i++) {
 t["testcol"].save({ "x": i });
 }
-db.addUser( "testuser" , "testuser" );
+db.addUser( "testuser" , "testuser", jsTest.adminUserRoles );
 assert( db.auth( "testuser" , "testuser" ) , "auth failed" );
diff --git a/jstests/tool/dumprestore5.js b/jstests/tool/dumprestore5.js
index e2925f87bce..ffd419cf4b6 100644
--- a/jstests/tool/dumprestore5.js
+++ b/jstests/tool/dumprestore5.js
@@ -4,9 +4,9 @@ t = new ToolTest( "dumprestore5" );
 t.startDB( "foo" );
-db = t.db
+db = t.db.getSiblingDB("admin")
-db.addUser('user','password')
+db.addUser('user','password', jsTest.basicUserRoles)
 assert.eq(1, db.system.users.count(), "setup")
 assert.eq(2, db.system.indexes.count(), "setup2")
@@ -21,16 +21,16 @@ assert.eq(0, db.system.indexes.count(), "didn't drop indexes")
 t.runTool("restore", "--dir", t.ext)
 assert.soon("db.system.users.findOne()", "no data after restore");
-assert.eq(1, db.system.users.find({user:'user'}).count(), "didn't restore users")
+assert.eq(1, db.system.users.find({name:'user'}).count(), "didn't restore users")
 assert.eq(2, db.system.indexes.count(), "didn't restore indexes")
 db.removeUser('user')
-db.addUser('user2', 'password2')
+db.addUser('user2', 'password2', jsTest.basicUserRoles)
 t.runTool("restore", "--dir", t.ext, "--drop")
-assert.soon("1 == db.system.users.find({user:'user'}).count()", "didn't restore users 2")
-assert.eq(0, db.system.users.find({user:'user2'}).count(), "didn't drop users")
+assert.soon("1 == db.system.users.find({name:'user'}).count()", "didn't restore users 2")
+assert.eq(0, db.system.users.find({name:'user2'}).count(), "didn't drop users")
 assert.eq(2, db.system.indexes.count(), "didn't maintain indexes")
 t.stop();
diff --git a/jstests/tool/dumprestore_auth.js b/jstests/tool/dumprestore_auth.js
index 6f0e6c0a05c..f1b16d08714 100644
--- a/jstests/tool/dumprestore_auth.js
+++ b/jstests/tool/dumprestore_auth.js
@@ -5,7 +5,7 @@ t = new ToolTest("dumprestore_auth", { auth : "" });
 c = t.startDB("foo");
 adminDB = c.getDB().getSiblingDB('admin');
-adminDB.addUser('admin', 'password');
+adminDB.addUser('admin', 'password', jsTest.adminUserRoles);
 adminDB.auth('admin','password');
 assert.eq(0 , c.count() , "setup1");
diff --git a/jstests/tool/restorewithauth.js b/jstests/tool/restorewithauth.js
index 8f743e19c62..7e198efcbab 100644
--- a/jstests/tool/restorewithauth.js
+++ b/jstests/tool/restorewithauth.js
@@ -52,7 +52,7 @@ conn = startMongod( "--auth", "--port", port, "--dbpath", "/data/db/" + baseName
 // admin user
 var admin = conn.getDB( "admin" )
-admin.addUser( "admin" , "admin" );
+admin.addUser( "admin" , "admin", jsTest.adminUserRoles );
 admin.auth( "admin" , "admin" );
 var foo = conn.getDB( "foo" )
@@ -92,7 +92,7 @@ foo.dropDatabase();
 assert.eq(foo.system.namespaces.count({name: "foo.bar"}), 0);
 assert.eq(foo.system.namespaces.count({name: "foo.baz"}), 0);
-foo.addUser('user', 'password');
+foo.addUser('user', 'password', jsTest.basicUserRoles);
 // now try to restore dump with foo database credentials
 x = runMongoProgram("mongorestore",
@@ -108,6 +108,6 @@ assert.eq(foo.system.namespaces.count({name: "foo.bar"}), 1);
 assert.eq(foo.system.namespaces.count({name: "foo.baz"}), 1);
 assert.eq(foo.bar.count(), 4);
 assert.eq(foo.baz.count(), 4);
-assert.eq(foo.system.indexes.count(), 5); // _id on foo, _id on bar, x on foo, _id + 1 on system.users
+assert.eq(foo.system.indexes.count(), 3); // _id on foo, _id on bar, x on foo
 stopMongod( port );
diff --git a/jstests/tool/stat1.js b/jstests/tool/stat1.js
index 23fba448d45..d26581ee8be 100644
--- a/jstests/tool/stat1.js
+++ b/jstests/tool/stat1.js
@@ -11,7 +11,7 @@ t.drop();
 db.removeAllUsers();
-db.addUser( "eliot" , "eliot" );
+db.addUser( "eliot" , "eliot", jsTest.adminUserRoles );
 assert( db.auth( "eliot" , "eliot" ) , "auth failed" );
diff --git a/jstests/validate_user_documents.js b/jstests/validate_user_documents.js
index 84654628bea..c35ae38c276 100644
--- a/jstests/validate_user_documents.js
+++ b/jstests/validate_user_documents.js
@@ -14,32 +14,41 @@ function assertGLENotOK(status) {
 }
 mydb.dropDatabase();
+mydb.removeAllUsers();
 //
 // Tests of the insert path
 //
-// Valid compatibility document; insert should succeed.
-assert.commandWorked(mydb.runCommand({ createUser:1,
+// V0 user document document; insert should fail.
+assert.commandFailed(mydb.runCommand({ createUser:1,
 user: "spencer",
- pwd: "spencer",
+ pwd: "password",
 readOnly: true }));
-// Invalid compatibility document; insert should fail.
-assert.commandFailed(mydb.runCommand({ createUser:1, user: "andy", readOnly: true }));
-
-// Valid extended document; insert should succeed.
-assert.commandWorked(mydb.runCommand({ createUser:1,
+// V1 user document; insert should fail.
+assert.commandFailed(mydb.runCommand({ createUser:1,
 user: "spencer",
 userSource: "test2",
 roles: ["dbAdmin"] }));
-// Invalid extended document; insert should fail.
-assert.commandFailed(mydb.runCommand({ createUser:1,
- user: "andy",
- userSource: "test2",
- roles: ["dbAdmin", 15] }));
+// Valid V2 user document; insert should succeed.
+assert.commandWorked(mydb.runCommand({ createUser: "spencer",
+ pwd: "password",
+ roles: ["dbAdmin"] }));
+
+// Valid V2 user document; insert should succeed.
+assert.commandWorked(mydb.runCommand({ createUser: "andy",
+ pwd: "password",
+ roles: [{name: "dbAdmin",
+ source: "validate_user_documents",
+ hasRole: true,
+ canDelegate: false}] }));
+// Non-existent role; insert should fail
+assert.commandFailed(mydb.runCommand({ createUser: "bob",
+ pwd: "password",
+ roles: ["fakeRole123"] }));
 //
 // Tests of the update path
diff --git a/src/mongo/client/examples/authTest.cpp b/src/mongo/client/examples/authTest.cpp
index ed3f4049291..194590d027c 100644
--- a/src/mongo/client/examples/authTest.cpp
+++ b/src/mongo/client/examples/authTest.cpp
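Review bot: The new V2 block has a positive case for a role whose `source` is the test's own database (`andy`) and a negative case for an unknown role name (`bob`), but no case for a role sourced from a different database, which is the rule the renamed V1 parsing tests (`VerifyCannotGrantPrivilegesOnOtherDatabasesNormally`) covered and the one most worth carrying over to the new schema. If the server is meant to reject such a document from a non-admin database, a constructed case like `assert.commandFailed(mydb.runCommand({ createUser: "carol", pwd: "password", roles: [{name: "dbAdmin", source: "admin", hasRole: true, canDelegate: false}] }));` would pin that; if it is meant to succeed, a one-line comment saying so would stop the gap being read as an oversight. The three `assert.commandFailed` cases also do not distinguish "rejected for schema reasons" from "malformed command", so a check on the returned error code, where one is defined, would make them sharper. Minor: the comment `// V0 user document document; insert should fail.` repeats "document".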
@@ -47,10 +47,15 @@ int main( int argc, const char **argv ) {
 return EXIT_FAILURE;
 }
+ BSONObj ret;
 // clean up old data from any previous tests
- conn->remove( "test.system.users" , BSONObj() );
+ conn->runCommand( "test", BSON("removeUsersFromDatabase" << 1), ret );
- conn->insert( "test.system.users" , BSON( "user" << "eliot" << "pwd" << conn->createPasswordDigest( "eliot" , "bar" ) ) );
+ conn->runCommand( "test",
+ BSON( "createUser" << "eliot" <<
+ "pwd" << "bar" <<
+ "roles" << BSON_ARRAY("readWrite")),
+ ret);
 errmsg.clear();
 conn->auth(BSON("user" << "eliot" <<
diff --git a/src/mongo/db/auth/authorization_manager_test.cpp b/src/mongo/db/auth/authorization_manager_test.cpp
index 858ca5c69e1..a053c9c7cc7 100644
--- a/src/mongo/db/auth/authorization_manager_test.cpp
+++ b/src/mongo/db/auth/authorization_manager_test.cpp
@@ -53,9 +53,9 @@ namespace {
 AuthzManagerExternalStateMock* externalState;
 };
- class PrivilegeDocumentParsing : public AuthorizationManagerTest {
+ class V1PrivilegeDocumentParsing : public AuthorizationManagerTest {
 public:
- PrivilegeDocumentParsing() {}
+ V1PrivilegeDocumentParsing() {}
 scoped_ptr<User> user;
 scoped_ptr<User> adminUser;
@@ -64,10 +64,11 @@ namespace {
 AuthorizationManagerTest::setUp();
 user.reset(new User(UserName("spencer", "test")));
 adminUser.reset(new User(UserName("admin", "admin")));
+ authzManager->setAuthorizationVersion(1);
 }
 };
- TEST_F(PrivilegeDocumentParsing, testParsingV0PrivilegeDocuments) {
+ TEST_F(V1PrivilegeDocumentParsing, testParsingV0PrivilegeDocuments) {
 User user(UserName("Spencer", "test"));
 User adminUser(UserName("Spencer", "admin"));
 BSONObj invalid;
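Review bot: Both new `runCommand` calls discard their boolean result and leave `ret` unread, so a failed `removeUsersFromDatabase` or `createUser` (unauthorized connection, role not grantable, server too old for the command) only shows up later as a confusing `conn->auth` failure. The example already returns `EXIT_FAILURE` on the connect path just above, so the same treatment fits here: `if ( !conn->runCommand( "test", BSON( "createUser" << "eliot" << "pwd" << "bar" << "roles" << BSON_ARRAY("readWrite") ), ret ) ) return EXIT_FAILURE;`, printing `ret` first so the errmsg is visible. Also worth a one-line comment: the removed code stored a client-side `createPasswordDigest` value, whereas the new command sends `"pwd" << "bar"` as given and presumably relies on the server to hash it — without that note the diff reads like a regression. `main` begins before and continues after this hunk.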
@@ -101,21 +102,21 @@ namespace { ASSERT(adminUser.getActionsForResource("*").contains(ActionType::insert)); } - TEST_F(PrivilegeDocumentParsing, VerifyRolesFieldMustBeAnArray) { + TEST_F(V1PrivilegeDocumentParsing, VerifyRolesFieldMustBeAnArray) { ASSERT_NOT_OK(authzManager->_initializeUserFromPrivilegeDocument( user.get(), BSON("user" << "spencer" << "pwd" << "" << "roles" << "read"))); ASSERT(user->getActionsForResource("test").empty()); } - TEST_F(PrivilegeDocumentParsing, VerifyInvalidRoleGrantsNoPrivileges) { + TEST_F(V1PrivilegeDocumentParsing, VerifyInvalidRoleGrantsNoPrivileges) { ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument( user.get(), BSON("user" << "spencer" << "pwd" << "" << "roles" << BSON_ARRAY("frim")))); ASSERT(user->getActionsForResource("test").empty()); } - TEST_F(PrivilegeDocumentParsing, VerifyInvalidRoleStillAllowsOtherRoles) { + TEST_F(V1PrivilegeDocumentParsing, VerifyInvalidRoleStillAllowsOtherRoles) { ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument( user.get(), BSON("user" << "spencer" << @@ -124,7 +125,7 @@ namespace { ASSERT(user->getActionsForResource("test").contains(ActionType::find)); } - TEST_F(PrivilegeDocumentParsing, VerifyCannotGrantClusterAdminRoleFromNonAdminDatabase) { + TEST_F(V1PrivilegeDocumentParsing, VerifyCannotGrantClusterAdminRoleFromNonAdminDatabase) { ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument( user.get(), BSON("user" << "spencer" << @@ -135,7 +136,7 @@ namespace { ASSERT(!user->getActionsForResource("test").contains(ActionType::dropDatabase)); } - TEST_F(PrivilegeDocumentParsing, VerifyCannotGrantClusterReadFromNonAdminDatabase) { + TEST_F(V1PrivilegeDocumentParsing, VerifyCannotGrantClusterReadFromNonAdminDatabase) { ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument( user.get(), BSON("user" << "spencer" << 
@@ -145,7 +146,7 @@ namespace { ASSERT(!user->getActionsForResource("test2").contains(ActionType::find)); } - TEST_F(PrivilegeDocumentParsing, VerifyCannotGrantClusterReadWriteFromNonAdminDatabase) { + TEST_F(V1PrivilegeDocumentParsing, VerifyCannotGrantClusterReadWriteFromNonAdminDatabase) { ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument( user.get(), BSON("user" << "spencer" << @@ -156,7 +157,7 @@ namespace { ASSERT(!user->getActionsForResource("test2").contains(ActionType::insert)); } - TEST_F(PrivilegeDocumentParsing, VerifyCannotGrantClusterUserAdminFromNonAdminDatabase) { + TEST_F(V1PrivilegeDocumentParsing, VerifyCannotGrantClusterUserAdminFromNonAdminDatabase) { ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument( user.get(), BSON("user" << "spencer" << @@ -167,7 +168,7 @@ namespace { ASSERT(!user->getActionsForResource("test2").contains(ActionType::userAdmin)); } - TEST_F(PrivilegeDocumentParsing, VerifyCannotGrantClusterDBAdminFromNonAdminDatabase) { + TEST_F(V1PrivilegeDocumentParsing, VerifyCannotGrantClusterDBAdminFromNonAdminDatabase) { ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument( user.get(), BSON("user" << "spencer" << @@ -178,7 +179,7 @@ namespace { ASSERT(!user->getActionsForResource("test2").contains(ActionType::clean)); } - TEST_F(PrivilegeDocumentParsing, VerifyOtherDBRolesMustBeAnObjectOfArraysOfStrings) { + TEST_F(V1PrivilegeDocumentParsing, VerifyOtherDBRolesMustBeAnObjectOfArraysOfStrings) { ASSERT_NOT_OK(authzManager->_initializeUserFromPrivilegeDocument( adminUser.get(), BSON("user" << "admin" << 
@@ -200,7 +201,7 @@ namespace { ASSERT(!adminUser->getActionsForResource("admin").contains(ActionType::find)); } - TEST_F(PrivilegeDocumentParsing, VerifyCannotGrantPrivilegesOnOtherDatabasesNormally) { + TEST_F(V1PrivilegeDocumentParsing, VerifyCannotGrantPrivilegesOnOtherDatabasesNormally) { // Cannot grant privileges on other databases, except from admin database. ASSERT_NOT_OK(authzManager->_initializeUserFromPrivilegeDocument( user.get(), @@ -213,7 +214,7 @@ namespace { ASSERT(!user->getActionsForResource("admin").contains(ActionType::find)); } - TEST_F(PrivilegeDocumentParsing, SuccessfulSimpleReadGrant) { + TEST_F(V1PrivilegeDocumentParsing, SuccessfulSimpleReadGrant) { // Grant read on test. ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument( user.get(), @@ -225,7 +226,7 @@ namespace { ASSERT(!user->getActionsForResource("admin").contains(ActionType::find)); } - TEST_F(PrivilegeDocumentParsing, SuccessfulSimpleUserAdminTest) { + TEST_F(V1PrivilegeDocumentParsing, SuccessfulSimpleUserAdminTest) { // Grant userAdmin on "test" database. ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument( user.get(), @@ -237,7 +238,7 @@ namespace { ASSERT(!user->getActionsForResource("admin").contains(ActionType::userAdmin)); } - TEST_F(PrivilegeDocumentParsing, GrantUserAdminOnAdmin) { + TEST_F(V1PrivilegeDocumentParsing, GrantUserAdminOnAdmin) { // Grant userAdmin on admin. ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument( adminUser.get(), @@ -249,7 +250,7 @@ namespace { ASSERT(adminUser->getActionsForResource("admin").contains(ActionType::userAdmin)); } - TEST_F(PrivilegeDocumentParsing, GrantUserAdminOnTestViaAdmin) { + TEST_F(V1PrivilegeDocumentParsing, GrantUserAdminOnTestViaAdmin) { // Grant userAdmin on test via admin. ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument( adminUser.get(), 
@@ -262,7 +263,7 @@ namespace { ASSERT(!adminUser->getActionsForResource("admin").contains(ActionType::userAdmin)); } - TEST_F(PrivilegeDocumentParsing, SuccessfulClusterAdminTest) { + TEST_F(V1PrivilegeDocumentParsing, SuccessfulClusterAdminTest) { // Grant userAdminAnyDatabase. ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument( adminUser.get(), @@ -273,7 +274,7 @@ namespace { } - TEST_F(PrivilegeDocumentParsing, GrantClusterReadWrite) { + TEST_F(V1PrivilegeDocumentParsing, GrantClusterReadWrite) { // Grant readWrite on everything via the admin database. ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument( adminUser.get(), @@ -284,7 +285,7 @@ namespace { ASSERT(adminUser->getActionsForResource("*").contains(ActionType::insert)); } - TEST_F(PrivilegeDocumentParsing, ProhibitGrantOnWildcard) { + TEST_F(V1PrivilegeDocumentParsing, ProhibitGrantOnWildcard) { // Cannot grant readWrite to everything using "otherDBRoles". ASSERT_NOT_OK(authzManager->_initializeUserFromPrivilegeDocument( adminUser.get(), @@ -300,7 +301,7 @@ namespace { ASSERT(!adminUser->getActionsForResource("admin").contains(ActionType::insert)); } - TEST_F(PrivilegeDocumentParsing, GrantClusterAdmin) { + TEST_F(V1PrivilegeDocumentParsing, GrantClusterAdmin) { // Grant cluster admin ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument( adminUser.get(), @@ -312,7 +313,7 @@ namespace { ASSERT(adminUser->getActionsForResource("*").contains(ActionType::moveChunk)); } - TEST_F(PrivilegeDocumentParsing, GetPrivilegesFromPrivilegeDocumentInvalid) { + TEST_F(V1PrivilegeDocumentParsing, GetPrivilegesFromPrivilegeDocumentInvalid) { // Try to mix fields from V0 and V1 privilege documents and make sure it fails. ASSERT_NOT_OK(authzManager->_initializeUserFromPrivilegeDocument( user.get(), 
@@ -326,12 +327,14 @@ namespace { TEST_F(AuthorizationManagerTest, testAquireV0User) { - ASSERT_OK(externalState->insertPrivilegeDocument( - "test", - BSON("user" << "v0RW" << "pwd" << "password"))); - ASSERT_OK(externalState->insertPrivilegeDocument( - "admin", - BSON("user" << "v0AdminRO" << "pwd" << "password" << "readOnly" << true))); + authzManager->setAuthorizationVersion(1); + + ASSERT_OK(externalState->insert(NamespaceString("test.system.users"), + BSON("user" << "v0RW" << "pwd" << "password"))); + ASSERT_OK(externalState->insert(NamespaceString("admin.system.users"), + BSON("user" << "v0AdminRO" << + "pwd" << "password" << + "readOnly" << true))); User* v0RW; ASSERT_OK(authzManager->acquireUser(UserName("v0RW", "test"), &v0RW)); @@ -376,16 +379,16 @@ namespace { } TEST_F(AuthorizationManagerTest, testAquireV1User) { - ASSERT_OK(externalState->insertPrivilegeDocument( - "test", - BSON("user" << "v1read" << - "pwd" << "password" << - "roles" << BSON_ARRAY("read")))); - ASSERT_OK(externalState->insertPrivilegeDocument( - "admin", - BSON("user" << "v1cluster" << - "pwd" << "password" << - "roles" << BSON_ARRAY("clusterAdmin")))); + authzManager->setAuthorizationVersion(1); + + ASSERT_OK(externalState->insert(NamespaceString("test.system.users"), + BSON("user" << "v1read" << + "pwd" << "password" << + "roles" << BSON_ARRAY("read")))); + ASSERT_OK(externalState->insert(NamespaceString("admin.system.users"), + BSON("user" << "v1cluster" << + "pwd" << "password" << + "roles" << BSON_ARRAY("clusterAdmin")))); User* v1read; ASSERT_OK(authzManager->acquireUser(UserName("v1read", "test"), &v1read)); 
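Review bot: Swapping `insertPrivilegeDocument("test", ...)` for a raw `externalState->insert(NamespaceString("test.system.users"), ...)` means these V0/V1 fixture documents no longer go through whatever checks the privilege-document helper applies, so a malformed legacy document would now surface as an `acquireUser` failure rather than at insertion time. Presumably this is deliberate (the helper now expects V2 documents, and `setAuthorizationVersion(1)` is pinned just above), but a comment on the first raw insert would keep the intent clear: `// Raw insert: these are legacy V0/V1 documents; the version is pinned to 1 above so acquireUser parses them as such.` The `testAquireV1User` hunk below and the `initializeAllV1UserData` and `setUpV1UserData` hunks on the next two lines make the same switch and are covered by the same comment.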
@@ -428,26 +431,24 @@ namespace { } TEST_F(AuthorizationManagerTest, initializeAllV1UserData) { - ASSERT_OK(externalState->insertPrivilegeDocument( - "test", - BSON("user" << "readOnly" << - "pwd" << "password" << - "roles" << BSON_ARRAY("read")))); - ASSERT_OK(externalState->insertPrivilegeDocument( - "admin", - BSON("user" << "clusterAdmin" << - "userSource" << "$external" << - "roles" << BSON_ARRAY("clusterAdmin")))); - ASSERT_OK(externalState->insertPrivilegeDocument( - "test", - BSON("user" << "readWriteMultiDB" << - "pwd" << "password" << - "roles" << BSON_ARRAY("readWrite")))); - ASSERT_OK(externalState->insertPrivilegeDocument( - "test2", - BSON("user" << "readWriteMultiDB" << - "userSource" << "test" << - "roles" << BSON_ARRAY("readWrite")))); + authzManager->setAuthorizationVersion(1); + + ASSERT_OK(externalState->insert(NamespaceString("test.system.users"), + BSON("user" << "readOnly" << + "pwd" << "password" << + "roles" << BSON_ARRAY("read")))); + ASSERT_OK(externalState->insert(NamespaceString("admin.system.users"), + BSON("user" << "clusterAdmin" << + "userSource" << "$external" << + "roles" << BSON_ARRAY("clusterAdmin")))); + ASSERT_OK(externalState->insert(NamespaceString("test.system.users"), + BSON("user" << "readWriteMultiDB" << + "pwd" << "password" << + "roles" << BSON_ARRAY("readWrite")))); + ASSERT_OK(externalState->insert(NamespaceString("test2.system.users"), + BSON("user" << "readWriteMultiDB" << + "userSource" << "test" << + "roles" << BSON_ARRAY("readWrite")))); Status status = authzManager->initialize(); ASSERT_OK(status); 
@@ -612,23 +613,19 @@ namespace { static const NamespaceString newUsersCollectioName; void setUpV1UserData() { - ASSERT_OK(externalState->insertPrivilegeDocument( - "test", + ASSERT_OK(externalState->insert(NamespaceString("test.system.users"), BSON("user" << "readOnly" << "pwd" << "password" << "roles" << BSON_ARRAY("read")))); - ASSERT_OK(externalState->insertPrivilegeDocument( - "admin", + ASSERT_OK(externalState->insert(NamespaceString("admin.system.users"), BSON("user" << "clusterAdmin" << "userSource" << "$external" << "roles" << BSON_ARRAY("clusterAdmin")))); - ASSERT_OK(externalState->insertPrivilegeDocument( - "test", + ASSERT_OK(externalState->insert(NamespaceString("test.system.users"), BSON("user" << "readWriteMultiDB" << "pwd" << "password" << "roles" << BSON_ARRAY("readWrite")))); - ASSERT_OK(externalState->insertPrivilegeDocument( - "test2", + ASSERT_OK(externalState->insert(NamespaceString("test2.system.users"), BSON("user" << "readWriteMultiDB" << "userSource" << "test" << "roles" << BSON_ARRAY("readWrite")))); @@ -700,6 +697,7 @@ namespace { const NamespaceString AuthzUpgradeTest::newUsersCollectioName("admin._newusers"); TEST_F(AuthzUpgradeTest, upgradeUserDataFromV1ToV2Clean) { + authzManager->setAuthorizationVersion(1); setUpV1UserData(); ASSERT_OK(authzManager->upgradeAuthCollections()); @@ -708,6 +706,7 @@ namespace { } TEST_F(AuthzUpgradeTest, upgradeUserDataFromV1ToV2WithSysVerDoc) { + authzManager->setAuthorizationVersion(1); setUpV1UserData(); ASSERT_OK(externalState->insert(versionCollectionName, BSON("_id" << 1 << "currentVersion" << 1))); @@ -718,6 +717,7 @@ namespace { } TEST_F(AuthzUpgradeTest, upgradeUserDataFromV1ToV2FailsWithBadInitialVersionDoc) { + authzManager->setAuthorizationVersion(1); setUpV1UserData(); ASSERT_OK(externalState->insert(versionCollectionName, BSON("_id" << 1 << "currentVersion" << 3))); 
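Review bot: Each AuthzUpgradeTest body now opens with `authzManager->setAuthorizationVersion(1);` immediately followed by `setUpV1UserData();` — three times in these hunks and once more in the `@@ -730` hunk on the next line. The version pin is a precondition of the V1 fixture data rather than of any single test, so folding it into the helper, `void setUpV1UserData() { authzManager->setAuthorizationVersion(1); ...`, documents the dependency in one place and keeps the two from drifting apart when the next upgrade test is added. The `setUpV1UserData` hunk here is the natural place for that change.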
@@ -730,6 +730,7 @@ namespace { } TEST_F(AuthzUpgradeTest, upgradeUserDataFromV1ToV2FailsWithVersionDocMispatch) { + authzManager->setAuthorizationVersion(1); setUpV1UserData(); ASSERT_OK(externalState->insert(versionCollectionName, BSON("_id" << 1 << "currentVersion" << 2))); diff --git a/src/mongo/db/auth/authorization_session_test.cpp b/src/mongo/db/auth/authorization_session_test.cpp index 1a338bbd10e..5ca4ff21550 100644 --- a/src/mongo/db/auth/authorization_session_test.cpp +++ b/src/mongo/db/auth/authorization_session_test.cpp @@ -85,10 +85,18 @@ namespace { authzSession->addAndAuthorizeUser(UserName("spencer", "test"))); // Add a user with readWrite and dbAdmin on the test DB - ASSERT_OK(managerState->insertPrivilegeDocument("test", - BSON("user" << "spencer" << - "pwd" << "a" << - "roles" << BSON_ARRAY("readWrite" << "dbAdmin")))); + ASSERT_OK(managerState->insertPrivilegeDocument("admin", + BSON("name" << "spencer" << + "source" << "test" << + "credentials" << BSON("MONGODB-CR" << "a") << + "roles" << BSON_ARRAY(BSON("name" << "readWrite" << + "source" << "test" << + "hasRole" << true << + "canDelegate" << false) << + BSON("name" << "dbAdmin" << + "source" << "test" << + "hasRole" << true << + "canDelegate" << false))))); ASSERT_OK(authzSession->addAndAuthorizeUser(UserName("spencer", "test"))); ASSERT_TRUE(authzSession->checkAuthorization("test", ActionType::insert)); 
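Review bot: The V2 user document literal (`name`/`source`/`credentials`/`roles` with `hasRole`/`canDelegate`) is written out in full in this hunk and again in the five hunks on the following two lines, differing only in the user and role names; a small fixture helper would make the role-only differences between the tests visible and cut the boilerplate substantially. Separately, `"credentials" << BSON("MONGODB-CR" << "a")` stores the literal password where a real document holds a MONGODB-CR digest — fine for a mock that never authenticates, but worth a comment so the shape is not copied into code that does. A sketch of the helper, with the credential caveat on it, follows; the enclosing test bodies continue outside the hunk.
```cpp
// Builds a V2-schema user document for the mock external state.  NOTE: the
// MONGODB-CR credential is stored as the plaintext value, not a digest; the
// mock never authenticates against it, so do not copy this shape elsewhere.
static BSONObj v2UserDoc(const std::string& name,
                         const std::string& source,
                         const std::string& pwd,
                         const BSONArray& roles) {
    return BSON("name" << name <<
                "source" << source <<
                "credentials" << BSON("MONGODB-CR" << pwd) <<
                "roles" << roles);
}
// … unchanged: test body up to the insert …
ASSERT_OK(managerState->insertPrivilegeDocument("admin",
    v2UserDoc("spencer", "test", "a",
              BSON_ARRAY(BSON("name" << "readWrite" << "source" << "test" <<
                              "hasRole" << true << "canDelegate" << false) <<
                         BSON("name" << "dbAdmin" << "source" << "test" <<
                              "hasRole" << true << "canDelegate" << false)))));
```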
@@ -99,9 +107,13 @@ namespace { // Add an admin user with readWriteAnyDatabase ASSERT_OK(managerState->insertPrivilegeDocument("admin", - BSON("user" << "admin" << - "pwd" << "a" << - "roles" << BSON_ARRAY("readWriteAnyDatabase")))); + BSON("name" << "admin" << + "source" << "admin" << + "credentials" << BSON("MONGODB-CR" << "a") << + "roles" << BSON_ARRAY(BSON("name" << "readWriteAnyDatabase" << + "source" << "admin" << + "hasRole" << true << + "canDelegate" << false))))); ASSERT_OK(authzSession->addAndAuthorizeUser(UserName("admin", "admin"))); ASSERT_TRUE(authzSession->checkAuthorization("*", ActionType::insert)); @@ -123,10 +135,14 @@ namespace { TEST_F(AuthorizationSessionTest, InvalidateUser) { // Add a readWrite user - ASSERT_OK(managerState->insertPrivilegeDocument("test", - BSON("user" << "spencer" << - "pwd" << "a" << - "roles" << BSON_ARRAY("readWrite")))); + ASSERT_OK(managerState->insertPrivilegeDocument("admin", + BSON("name" << "spencer" << + "source" << "test" << + "credentials" << BSON("MONGODB-CR" << "a") << + "roles" << BSON_ARRAY(BSON("name" << "readWrite" << + "source" << "test" << + "hasRole" << true << + "canDelegate" << false))))); ASSERT_OK(authzSession->addAndAuthorizeUser(UserName("spencer", "test"))); ASSERT_TRUE(authzSession->checkAuthorization("test", ActionType::find)); @@ -137,10 +153,14 @@ namespace { // Change the user to be read-only managerState->clearPrivilegeDocuments(); - ASSERT_OK(managerState->insertPrivilegeDocument("test", - BSON("user" << "spencer" << - "pwd" << "a" << - "roles" << BSON_ARRAY("read")))); + ASSERT_OK(managerState->insertPrivilegeDocument("admin", + BSON("name" << "spencer" << + "source" << "test" << + "credentials" << BSON("MONGODB-CR" << "a") << + "roles" << BSON_ARRAY(BSON("name" << "read" << + "source" << "test" << + "hasRole" << true << + "canDelegate" << false))))); // Make sure that invalidating the user causes the session to reload its privileges. authzManager->invalidateUser(user); 
@@ -161,10 +181,14 @@ namespace { TEST_F(AuthorizationSessionTest, UseOldUserInfoInFaceOfConnectivityProblems) { // Add a readWrite user - ASSERT_OK(managerState->insertPrivilegeDocument("test", - BSON("user" << "spencer" << - "pwd" << "a" << - "roles" << BSON_ARRAY("readWrite")))); + ASSERT_OK(managerState->insertPrivilegeDocument("admin", + BSON("name" << "spencer" << + "source" << "test" << + "credentials" << BSON("MONGODB-CR" << "a") << + "roles" << BSON_ARRAY(BSON("name" << "readWrite" << + "source" << "test" << + "hasRole" << true << + "canDelegate" << false))))); ASSERT_OK(authzSession->addAndAuthorizeUser(UserName("spencer", "test"))); ASSERT_TRUE(authzSession->checkAuthorization("test", ActionType::find)); @@ -176,10 +200,14 @@ namespace { // Change the user to be read-only managerState->setFindsShouldFail(true); managerState->clearPrivilegeDocuments(); - ASSERT_OK(managerState->insertPrivilegeDocument("test", - BSON("user" << "spencer" << - "pwd" << "a" << - "roles" << BSON_ARRAY("read")))); + ASSERT_OK(managerState->insertPrivilegeDocument("admin", + BSON("name" << "spencer" << + "source" << "test" << + "credentials" << BSON("MONGODB-CR" << "a") << + "roles" << BSON_ARRAY(BSON("name" << "read" << + "source" << "test" << + "hasRole" << true << + "canDelegate" << false))))); // Even though the user's privileges have been reduced, since we've configured user // document lookup to fail, the authz session should continue to use its known out-of-date 
@@ -191,15 +219,17 @@ namespace { TEST_F(AuthorizationSessionTest, ImplicitAcquireFromSomeDatabasesWithV1Users) { - managerState->insertPrivilegeDocument("test", + authzManager->setAuthorizationVersion(1); + + managerState->insert(NamespaceString("test.system.users"), BSON("user" << "andy" << "pwd" << "a" << "roles" << BSON_ARRAY("readWrite"))); - managerState->insertPrivilegeDocument("test2", + managerState->insert(NamespaceString("test2.system.users"), BSON("user" << "andy" << "userSource" << "test" << "roles" << BSON_ARRAY("read"))); - managerState->insertPrivilegeDocument("admin", + managerState->insert(NamespaceString("admin.system.users"), BSON("user" << "andy" << "userSource" << "test" << "roles" << BSON_ARRAY("clusterAdmin") << diff --git a/src/mongo/db/auth/authz_manager_external_state_mock.cpp b/src/mongo/db/auth/authz_manager_external_state_mock.cpp index 82afca81614..e5fbbbc4853 100644 --- a/src/mongo/db/auth/authz_manager_external_state_mock.cpp +++ b/src/mongo/db/auth/authz_manager_external_state_mock.cpp @@ -43,7 +43,7 @@ namespace mongo { Status AuthzManagerExternalStateMock::insertPrivilegeDocument(const std::string& dbname, const BSONObj& userObj) { - NamespaceString usersCollection(dbname + ".system.users"); + NamespaceString usersCollection("admin.system.users"); return insert(usersCollection, userObj); } diff --git a/src/mongo/shell/db.js b/src/mongo/shell/db.js index 0622e50b445..8b54e9f2430 100644 --- a/src/mongo/shell/db.js +++ b/src/mongo/shell/db.js @@ -283,7 +283,8 @@ DB.prototype.removeUser = function( username ){ return true; } - if (res.errmsg.startsWith("No users found on database")) { + var notFoundErrmsg = "User '" + username + "@" + this.getName() + "' not found"; + if (res.errmsg == notFoundErrmsg) { return false; } diff --git a/src/mongo/shell/utils.js b/src/mongo/shell/utils.js index df35d9b0cab..76a2d3c8a14 100644 --- a/src/mongo/shell/utils.js +++ b/src/mongo/shell/utils.js 
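Review bot: The three new `managerState->insert(...)` calls in ImplicitAcquireFromSomeDatabasesWithV1Users discard the returned Status, unlike the `ASSERT_OK(externalState->insert(...))` pattern setUpV1UserData uses earlier in this diff. If one insert fails, the test fails later on an authorization check with no hint that the fixture was never populated; wrap each call, e.g. `ASSERT_OK(managerState->insert(NamespaceString("test.system.users"), BSON(...)));`. The removed `insertPrivilegeDocument` calls had the same gap, so this is a chance to close it rather than a regression. The test body continues past the end of the hunk.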
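Review bot: After this change `dbname` is unused in AuthzManagerExternalStateMock::insertPrivilegeDocument: every document goes to `admin.system.users` regardless of the argument, so a caller that still passes `"test"` has its document silently stored somewhere other than it asked for. Either drop the parameter (if the interface this overrides allows it) or make a mismatch visible, e.g. `if (dbname != "admin") return Status(ErrorCodes::BadValue, "V2 privilege documents must be inserted via admin");`, and add a comment above the function stating that V2 user documents for every database live in admin.system.users. The call sites in authorization_session_test.cpp already pass `"admin"`, and the V1 fixtures in this diff switched to calling `insert` directly, so nothing visible here would break.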
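Review bot: `res.errmsg == notFoundErrmsg` reconstructs the server's exact error text on the client and compares strings, so any change to the server's wording or to how it quotes `username@db` turns the not-found case from `return false` into whatever the code after the hunk does with an unrecognised error. If the command response carries a numeric `code`, matching on that (`if (res.code === <UserNotFound error code>)`) is the robust form; if it does not, at least use strict equality, `if (res.errmsg === notFoundErrmsg)`, and add a comment noting that the literal must track the server's message. removeUser begins and ends outside this hunk.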
@@ -205,6 +205,8 @@ if ( typeof _threadInject != "undefined" ){ "jstests/extent.js", "jstests/indexb.js", "jstests/profile1.js", + "jstests/profile3.js", + "jstests/profile4.js", "jstests/mr3.js", "jstests/indexh.js", "jstests/apitest_db.js", @@ -229,7 +231,11 @@ if ( typeof _threadInject != "undefined" ){ ] ); // some tests can't be run in parallel with each other - var serialTestsArr = [ "jstests/fsync.js" + var serialTestsArr = [ "jstests/fsync.js", + "jstests/auth1.js", + "jstests/auth_copydb2.js", + "jstests/connection_status.js", + "jstests/validate_user_documents.js" // ,"jstests/fsync2.js" // SERVER-4243 ]; var serialTests = makeKeys( serialTestsArr ); @@ -396,6 +402,12 @@ jsTest.path = jsTestPath jsTest.options = jsTestOptions jsTest.setOption = setJsTestOption jsTest.log = jsTestLog +jsTest.readOnlyUserRoles = ["read"] +jsTest.basicUserRoles = ["readWrite", "dbAdmin", "userAdmin"] +jsTest.adminUserRoles = ["clusterAdmin", + "userAdminAnyDatabase", + "dbAdminAnyDatabase", + "readWriteAnyDatabase"] jsTest.dir = function(){ return jsTest.path().replace( /\/[^\/]+$/, "/" ) @@ -424,7 +436,7 @@ jsTest.addAuth = function(conn) { } print ("Adding admin user on connection: " + localconn); return localconn.getDB('admin').addUser(jsTestOptions().adminUser, jsTestOptions().adminPassword, - false, 'majority', 60000); + jsTest.adminUserRoles, 'majority', 60000); } jsTest.authenticate = function(conn) { |
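Review bot: The new `jsTest.readOnlyUserRoles` / `jsTest.basicUserRoles` / `jsTest.adminUserRoles` arrays are plain mutable module-level state with no comment saying what they are for, and `jsTest.addAuth` (last hunk on this line) now relies on `adminUserRoles`; a test that mutates one of them changes the privileges every later test runs with. A one-line comment above them, `// Role sets handed to addUser by tests; adminUserRoles is what jsTest.addAuth grants the admin user`, plus freezing them (`Object.freeze(jsTest.adminUserRoles)`, assuming the shell's JS engine supports it) would make the contract explicit. It is also worth stating in that comment that `basicUserRoles` includes `userAdmin`, which can create and modify users on its database, so a test that needs a user unable to widen its own privileges should pick `readOnlyUserRoles`. The enclosing `jsTest` setup continues past the end of the hunk.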