authorSophia Tan <sophia_tll@hotmail.com>2022-11-21 16:26:11 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2022-11-21 18:17:22 +0000
commit3b3961b638da17d54875b5cab45a01238168b0a3 (patch)
treeb896c8837adfbf8fa488faf3df7fa818d370ea1b /jstests/core
parentf590e944138f1e2d091926df9413f7412c9f477f (diff)
downloadmongo-3b3961b638da17d54875b5cab45a01238168b0a3.tar.gz
SERVER-70975 Exclude commands which are not allowed with security token from NTDI core passthrough (Part 2)
Diffstat (limited to 'jstests/core')
-rw-r--r--jstests/core/convert_to_capped.js2
-rw-r--r--jstests/core/convert_to_capped_nonexistant.js3
-rw-r--r--jstests/core/count10.js2
-rw-r--r--jstests/core/count_plan_summary.js2
-rw-r--r--jstests/core/create_collection_fail_cleanup.js4
-rw-r--r--jstests/core/currentop.js2
-rw-r--r--jstests/core/currentop_shell.js2
-rw-r--r--jstests/core/currentop_waiting_for_latch.js8
-rw-r--r--jstests/core/datasize2.js4
-rw-r--r--jstests/core/datasize_validation.js4
-rw-r--r--jstests/core/dbhash.js2
-rw-r--r--jstests/core/dbhash2.js2
-rw-r--r--jstests/core/diagdata.js3
-rw-r--r--jstests/core/disallow_query_wrapped_cmd_format.js2
-rw-r--r--jstests/core/doc_validation_invalid_validators.js2
-rw-r--r--jstests/core/drop_collection.js3
-rw-r--r--jstests/core/explain_find_and_modify.js2
-rw-r--r--jstests/core/expr.js2
-rw-r--r--jstests/core/failcommand_failpoint.js2
-rw-r--r--jstests/core/fsync.js2
-rw-r--r--jstests/core/function_string_representations.js2
-rw-r--r--jstests/core/geo_big_polygon3.js2
-rw-r--r--jstests/core/geo_s2cursorlimitskip.js2
-rw-r--r--jstests/core/geo_update_btree2.js2
-rw-r--r--jstests/core/getlog1.js4
-rw-r--r--jstests/core/getlog2.js2
-rw-r--r--jstests/core/getmore_invalidated_cursors.js2
-rw-r--r--jstests/core/hash.js2
-rw-r--r--jstests/core/hostinfo.js2
-rw-r--r--jstests/core/illegal_cmd_namespace.js2
-rw-r--r--jstests/core/index8.js2
-rw-r--r--jstests/core/index_filter_catalog_independent.js3
-rw-r--r--jstests/core/index_filter_collation.js3
-rw-r--r--jstests/core/index_filter_commands.js3
-rw-r--r--jstests/core/index_filter_commands_invalidate_plan_cache_entries.js3
-rw-r--r--jstests/core/index_filter_on_hidden_index.js3
-rw-r--r--jstests/core/index_stats.js2
-rw-r--r--jstests/core/js_object_properties.js2
38 files changed, 92 insertions, 6 deletions
diff --git a/jstests/core/convert_to_capped.js b/jstests/core/convert_to_capped.js
index 73694bc52d0..704e0ef0915 100644
--- a/jstests/core/convert_to_capped.js
+++ b/jstests/core/convert_to_capped.js
@@ -1,7 +1,9 @@
/**
* Test the convertToCapped cmd.
*
+ * The test runs commands that are not allowed with security token: convertToCapped.
* @tags: [
+ * not_allowed_with_security_token,
* requires_non_retryable_commands,
* requires_capped,
* ]
diff --git a/jstests/core/convert_to_capped_nonexistant.js b/jstests/core/convert_to_capped_nonexistant.js
index aa584ec31a7..96844261224 100644
--- a/jstests/core/convert_to_capped_nonexistant.js
+++ b/jstests/core/convert_to_capped_nonexistant.js
@@ -2,7 +2,10 @@
* This test ensures that ConvertToCapped()ing a nonexistent collection will not cause the server to
* abort (SERVER-13750)
*
+ * The test runs commands that are not allowed with security token: ConvertToCapped,
+ * convertToCapped.
* @tags: [
+ * not_allowed_with_security_token,
* requires_non_retryable_commands,
*
* # capped collections is not available on embedded
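Review bot: The note added on the two `+` comment lines lists `ConvertToCapped, convertToCapped`, which is one command spelled twice; the capitalised form seems to come from the test description above rather than from a command the test runs. I would reduce it to `The test runs commands that are not allowed with security token: convertToCapped.` The same kind of duplicate appears in diagdata.js (`getDiagnosticData, getDiagnosticData`), and illegal_cmd_namespace.js writes `killop` where count10.js and the other files in this commit write `killOp`. The comment block starts and ends outside the hunk.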
diff --git a/jstests/core/count10.js b/jstests/core/count10.js
index c981e45a9b8..7f5e2957abe 100644
--- a/jstests/core/count10.js
+++ b/jstests/core/count10.js
@@ -1,6 +1,8 @@
// Test that interrupting a count returns an error code.
//
+// The test runs commands that are not allowed with security token: killOp.
// @tags: [
+// not_allowed_with_security_token,
// # This test attempts to perform a count command and find it using the currentOp command. The
// # former operation may be routed to a secondary in the replica set, whereas the latter must be
// # routed to the primary.
diff --git a/jstests/core/count_plan_summary.js b/jstests/core/count_plan_summary.js
index f38e6f00a11..9db379a1a0a 100644
--- a/jstests/core/count_plan_summary.js
+++ b/jstests/core/count_plan_summary.js
@@ -1,6 +1,8 @@
// Test that the plan summary string appears in db.currentOp() for count operations. SERVER-14064.
//
+// The test runs commands that are not allowed with security token: killOp.
// @tags: [
+// not_allowed_with_security_token,
// # This test attempts to perform a find command and find it using the currentOp command. The
// # former operation may be routed to a secondary in the replica set, whereas the latter must be
// # routed to the primary.
diff --git a/jstests/core/create_collection_fail_cleanup.js b/jstests/core/create_collection_fail_cleanup.js
index 90d636dbd3a..8e39ddf5379 100644
--- a/jstests/core/create_collection_fail_cleanup.js
+++ b/jstests/core/create_collection_fail_cleanup.js
@@ -1,6 +1,8 @@
// Test that the server cleans up correctly when creating a collection fails.
//
-// @tags: [requires_capped]
+// The test runs commands that are not allowed with security token: top.
+// @tags: [
+// not_allowed_with_security_token,requires_capped]
(function() {
"use strict";
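Review bot: The rewritten tag list packs `not_allowed_with_security_token,requires_capped]` onto one line with no space after the comma and the closing bracket attached, unlike the one-tag-per-line lists in the other files of this commit. I would give each tag its own line, `//   not_allowed_with_security_token,` then `//   requires_capped,`, with `// ]` closing the list. datasize2.js, datasize_validation.js and getlog1.js have the same packed form.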
diff --git a/jstests/core/currentop.js b/jstests/core/currentop.js
index 41c2e36110f..a59cd53065a 100644
--- a/jstests/core/currentop.js
+++ b/jstests/core/currentop.js
@@ -1,7 +1,9 @@
/**
* Tests that long-running operations show up in currentOp and report the locks they are holding.
*
+ * The test runs commands that are not allowed with security token: fsyncUnlock.
* @tags: [
+ * not_allowed_with_security_token,
* assumes_superuser_permissions,
* # fsync command is not available on embedded
* incompatible_with_embedded,
diff --git a/jstests/core/currentop_shell.js b/jstests/core/currentop_shell.js
index c96ef2507f1..365e1ab3344 100644
--- a/jstests/core/currentop_shell.js
+++ b/jstests/core/currentop_shell.js
@@ -2,7 +2,9 @@
* Tests that the shell helper db.currentOpCursor isn't constrained by the legacy currentOp server
* command - ie. the result set isn't limited to 16MB and long operations aren't truncated.
*
+ * The test runs commands that are not allowed with security token: getLog, killOp.
* @tags: [
+ * not_allowed_with_security_token,
* uses_parallel_shell,
* # This test uses currentOp to check whether an aggregate command is running. In replica set
* # environments, because currentOp is run against the admin database it is routed to the
diff --git a/jstests/core/currentop_waiting_for_latch.js b/jstests/core/currentop_waiting_for_latch.js
index c8a18d57d84..b02f219fe02 100644
--- a/jstests/core/currentop_waiting_for_latch.js
+++ b/jstests/core/currentop_waiting_for_latch.js
@@ -2,7 +2,13 @@
* Tests that a backtrace will appear in the $currentOp output if the backtrace option is
* set to true and there is a latch timeout.
*
- * @tags: [assumes_read_concern_unchanged, assumes_read_preference_unchanged, no_selinux]
+ * The test runs commands that are not allowed with security token: whatsmyuri.
+ * @tags: [
+ * not_allowed_with_security_token,
+ * assumes_read_concern_unchanged,
+ * assumes_read_preference_unchanged,
+ * no_selinux
+ * ]
*/
(function() {
"use strict";
diff --git a/jstests/core/datasize2.js b/jstests/core/datasize2.js
index a9d008e2ed1..08be0bfe12c 100644
--- a/jstests/core/datasize2.js
+++ b/jstests/core/datasize2.js
@@ -1,6 +1,8 @@
// Cannot implicitly shard accessed collections because the "dataSize" command returns an
// "keyPattern must equal shard key" error response.
-// @tags: [assumes_unsharded_collection, no_selinux]
+// The test runs commands that are not allowed with security token: dataSize.
+// @tags: [
+// not_allowed_with_security_token,assumes_unsharded_collection, no_selinux]
//
// Test dataSize command, when called on the same or different database
// than the collection being queried.
diff --git a/jstests/core/datasize_validation.js b/jstests/core/datasize_validation.js
index f4e55106166..e7d62c4287b 100644
--- a/jstests/core/datasize_validation.js
+++ b/jstests/core/datasize_validation.js
@@ -1,6 +1,8 @@
// Cannot implicitly shard accessed collections because the "dataSize" command returns an
// "keyPattern must equal shard key" error response.
-// @tags: [assumes_unsharded_collection, requires_fcv_53]
+// The test runs commands that are not allowed with security token: dataSize.
+// @tags: [
+// not_allowed_with_security_token,assumes_unsharded_collection, requires_fcv_53]
//
// Test argument validation for dataSize command
diff --git a/jstests/core/dbhash.js b/jstests/core/dbhash.js
index 47143e7d9b4..09de8326056 100644
--- a/jstests/core/dbhash.js
+++ b/jstests/core/dbhash.js
@@ -1,4 +1,6 @@
+// The test runs commands that are not allowed with security token: dbhash.
// @tags: [
+// not_allowed_with_security_token,
// # dbhash command is not available on embedded
// incompatible_with_embedded,
// ]
diff --git a/jstests/core/dbhash2.js b/jstests/core/dbhash2.js
index f62025b382e..4842d209515 100644
--- a/jstests/core/dbhash2.js
+++ b/jstests/core/dbhash2.js
@@ -1,4 +1,6 @@
+// The test runs commands that are not allowed with security token: dbhash.
// @tags: [
+// not_allowed_with_security_token,
// assumes_superuser_permissions,
// # dbhash command is not available on embedded
// incompatible_with_embedded,
diff --git a/jstests/core/diagdata.js b/jstests/core/diagdata.js
index 15b47b591f4..6e76f193288 100644
--- a/jstests/core/diagdata.js
+++ b/jstests/core/diagdata.js
@@ -1,7 +1,10 @@
/*
* Test that verifies getDiagnosticData returns FTDC data
*
+ * The test runs commands that are not allowed with security token: getDiagnosticData,
+ * getDiagnosticData.
* @tags: [
+ * not_allowed_with_security_token,
* # getDiagnosticData command is not available on embedded
* incompatible_with_embedded,
* # getDiagnosticData is not supported on mongos
diff --git a/jstests/core/disallow_query_wrapped_cmd_format.js b/jstests/core/disallow_query_wrapped_cmd_format.js
index 5da96528fa9..c98db1dd8f6 100644
--- a/jstests/core/disallow_query_wrapped_cmd_format.js
+++ b/jstests/core/disallow_query_wrapped_cmd_format.js
@@ -1,8 +1,10 @@
/**
* Test that the "wrapped" command format using {$query: <cmd>} fails cleanly.
*
+ * The test runs commands that are not allowed with security token: query.
* @tags: [
* requires_fcv_63,
+ * not_allowed_with_security_token,
* ]
*/
(function() {
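Review bot: The added comment names `query` as the disallowed command, which does not look like a command name and may have been picked up from the `{$query: <cmd>}` wrapper in the description. Since `not_allowed_with_security_token` presumably removes the file from the security-token passthrough named in the commit title, a tag added for a misdetected name would drop coverage of that path without need. The comment should name the command the test really issues, or the tag should go if there is none. `eval` in doc_validation_invalid_validators.js deserves the same check. The new tag is also placed after `requires_fcv_63`, where every other file in this commit puts it first.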
diff --git a/jstests/core/doc_validation_invalid_validators.js b/jstests/core/doc_validation_invalid_validators.js
index b816100b0a2..3bb7d41f926 100644
--- a/jstests/core/doc_validation_invalid_validators.js
+++ b/jstests/core/doc_validation_invalid_validators.js
@@ -1,6 +1,8 @@
// Cannot implicitly shard accessed collections because of collection existing when none
// expected.
+// The test runs commands that are not allowed with security token: eval.
// @tags: [
+// not_allowed_with_security_token,
// assumes_no_implicit_collection_creation_after_drop,
// requires_non_retryable_commands,
// ]
diff --git a/jstests/core/drop_collection.js b/jstests/core/drop_collection.js
index 2d44ca0379f..3dd4bafbe1b 100644
--- a/jstests/core/drop_collection.js
+++ b/jstests/core/drop_collection.js
@@ -1,7 +1,8 @@
/**
* Basic test for the drop collection command
- *
+ * The test runs commands that are not allowed with security token: isbdgrid.
* @tags: [
+ * not_allowed_with_security_token,
* # Cannot implicitly shard accessed collections because of collection
* # existing when none expected.
* assumes_no_implicit_collection_creation_after_drop,
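Review bot: `isbdgrid` in the added comment line looks like a transposition of the `isdbgrid` command, so a search for the real name will not find this file; I would write `The test runs commands that are not allowed with security token: isdbgrid.` explain_find_and_modify.js carries the same spelling. This hunk also replaces the blank ` *` separator, so the note now runs straight on from the test description; keeping the separator line before it would match convert_to_capped.js. The comment block continues outside the hunk.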
diff --git a/jstests/core/explain_find_and_modify.js b/jstests/core/explain_find_and_modify.js
index 6a6d13221e1..5809c94ce55 100644
--- a/jstests/core/explain_find_and_modify.js
+++ b/jstests/core/explain_find_and_modify.js
@@ -1,6 +1,8 @@
// Cannot implicitly shard accessed collections because of collection existing when none
// expected.
+// The test runs commands that are not allowed with security token: isbdgrid.
// @tags: [
+// not_allowed_with_security_token,
// assumes_no_implicit_collection_creation_after_drop,
// ]
diff --git a/jstests/core/expr.js b/jstests/core/expr.js
index 16d6e99780d..0e30b4584ca 100644
--- a/jstests/core/expr.js
+++ b/jstests/core/expr.js
@@ -1,4 +1,6 @@
+// The test runs commands that are not allowed with security token: mapReduce.
// @tags: [
+// not_allowed_with_security_token,
// does_not_support_stepdowns,
// requires_getmore,
// requires_non_retryable_writes,
diff --git a/jstests/core/failcommand_failpoint.js b/jstests/core/failcommand_failpoint.js
index b13f758008d..4eee98dcb9a 100644
--- a/jstests/core/failcommand_failpoint.js
+++ b/jstests/core/failcommand_failpoint.js
@@ -1,6 +1,8 @@
/**
* Tests the "failCommand" failpoint.
+ * The test runs commands that are not allowed with security token: whatsmyuri.
* @tags: [
+ * not_allowed_with_security_token,
* assumes_read_concern_unchanged,
* assumes_read_preference_unchanged,
* no_selinux,
diff --git a/jstests/core/fsync.js b/jstests/core/fsync.js
index ee66fcb313f..4369f1a81ab 100644
--- a/jstests/core/fsync.js
+++ b/jstests/core/fsync.js
@@ -6,7 +6,9 @@
* - Confirm that writes can progress after fsyncUnlock
* - Confirm that the command can be run repeatedly without breaking things
*
+ * The test runs commands that are not allowed with security token: fsync, fsyncUnlock.
* @tags: [
+ * not_allowed_with_security_token,
* requires_fastcount,
* requires_fsync,
* uses_parallel_shell,
diff --git a/jstests/core/function_string_representations.js b/jstests/core/function_string_representations.js
index 9d79bb9c8d4..283a785238d 100644
--- a/jstests/core/function_string_representations.js
+++ b/jstests/core/function_string_representations.js
@@ -1,4 +1,6 @@
+// The test runs commands that are not allowed with security token: mapReduce.
// @tags: [
+// not_allowed_with_security_token,
// does_not_support_stepdowns,
// uses_map_reduce_with_temp_collections,
// ]
diff --git a/jstests/core/geo_big_polygon3.js b/jstests/core/geo_big_polygon3.js
index 3f47a6b91eb..c0b4a7e9012 100644
--- a/jstests/core/geo_big_polygon3.js
+++ b/jstests/core/geo_big_polygon3.js
@@ -1,4 +1,6 @@
+// The test runs commands that are not allowed with security token: mapReduce.
// @tags: [
+// not_allowed_with_security_token,
// does_not_support_stepdowns,
// requires_fastcount,
// requires_multi_updates,
diff --git a/jstests/core/geo_s2cursorlimitskip.js b/jstests/core/geo_s2cursorlimitskip.js
index cafee153af5..7a2aa2f5782 100644
--- a/jstests/core/geo_s2cursorlimitskip.js
+++ b/jstests/core/geo_s2cursorlimitskip.js
@@ -1,6 +1,8 @@
// Test various cursor behaviors
//
+// The test runs commands that are not allowed with security token: profile, setProfilingLevel.
// @tags: [
+// not_allowed_with_security_token,
// # This test attempts to enable profiling on a server and then get profiling data by reading
// # nodes the "system.profile" collection. The former operation must be routed to the primary in
// # a replica set, whereas the latter may be routed to a secondary.
diff --git a/jstests/core/geo_update_btree2.js b/jstests/core/geo_update_btree2.js
index 962d8b524f4..9f1f59fc162 100644
--- a/jstests/core/geo_update_btree2.js
+++ b/jstests/core/geo_update_btree2.js
@@ -1,4 +1,6 @@
+// The test runs commands that are not allowed with security token: setParameter.
// @tags: [
+// not_allowed_with_security_token,
// assumes_superuser_permissions,
// does_not_support_stepdowns,
// requires_getmore,
diff --git a/jstests/core/getlog1.js b/jstests/core/getlog1.js
index d55e68740dd..a5989e87c75 100644
--- a/jstests/core/getlog1.js
+++ b/jstests/core/getlog1.js
@@ -1,4 +1,6 @@
-// @tags: [does_not_support_stepdowns]
+// The test runs commands that are not allowed with security token: getLog.
+// @tags: [
+// not_allowed_with_security_token,does_not_support_stepdowns]
// to run:
// ./mongo jstests/<this-file>
diff --git a/jstests/core/getlog2.js b/jstests/core/getlog2.js
index e6c8556069b..765814aa062 100644
--- a/jstests/core/getlog2.js
+++ b/jstests/core/getlog2.js
@@ -1,6 +1,8 @@
// tests getlog as well as slow querying logging
//
+// The test runs commands that are not allowed with security token: getLog.
// @tags: [
+// not_allowed_with_security_token,
// # This test attempts to perform a find command and see that it ran using the getLog command.
// # The former operation may be routed to a secondary in the replica set, whereas the latter must
// # be routed to the primary.
diff --git a/jstests/core/getmore_invalidated_cursors.js b/jstests/core/getmore_invalidated_cursors.js
index a7f8a9936d5..4eca5fb297c 100644
--- a/jstests/core/getmore_invalidated_cursors.js
+++ b/jstests/core/getmore_invalidated_cursors.js
@@ -1,4 +1,6 @@
+// The test runs commands that are not allowed with security token: killCursors.
// @tags: [
+// not_allowed_with_security_token,
// assumes_balancer_off,
// requires_collstats,
// requires_getmore,
diff --git a/jstests/core/hash.js b/jstests/core/hash.js
index ab522564cfb..3b0367080cc 100644
--- a/jstests/core/hash.js
+++ b/jstests/core/hash.js
@@ -4,7 +4,9 @@
* time or across architectures. This is a good place to put tests for any edge cases in the hash
* function that might be prone to change because of code changes or because of differences between
* architectures.
+ * The test runs commands that are not allowed with security token: _hashBSONElement.
* @tags: [
+ * not_allowed_with_security_token,
* no_selinux,
* ]
*/
diff --git a/jstests/core/hostinfo.js b/jstests/core/hostinfo.js
index 04f341a659d..0c5ed858f49 100644
--- a/jstests/core/hostinfo.js
+++ b/jstests/core/hostinfo.js
@@ -1,4 +1,6 @@
+// The test runs commands that are not allowed with security token: hostInfo.
// @tags: [
+// not_allowed_with_security_token,
// # `hostInfo` command is not available on embedded
// incompatible_with_embedded,
// ]
diff --git a/jstests/core/illegal_cmd_namespace.js b/jstests/core/illegal_cmd_namespace.js
index 3dc26c4e67a..f3075337abe 100644
--- a/jstests/core/illegal_cmd_namespace.js
+++ b/jstests/core/illegal_cmd_namespace.js
@@ -2,7 +2,9 @@
* Test that an attempt to run a query over a $cmd namespace is not treated specially by the shell,
* but is rejected by the server.
*
+ * The test runs commands that are not allowed with security token: killop.
* @tags: [
+ * not_allowed_with_security_token,
* assumes_unsharded_collection,
* ]
*/
diff --git a/jstests/core/index8.js b/jstests/core/index8.js
index f070e6604bd..3887906dddc 100644
--- a/jstests/core/index8.js
+++ b/jstests/core/index8.js
@@ -1,4 +1,6 @@
+// The test runs commands that are not allowed with security token: reIndex.
// @tags: [
+// not_allowed_with_security_token,
// # Asserts on the output of listIndexes.
// assumes_no_implicit_index_creation,
// # Cannot implicitly shard accessed collections because of not being able to create unique
diff --git a/jstests/core/index_filter_catalog_independent.js b/jstests/core/index_filter_catalog_independent.js
index 48889c7e414..2c244fdb070 100644
--- a/jstests/core/index_filter_catalog_independent.js
+++ b/jstests/core/index_filter_catalog_independent.js
@@ -2,7 +2,10 @@
* Test that index filters are applied regardless of catalog changes. Intended to reproduce
* SERVER-33303.
*
+ * The test runs commands that are not allowed with security token: planCacheListFilters,
+ * planCacheSetFilter.
* @tags: [
+ * not_allowed_with_security_token,
* # This test performs queries with index filters set up. Since index filters are local to a
* # mongod, and do not replicate, this test must issue all of its commands against the same node.
* assumes_read_preference_unchanged,
diff --git a/jstests/core/index_filter_collation.js b/jstests/core/index_filter_collation.js
index 917b6679563..b1b3edaa3d0 100644
--- a/jstests/core/index_filter_collation.js
+++ b/jstests/core/index_filter_collation.js
@@ -1,6 +1,9 @@
/**
* Test that index filters are applied with the correct collation.
+ * The test runs commands that are not allowed with security token: planCacheListFilters,
+ * planCacheSetFilter.
* @tags: [
+ * not_allowed_with_security_token,
* # Needs to create a collection with a collation.
* assumes_no_implicit_collection_creation_after_drop,
* # This test attempts to perform queries with plan cache filters set up. The former operation
diff --git a/jstests/core/index_filter_commands.js b/jstests/core/index_filter_commands.js
index 68cf83166a5..1272cb2fd19 100644
--- a/jstests/core/index_filter_commands.js
+++ b/jstests/core/index_filter_commands.js
@@ -19,7 +19,10 @@
* using the $planCacheStats aggregation metadata source on the same query shape with the index
* filters.
*
+ * The test runs commands that are not allowed with security token: planCacheClearFilters,
+ * planCacheListFilters, planCacheSetFilter.
* @tags: [
+ * not_allowed_with_security_token,
* # Cannot implicitly shard accessed collections because of collection existing when none
* # expected.
* assumes_no_implicit_collection_creation_after_drop,
diff --git a/jstests/core/index_filter_commands_invalidate_plan_cache_entries.js b/jstests/core/index_filter_commands_invalidate_plan_cache_entries.js
index 9fd0cae1889..059241284ac 100644
--- a/jstests/core/index_filter_commands_invalidate_plan_cache_entries.js
+++ b/jstests/core/index_filter_commands_invalidate_plan_cache_entries.js
@@ -1,7 +1,10 @@
/**
* Test that index filter commands (planCacheSetFilter, planCacheClearFilters) invalidate the
* corresponding plan cache entries.
+ * The test runs commands that are not allowed with security token: planCacheClearFilters,
+ * planCacheSetFilter.
* @tags: [
+ * not_allowed_with_security_token,
* # This test attempts to perform queries with plan cache filters set up. The index filter
* # commands and the queries to which those index filters apply could be routed to different
* # nodes.
diff --git a/jstests/core/index_filter_on_hidden_index.js b/jstests/core/index_filter_on_hidden_index.js
index 9dcb98a0986..770802b8b3e 100644
--- a/jstests/core/index_filter_on_hidden_index.js
+++ b/jstests/core/index_filter_on_hidden_index.js
@@ -9,7 +9,10 @@
* - It is legal to set an index filter on a hidden index, but the index will not actually be
* used until it is made visible.
*
+ * The test runs commands that are not allowed with security token: planCacheListFilters,
+ * planCacheSetFilter.
* @tags: [
+ * not_allowed_with_security_token,
* # Command 'planCacheSetFilter' may return different values after a failover.
* does_not_support_stepdowns,
* # In some scenarios this test asserts that a collection scan is the chosen plan.
diff --git a/jstests/core/index_stats.js b/jstests/core/index_stats.js
index 3c8c98764a3..8561cbd2029 100644
--- a/jstests/core/index_stats.js
+++ b/jstests/core/index_stats.js
@@ -1,4 +1,6 @@
+// The test runs commands that are not allowed with security token: mapReduce.
// @tags: [
+// not_allowed_with_security_token,
// # This test attempts to perform write operations and get index usage statistics using the
// # $indexStats stage. The former operation must be routed to the primary in a replica set,
// # whereas the latter may be routed to a secondary.
diff --git a/jstests/core/js_object_properties.js b/jstests/core/js_object_properties.js
index 8c42fb5b208..fb4313cc0ea 100644
--- a/jstests/core/js_object_properties.js
+++ b/jstests/core/js_object_properties.js
@@ -1,6 +1,8 @@
// Tests that the properties available on the 'this' object during js execution are only those found
// in the database's BSON object.
+// The test runs commands that are not allowed with security token: mapReduce.
// @tags: [
+// not_allowed_with_security_token,
// # mapReduce does not support afterClusterTime.
// does_not_support_causal_consistency,
// ]