authorShane Harvey <shane.harvey@mongodb.com>2016-03-25 17:13:17 -0400
committerShane Harvey <shane.harvey@mongodb.com>2016-04-13 14:19:55 -0400
commit26b55942cc467bca2cc2b935e517b443cf16c550 (patch)
tree770b6987c9ffa3796135a735deeb9299d842ba5c /jstests/ssl
parent0b490582031c2be63239ac0885801739946a2a78 (diff)
downloadmongo-26b55942cc467bca2cc2b935e517b443cf16c550.tar.gz
SERVER-6823 Enable Access control without downtime.
Add --tryClusterAuth flag that enables communication between nodes running with and without auth.
Diffstat (limited to 'jstests/ssl')
-rw-r--r--jstests/ssl/libs/ssl_helpers.js53
-rw-r--r--jstests/ssl/upgrade_allowssl_noauth_to_x509_ssl.js45
2 files changed, 96 insertions, 2 deletions
diff --git a/jstests/ssl/libs/ssl_helpers.js b/jstests/ssl/libs/ssl_helpers.js
index 5fab2f1f030..8067076610e 100644
--- a/jstests/ssl/libs/ssl_helpers.js
+++ b/jstests/ssl/libs/ssl_helpers.js
@@ -57,21 +57,70 @@ var replShouldFail = function(name, opt1, opt2) {
};
/**
+ * Test that $lookup works with a sharded source collection. This is tested because of
+ * the connections opened between mongos/shards and between the shards themselves.
+ */
+function testShardedLookup(shardingTest) {
+ var st = shardingTest;
+ assert(st.adminCommand({enableSharding: "lookupTest"}),
+ "error enabling sharding for this configuration");
+ assert(st.adminCommand({shardCollection: "lookupTest.foo", key: {_id: "hashed"}}),
+ "error sharding collection for this configuration");
+
+ var lookupdb = st.getDB("lookupTest");
+
+ // insert a few docs to ensure there are documents on multiple shards.
+ var fooBulk = lookupdb.foo.initializeUnorderedBulkOp();
+ var barBulk = lookupdb.bar.initializeUnorderedBulkOp();
+ var lookupShouldReturn = [];
+ for (var i = 0; i < 64; i++) {
+ fooBulk.insert({_id: i});
+ barBulk.insert({_id: i});
+ lookupShouldReturn.push({_id: i, bar_docs: [{_id: i}]});
+ }
+ assert.writeOK(fooBulk.execute());
+ assert.writeOK(barBulk.execute());
+
+ var docs = lookupdb.foo.aggregate([
+ {$sort: {_id: 1}},
+ {$lookup: {from: "bar", localField: "_id", foreignField: "_id", as: "bar_docs"}}
+ ]).toArray();
+ assert.eq(lookupShouldReturn, docs, "error $lookup failed in this configuration");
+ assert.commandWorked(lookupdb.dropDatabase());
+}
+
+/**
* Takes in two mongod/mongos configuration options and runs a basic
* sharding test to see if they can work together...
*/
function mixedShardTest(options1, options2, shouldSucceed) {
try {
- var st = new ShardingTest(
- {mongos: [options1], config: [options1], shards: [options1, options2]});
+ // Start ShardingTest with enableBalancer because ShardingTest attempts to turn
+ // off the balancer otherwise, which it will not be authorized to do if auth is enabled.
+ // Once SERVER-14017 is fixed the "enableBalancer" line can be removed.
+ var st = new ShardingTest({
+ mongos: [options1],
+ config: [options1],
+ shards: [options1, options2],
+ other: {enableBalancer: true}
+ });
+
+ // Create admin user in case the options include auth
+ st.admin.createUser({user: 'admin', pwd: 'pwd', roles: ['root']});
+ st.admin.auth('admin', 'pwd');
+
st.stopBalancer();
+ // Test that $lookup works because it causes outgoing connections to be opened
+ testShardedLookup(st);
+
// Test mongos talking to config servers
var r = st.adminCommand({enableSharding: "test"});
assert.eq(r, true, "error enabling sharding for this configuration");
st.ensurePrimaryShard("test", "shard0000");
r = st.adminCommand({movePrimary: 'test', to: 'shard0001'});
+ assert.eq(r, true, "error movePrimary failed for this configuration");
var db1 = st.getDB("test");
r = st.adminCommand({shardCollection: "test.col", key: {_id: 1}});
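Review bot: The result of `st.admin.auth('admin', 'pwd')` in mixedShardTest is discarded, so if authentication fails the test carries on unauthenticated and any later error is reported as a sharding or SSL incompatibility rather than an auth problem. Asserting it makes the failure point at the right cause: `assert(st.admin.auth('admin', 'pwd'), "error authenticating as admin for this configuration");`. The new createUser call and testShardedLookup also run inside the existing `try`, whose handler lies outside this hunk. If that handler treats any exception as the expected outcome when shouldSucceed is false, an unrelated failure in these steps would be counted as a pass, which is worth confirming.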
diff --git a/jstests/ssl/upgrade_allowssl_noauth_to_x509_ssl.js b/jstests/ssl/upgrade_allowssl_noauth_to_x509_ssl.js
new file mode 100644
index 00000000000..d4047b67173
--- /dev/null
+++ b/jstests/ssl/upgrade_allowssl_noauth_to_x509_ssl.js
@@ -0,0 +1,45 @@
+/**
+ * This test checks the upgrade path from noauth/allowSSL to x509/requireSSL
+ */
+
+load('jstests/ssl/libs/ssl_helpers.js');
+
+(function() {
+ 'use strict';
+
+ // Disable auth explicitly
+ var noAuthAllowSSL = Object.merge(allowSSL, {noauth: ''});
+
+ // Undefine the flags we're replacing, otherwise upgradeSet will keep old values.
+ var tryX509preferSSL =
+ Object.merge(preferSSL, {noauth: undefined, tryClusterAuth: '', clusterAuthMode: 'x509'});
+ var x509RequireSSL =
+ Object.merge(requireSSL, {tryClusterAuth: undefined, clusterAuthMode: 'x509'});
+
+ var rst = new ReplSetTest({name: 'noauthSet', nodes: 3, nodeOptions: noAuthAllowSSL});
+ rst.startSet();
+ rst.initiate();
+
+ var rstConn1 = rst.getPrimary();
+ // Create a user to login when auth is enabled later
+ rstConn1.getDB('admin').createUser({user: 'root', pwd: 'root', roles: ['root']});
+
+ rstConn1.getDB('test').a.insert({a: 1, str: 'TESTTESTTEST'});
+ assert.eq(1, rstConn1.getDB('test').a.count(), 'Error interacting with replSet');
+
+ print('=== UPGRADE no-auth/allowSSL -> try X509/preferSSL ===');
+ rst.upgradeSet(tryX509preferSSL);
+ var rstConn2 = rst.getPrimary();
+ rstConn2.getDB('test').a.insert({a: 1, str: 'TESTTESTTEST'});
+ assert.eq(2, rstConn2.getDB('test').a.count(), 'Error interacting with replSet');
+
+ print('=== UPGRADE try X509/preferSSL -> X509/requireSSL ===');
+ rst.upgradeSet(x509RequireSSL, 'root', 'root');
+
+ // upgradeSet leaves its connections logged in as root
+ var rstConn3 = rst.getPrimary();
+ rstConn3.getDB('test').a.insert({a: 1, str: 'TESTTESTTEST'});
+ assert.eq(3, rstConn3.getDB('test').a.count(), 'Error interacting with replSet');
+
+ rst.stopSet();
+}());
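Review bot: After the final `rst.upgradeSet(x509RequireSSL, 'root', 'root')` the test only writes through rstConn3, which the comment says is already logged in as root, so it would pass just as well if access control were never turned on. Since the upgrade is presumably meant to end with auth enforced, a negative check on a fresh, unauthenticated connection would pin that down, for example `var unauthConn = new Mongo(rstConn3.host);` followed by `assert.commandFailed(unauthConn.getDB('test').runCommand({count: 'a'}));` (assuming the test shell's SSL settings let a new connection reach a requireSSL node). The inserts are also unchecked; wrapping them in `assert.writeOK(...)`, as ssl_helpers.js does, would report a rejected write directly instead of through the count mismatch.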