SERVER-52955 KeysCollectionClientDirect should check if majority read concern is supported by storage engine

3 files changed, 72 insertions, 1 deletions

diff --git a/buildscripts/resmokeconfig/suites/multiversion_auth.yml b/buildscripts/resmokeconfig/suites/multiversion_auth.yml
index 58421d804af..f3640884d0d 100644
--- a/buildscripts/resmokeconfig/suites/multiversion_auth.yml
+++ b/buildscripts/resmokeconfig/suites/multiversion_auth.yml
@@ -19,6 +19,8 @@ selector:
   # TODO: SERVER-30161
   - jstests/multiVersion/dumprestore.js
   - jstests/multiVersion/dumprestore_sharded.js
+  # Skip any tests that run with auth explicitly.
+  - jstests/multiVersion/load_keys_on_upgrade.js
 
 # Multiversion tests start their own mongod's.
 executor:
diff --git a/jstests/multiVersion/load_keys_on_upgrade.js b/jstests/multiVersion/load_keys_on_upgrade.js
new file mode 100644
index 00000000000..f4b6707b53b
--- /dev/null
+++ b/jstests/multiVersion/load_keys_on_upgrade.js
@@ -0,0 +1,68 @@
+//
+// Tests to validate that correct read concern is used to load clusterTime signing keys from
+// admin.system.keys on upgrade.
+//
+
+load('./jstests/multiVersion/libs/multi_rs.js');
+
+var oldVersion = "last-stable";
+
+var nodes = {
+    n1: {binVersion: oldVersion},
+    n2: {binVersion: oldVersion},
+    n3: {binVersion: oldVersion}
+};
+
+function authAllNodes(rst) {
+    for (let node of rst.nodes) {
+        assert.eq(1, node.getDB("admin").auth("root", "root"));
+    }
+}
+
+var keyFile = "jstests/libs/key1";
+var rst = new ReplSetTest({nodes: nodes, waitForKeys: false, nodeOptions: {keyFile: keyFile}});
+
+rst.startSet();
+
+rst.initiateWithAnyNodeAsPrimary(
+    Object.extend(rst.getReplSetConfig(), {writeConcernMajorityJournalDefault: true}));
+
+// Wait for a primary node...
+var primary = rst.getPrimary();
+
+primary.getDB("admin").createUser({user: "root", pwd: "root", roles: ["root"]}, {w: 3});
+
+authAllNodes(rst);
+primary.getDB("admin").createRole({
+    role: "systemkeys",
+    privileges: [{resource: {db: "admin", collection: "system.keys"}, actions: ["find"]}],
+    roles: []
+},
+                                  {w: 3});
+primary.getDB("admin").grantRolesToUser("root", ["systemkeys"], {w: 3});
+
+assert.soonNoExcept(function(timeout) {
+    var keyCnt = primary.getCollection('admin.system.keys').find({purpose: 'HMAC'}).itcount();
+    return keyCnt >= 2;
+}, "Awaiting keys", 5 * 1000);
+
+var rsConn = new Mongo(rst.getURL());
+assert.eq(1, rsConn.getDB("admin").auth("root", "root"));
+assert.commandWorked(rsConn.adminCommand({isMaster: 1}));
+print("clusterTime: " + tojson(rsConn.getDB("admin").getSession().getClusterTime()));
+
+jsTest.log("Upgrading replica set...");
+
+rst.upgradeSet({keyFile: keyFile, binVersion: "latest"}, "root", "root");
+
+jsTest.log("Replica set upgraded.");
+
+try {
+    rsConn.adminCommand({isMaster: 1});
+} catch (e) {
+}
+assert.eq(1, rsConn.getDB("admin").auth("root", "root"));
+assert.commandWorked(rsConn.adminCommand({isMaster: 1}));
+print("clusterTime2: " + tojson(rsConn.getDB("admin").getSession().getClusterTime()));
+
+rst.stopSet();
\ No newline at end of file
diff --git a/src/mongo/db/keys_collection_client_direct.cpp b/src/mongo/db/keys_collection_client_direct.cpp
index 0eaf90ce7a9..443deb1dd1b 100644
--- a/src/mongo/db/keys_collection_client_direct.cpp
+++ b/src/mongo/db/keys_collection_client_direct.cpp
@@ -85,7 +85,8 @@ StatusWith<std::vector<KeysCollectionDocument>> KeysCollectionClientDirect::getN
     queryBuilder.append("purpose", purpose);
     queryBuilder.append("expiresAt", BSON("$gt" << newerThanThis.asTimestamp()));
 
-    auto readConcern = serverGlobalParams.enableMajorityReadConcern && useMajority
+    auto storageEngine = opCtx->getServiceContext()->getStorageEngine();
+    auto readConcern = storageEngine->supportsReadConcernMajority() && useMajority
         ? repl::ReadConcernLevel::kMajorityReadConcern
         : repl::ReadConcernLevel::kLocalReadConcern;