SERVER-29448 Disallow removing the admin database in replica set mode

3 files changed, 23 insertions, 33 deletions

diff --git a/jstests/auth/user_defined_roles_on_secondaries.js b/jstests/auth/user_defined_roles_on_secondaries.js
index 1eb3566985f..c405363c575 100644
--- a/jstests/auth/user_defined_roles_on_secondaries.js
+++ b/jstests/auth/user_defined_roles_on_secondaries.js
@@ -134,14 +134,6 @@
         assertListContainsRole(role.inheritedRoles, {role: "dbAdmin", db: "db1"}, node);
     });
 
-    // Verify that dropping the admin database propagates.
-    assert.commandWorked(rstest.getPrimary().getDB("admin").dropDatabase());
-    assert.commandWorked(rstest.getPrimary().getDB("admin").getLastErrorObj(2));
-    rstest.nodes.forEach(function(node) {
-        var roles = node.getDB("db1").getRoles();
-        assert.eq(0, roles.length, node);
-    });
-
     // Verify that applyOps commands propagate.
     // NOTE: This section of the test depends on the oplog and roles schemas.
     assert.commandWorked(rstest.getPrimary().getDB("admin").runCommand({
@@ -171,15 +163,6 @@
               }
             },
             {op: "c", ns: "admin.$cmd", o: {drop: "system.roles"}},
-        ]
-    }));
-
-    // The dropDatabase command cannot be run inside an applyOps if it still has any collections
-    // (drop-pending included). See SERVER-29874.
-    assert.commandWorked(rstest.getPrimary().getDB("admin").dropDatabase());
-
-    assert.commandWorked(rstest.getPrimary().getDB("admin").runCommand({
-        applyOps: [
             {op: "c", ns: "admin.$cmd", o: {create: "system.roles"}},
             {
               op: "i",
diff --git a/jstests/replsets/drop_oplog.js b/jstests/replsets/drop_oplog.js
index ddac3904457..df89ec255ff 100644
--- a/jstests/replsets/drop_oplog.js
+++ b/jstests/replsets/drop_oplog.js
@@ -1,29 +1,35 @@
-// Test that dropping either the replset oplog or the local database is prohibited in a replset.
+// Test that dropping the replset oplog, the local database, and the admin database are all
+// prohibited in a replset.
 
 (function() {
     "use strict";
-    var rt = new ReplSetTest({name: "drop_oplog", nodes: 1, oplogSize: 30});
+    let rt = new ReplSetTest({name: "drop_oplog", nodes: 1, oplogSize: 30});
 
-    var nodes = rt.startSet();
+    let nodes = rt.startSet();
     rt.initiate();
-    var master = rt.getPrimary();
-    var ml = master.getDB('local');
+    let master = rt.getPrimary();
+    let localDB = master.getDB('local');
 
-    var threw = false;
+    let threw = false;
 
-    var ret = assert.commandFailed(ml.runCommand({drop: 'oplog.rs'}));
+    let ret = assert.commandFailed(localDB.runCommand({drop: 'oplog.rs'}));
     assert.eq('can\'t drop live oplog while replicating', ret.errmsg);
 
-    var dropOutput = ml.dropDatabase();
+    let dropOutput = localDB.dropDatabase();
     assert.eq(dropOutput.ok, 0);
     assert.eq(dropOutput.errmsg, "Cannot drop 'local' database while replication is active");
 
-    var renameOutput = ml.oplog.rs.renameCollection("poison");
+    let adminDB = master.getDB('admin');
+    dropOutput = adminDB.dropDatabase();
+    assert.eq(dropOutput.ok, 0);
+    assert.eq(dropOutput.errmsg, "Cannot drop 'admin' database while replication is active");
+
+    let renameOutput = localDB.oplog.rs.renameCollection("poison");
     assert.eq(renameOutput.ok, 0);
     assert.eq(renameOutput.errmsg, "can't rename live oplog while replicating");
 
-    assert.writeOK(ml.foo.insert({a: 1}));
-    renameOutput = ml.foo.renameCollection("oplog.rs");
+    assert.writeOK(localDB.foo.insert({a: 1}));
+    renameOutput = localDB.foo.renameCollection("oplog.rs");
     assert.eq(renameOutput.ok, 0);
     assert.eq(renameOutput.errmsg, "can't rename to live oplog while replicating");
 
diff --git a/src/mongo/db/commands/dbcommands.cpp b/src/mongo/db/commands/dbcommands.cpp
index 15851760bc5..5510cdba35f 100644
--- a/src/mongo/db/commands/dbcommands.cpp
+++ b/src/mongo/db/commands/dbcommands.cpp
@@ -181,11 +181,12 @@ public:
 
         if ((repl::getGlobalReplicationCoordinator()->getReplicationMode() !=
              repl::ReplicationCoordinator::modeNone) &&
-            (dbname == NamespaceString::kLocalDb)) {
-            return appendCommandStatus(result,
-                                       Status(ErrorCodes::IllegalOperation,
-                                              "Cannot drop 'local' database while replication "
-                                              "is active"));
+            ((dbname == NamespaceString::kLocalDb) || (dbname == NamespaceString::kAdminDb))) {
+            return appendCommandStatus(
+                result,
+                Status(ErrorCodes::IllegalOperation,
+                       str::stream() << "Cannot drop '" << dbname
+                                     << "' database while replication is active"));
         }
         BSONElement e = cmdObj.firstElement();
         int p = (int)e.number();