SERVER-21146 restrict splitChunk, moveChunk, mergeChunks on mongod to internal user only

author: Misha Tyulenev <misha@mongodb.com> 2015-11-03 18:07:01 -0500
committer: Misha Tyulenev <misha@mongodb.com> 2015-11-03 18:07:33 -0500
commit: 730e2cfca84134d1564fb80d851a42cc17ebcdb3 (patch)
tree: d8a1bf5ed68d16a7406df384d299b022c37a4d18 /jstests/auth/lib
parent: a396bcd73c6e07c93f3336139ce9c074cc6721b1 (diff)
download: mongo-730e2cfca84134d1564fb80d851a42cc17ebcdb3.tar.gz
1 files changed, 39 insertions, 4 deletions
diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js
index 7b8f82b1c92..8f427c680c5 100644
--- a/jstests/auth/lib/commands_lib.js
+++ b/jstests/auth/lib/commands_lib.js
@@ -1817,7 +1817,7 @@ var authCommandsLib = {
             ]
         },
         {
-            testname: "mergeChunks",
+            testname: "s_mergeChunks",
             command: {mergeChunks: "test.x", bounds: [{i : 0}, {i : 5}]},
             skipStandalone: true,
             testcases: [
@@ -1834,8 +1834,26 @@ var authCommandsLib = {
             ]
         },
         {
-            testname: "moveChunk",
+            testname: "d_mergeChunks",
+            command: {mergeChunks: "test.x", bounds: [{i : 0}, {i : 5}]},
+            skipSharded: true,
+            testcases: [
+                {
+                    runOnDb: adminDbName,
+                    roles: { __system: 1 },
+                    privileges: [
+                        { resource: {cluster: true}, actions: ["internal"] }
+                    ],
+                    expectFail: true
+                },
+                { runOnDb: firstDbName, roles: {} },
+                { runOnDb: secondDbName, roles: {} }
+            ]
+        },
+        {
+            testname: "s_moveChunk",
             command: {moveChunk: "test.x"},
+            skipStandalone: true,
             testcases: [
                 {
                     runOnDb: adminDbName,
@@ -1850,6 +1868,23 @@ var authCommandsLib = {
             ]
         },
         {
+            testname: "d_moveChunk",
+            command: {moveChunk: "test.x"},
+            skipSharded: true,
+            testcases: [
+                {
+                    runOnDb: adminDbName,
+                    roles: { __system: 1 },
+                    privileges: [
+                        { resource: {cluster: true}, actions: ["internal"] }
+                    ],
+                    expectFail: true
+                },
+                { runOnDb: firstDbName, roles: {} },
+                { runOnDb: secondDbName, roles: {} }
+            ]
+        },
+        {
             testname: "movePrimary",
             command: {movePrimary: "x"},
             skipStandalone: true,
@@ -2555,9 +2590,9 @@ var authCommandsLib = {
             testcases: [
                 {
                     runOnDb: adminDbName,
-                    roles: roles_clusterManager,
+                    roles: { __system: 1 },
                     privileges: [
-                        { resource: {db: "test", collection: "x"}, actions: ["splitChunk"] }
+                        { resource: {cluster: true}, actions: ["internal"] }
                     ],
                     expectFail: true
                 },
author	Misha Tyulenev <misha@mongodb.com>	2015-11-03 18:07:01 -0500
committer	Misha Tyulenev <misha@mongodb.com>	2015-11-03 18:07:33 -0500
commit	730e2cfca84134d1564fb80d851a42cc17ebcdb3 (patch)
tree	d8a1bf5ed68d16a7406df384d299b022c37a4d18 /jstests/auth/lib
parent	a396bcd73c6e07c93f3336139ce9c074cc6721b1 (diff)
download	mongo-730e2cfca84134d1564fb80d851a42cc17ebcdb3.tar.gz