author | Mark Benvenuto <mark.benvenuto@mongodb.com> | 2020-11-13 13:29:18 -0500 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2021-01-11 22:44:14 +0000 |
commit | c4e02cfb947578316e661b97ef2342b81629d1f0 (patch) | |
tree | 83fb4c2c9552aaec44e8e9ed9e9b39f537037476 | |
parent | e02ce7d7fad15b9d40dd79d6002ddb53fbbe74d3 (diff) | |
SERVER-48516 Verify at startup replica set with auth has a keyFile
(cherry picked from commit c38ec5727899cd563791d5ea4ec054cf6322498c)
-rw-r--r-- | jstests/auth/repl_require_keyfile.js | 17 | ||||
-rw-r--r-- | jstests/noPassthrough/change_streams_required_privileges.js | 2 | ||||
-rw-r--r-- | src/mongo/db/mongod_options.cpp | 11 |
3 files changed, 29 insertions, 1 deletions
diff --git a/jstests/auth/repl_require_keyfile.js b/jstests/auth/repl_require_keyfile.js
new file mode 100644
index 00000000000..fc5977a2d1d
--- /dev/null
+++ b/jstests/auth/repl_require_keyfile.js
@@ -0,0 +1,17 @@
+// Validate that starting a replica set with auth enabled requires a keyfile
+(function() {
+'use strict';
+
+const rsTest = new ReplSetTest({nodes: 1});
+
+clearRawMongoProgramOutput();
+
+assert.throws(function() {
+ rsTest.startSet({auth: "", oplogSize: 10});
+});
+
+const mongoOutput = rawMongoProgramOutput();
+assert(mongoOutput.indexOf(
+ "security.keyFile is required when authorization is enabled with replica sets") >= 0,
+ "Expected error message about missing keyFile on startup");
+})();
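Review bot: The test in repl_require_keyfile.js exercises only the rejection path, so the conditions that are meant to satisfy the new startup check are not pinned. Nothing here starts a node with `auth` plus a `keyFile`, and the x509 exemption in mongod_options.cpp has no coverage, so a later edit that drops or inverts the `clusterAuthMode` term would still pass. A second case that calls `rsTest.startSet({auth: "", keyFile: 'jstests/libs/key1'})` and expects success would catch a check that rejects too much. An x509 case would be worth adding if the suite's TLS fixtures allow it.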
\ No newline at end of file diff --git a/jstests/noPassthrough/change_streams_required_privileges.js b/jstests/noPassthrough/change_streams_required_privileges.js index 137896a3f8f..3a63dbbb797 100644 --- a/jstests/noPassthrough/change_streams_required_privileges.js +++ b/jstests/noPassthrough/change_streams_required_privileges.js @@ -16,7 +16,7 @@ rst.initiate(); const password = "test_password"; rst.getPrimary().getDB("admin").createUser( {user: "userAdmin", pwd: password, roles: [{db: "admin", role: "userAdminAnyDatabase"}]}); -rst.restart(0, {auth: ''}); +rst.restart(0, {auth: '', keyFile: 'jstests/libs/key1'}); const db = rst.getPrimary().getDB("test"); const coll = db.coll; diff --git a/src/mongo/db/mongod_options.cpp b/src/mongo/db/mongod_options.cpp index 0957953cf05..7df722f9bd5 100644 --- a/src/mongo/db/mongod_options.cpp +++ b/src/mongo/db/mongod_options.cpp @@ -501,6 +501,17 @@ Status storeMongodOptions(const moe::Environment& params) { storageGlobalParams.allowOplogTruncation = false; } + if (!replSettings.getReplSetString().empty() && + (params.count("security.authorization") && + params["security.authorization"].as<std::string>() == "enabled") && + serverGlobalParams.clusterAuthMode.load() != ServerGlobalParams::ClusterAuthMode_x509 && + !params.count("security.keyFile")) { + return Status( + ErrorCodes::BadValue, + str::stream() + << "security.keyFile is required when authorization is enabled with replica sets"); + } + if (params.count("replication.enableMajorityReadConcern")) { serverGlobalParams.enableMajorityReadConcern = params["replication.enableMajorityReadConcern"].as<bool>(); |
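Review bot: The keyFile term of the new guard in storeMongodOptions is presence-only (`!params.count("security.keyFile")`), so a key that is set but empty would satisfy it as far as this hunk shows. A replica set with authorization enabled could then still get past this check without a usable internal-auth secret; whether a later stage rejects an empty path is not visible here. Consider tightening the term to `(!params.count("security.keyFile") || params["security.keyFile"].as<std::string>().empty())`. The x509 exemption also deserves a one-line comment such as `// x509 cluster auth authenticates members with certificates, so no keyFile is needed`. The check relies on `replSettings` and `serverGlobalParams.clusterAuthMode` already being populated earlier in the function, which starts and ends outside the hunk, so that ordering should be confirmed.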