authorTommaso Tocci <tommaso.tocci@mongodb.com>2022-09-16 12:53:27 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2022-09-16 13:42:37 +0000
commit8fefbc6c5545b188900d26c0d4d448628a9ba98b (patch)
treef52710e482e894ad4fa13896665a63d96e5a44c5
parent96cbfd35f635d64d81b58d807bdfe50d90152415 (diff)
downloadmongo-8fefbc6c5545b188900d26c0d4d448628a9ba98b.tar.gz
SERVER-67394 Forbid DDL operations directly on bucket namespaces
-rw-r--r--jstests/auth/timeseries_ddl.js66
1 files changed, 66 insertions, 0 deletions
diff --git a/jstests/auth/timeseries_ddl.js b/jstests/auth/timeseries_ddl.js
new file mode 100644
index 00000000000..e5be7c02975
--- /dev/null
+++ b/jstests/auth/timeseries_ddl.js
@@ -0,0 +1,66 @@
+/**
+ * Verify that DDL operations on timeseries bucket namesapces requires special authorization
+ *
+ * @tags: [
+ * requires_fcv_61,
+ * ]
+ */
+
+(function() {
+'use strict';
+
+const dbName = jsTest.name() + "_db";
+const normalCollName = "normalColl";
+const timeseriesCollName = "timeseriesColl";
+const bucketCollName = "system.buckets." + timeseriesCollName;
+const pass = "password";
+const skeyPattern = {
+ k: 1
+};
+
+const st = new ShardingTest({keyFile: "jstests/libs/key1", other: {shardOptions: {auth: ""}}});
+
+// Create the admin user.
+st.admin.createUser({user: "root", pwd: pass, roles: ["userAdminAnyDatabase"]});
+
+assert(st.admin.auth("root", pass));
+
+const db = st.s.getDB(dbName);
+
+db.createUser({user: "rw", pwd: pass, roles: ["readWrite"]});
+db.createUser({
+ user: "c2c",
+ pwd: pass,
+ roles: [{db: "admin", role: "restore"}, {db: "admin", role: "backup"}]
+});
+st.admin.logout();
+
+function createCollectionsAsRegularUser() {
+ assert(db.auth("rw", pass));
+ assert.commandWorked(db.createCollection(normalCollName));
+ assert.commandWorked(
+ db.createCollection(timeseriesCollName, {timeseries: {timeField: "time"}}));
+ assert.commandFailedWithCode(db.createCollection(bucketCollName), ErrorCodes.Unauthorized);
+ db.logout();
+}
+
+{
+ createCollectionsAsRegularUser();
+ assert(db.auth("rw", pass));
+ assert.commandWorked(db.runCommand({drop: normalCollName}));
+ assert.commandFailedWithCode(db.runCommand({drop: bucketCollName}), ErrorCodes.Unauthorized);
+ assert.commandWorked(db.runCommand({drop: timeseriesCollName}));
+ db.logout();
+}
+
+{
+ createCollectionsAsRegularUser();
+ assert(db.auth("c2c", pass));
+ assert.commandWorked(db.runCommand({drop: normalCollName}));
+ assert.commandWorked(db.runCommand({drop: bucketCollName}));
+ assert.commandWorked(db.runCommand({drop: timeseriesCollName}));
+ db.logout();
+}
+
+st.stop();
+}());
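Review bot: `skeyPattern` is declared near the top of the file but never used, and the negative assertions for the `rw` user cover only `createCollection` and `drop` on `bucketCollName`. The commit title speaks of DDL operations in general, so other entry points (for example `collMod`, `renameCollection`, index commands, or sharding the bucket namespace, which the unused shard-key pattern hints at) are not pinned here, and an authorization gap in any of them would pass this test unnoticed. The server-side change is not visible on this page, so which commands are actually restricted needs confirming. Either remove the unused constant or add the missing cases following the existing pattern, e.g. `assert.commandFailedWithCode(db.runCommand({collMod: bucketCollName}), ErrorCodes.Unauthorized);` if `collMod` is among the restricted commands. The header comment also misspells "namespaces" and could read `Verify that DDL operations on timeseries bucket namespaces require special authorization`.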