author | Merry Mou <merry.mou@mongodb.com> | 2015-08-20 11:41:54 -0400 |
---|---|---|
committer | Merry Mou <merry.mou@mongodb.com> | 2015-08-21 16:06:42 -0400 |
commit | 0c695aa1e879af482dc3aea4768dbda223ff4592 (patch) | |
tree | d7bbb6da6c5ce72152a3378603132812e1d00401 /jstests/tool/dumprestore_auth2.js | |
parent | 024c4e0e10223d5d4156f748f567b992e29aaab0 (diff) | |
download | mongo-0c695aa1e879af482dc3aea4768dbda223ff4592.tar.gz |
SERVER-13647 give restore privileges to root
Diffstat (limited to 'jstests/tool/dumprestore_auth2.js')
-rw-r--r-- | jstests/tool/dumprestore_auth2.js | 208 |
1 files changed, 114 insertions, 94 deletions
diff --git a/jstests/tool/dumprestore_auth2.js b/jstests/tool/dumprestore_auth2.js
index fcc912f06db..85f73ee442a 100644
--- a/jstests/tool/dumprestore_auth2.js
+++ b/jstests/tool/dumprestore_auth2.js
@@ -2,97 +2,117 @@
 // Tests that mongodump and mongorestore properly handle access control information
 // Tests that the default auth roles of backup and restore work properly.
-t = new ToolTest("dumprestore_auth2", {auth: ""});
-
-coll = t.startDB("foo");
-admindb = coll.getDB().getSiblingDB("admin")
-
-// Create the relevant users and roles.
-admindb.createUser({user: "root", pwd: "pass", roles: ["root"]});
-admindb.auth("root", "pass");
-
-admindb.createUser({user: "backup", pwd: "pass", roles: ["backup"]});
-admindb.createUser({user: "restore", pwd: "pass", roles: ["restore"]});
-
-admindb.createRole({role: "customRole",
- privileges:[{resource: {db: "jstests_tool_dumprestore_auth2",
- collection: "foo"},
- actions: ["find"]}],
- roles:[]});
-admindb.createUser({user: "test", pwd: "pass", roles: ["customRole"]});
-
-coll.insert({word: "tomato"});
-assert.eq(1, coll.count());
-
-assert.eq(4, admindb.system.users.count(), "setup users")
-assert.eq(2, admindb.system.users.getIndexes().length,
- "setup2: " + tojson( admindb.system.users.getIndexes() ) );
-assert.eq(1, admindb.system.roles.count(), "setup3")
-assert.eq(2, admindb.system.roles.getIndexes().length, "setup4")
-assert.eq(1, admindb.system.version.count());
-var versionDoc = admindb.system.version.findOne();
-
-// Logout root user.
-admindb.logout();
-
-// Verify that the custom role works as expected.
-admindb.auth("test", "pass");
-assert.eq("tomato", coll.findOne().word);
-admindb.logout();
-
-// Dump the database.
-t.runTool("dump", "--out", t.ext, "--username", "backup", "--password", "pass");
-
-// Drop the relevant data in the database.
-admindb.auth("root", "pass");
-coll.getDB().dropDatabase();
-admindb.dropUser("backup");
-admindb.dropUser("test");
-admindb.dropRole("customRole");
-
-assert.eq(2, admindb.system.users.count(), "didn't drop backup and test users");
-assert.eq(0, admindb.system.roles.count(), "didn't drop roles");
-assert.eq(0, coll.count(), "didn't drop foo coll");
-
-// This test depends on W=0 to mask unique index violations.
-// This should be fixed once we implement TOOLS-341
-t.runTool("restore", "--dir", t.ext, "--username", "restore", "--password", "pass", "--writeConcern", "0");
-
-assert.soon("admindb.system.users.findOne()", "no data after restore");
-assert.eq(4, admindb.system.users.count(), "didn't restore users");
-assert.eq(2, admindb.system.users.getIndexes().length,
- "didn't restore user indexes");
-assert.eq(1, admindb.system.roles.find({role:'customRole'}).count(), "didn't restore roles");
-assert.eq(2, admindb.system.roles.getIndexes().length,
- "didn't restore role indexes");
-
-admindb.logout();
-
-// Login as user with customRole to verify privileges are restored.
-admindb.auth("test", "pass");
-assert.eq("tomato", coll.findOne().word);
-admindb.logout();
-
-admindb.auth("root", "pass");
-admindb.createUser({user: "root2", pwd: "pass", roles: ["root"]});
-admindb.dropRole("customRole");
-admindb.createRole({role: "customRole2", roles: [], privileges:[]});
-admindb.dropUser("root");
-admindb.logout();
-
-t.runTool("restore", "--dir", t.ext, "--username", "restore", "--password", "pass", "--drop", "--writeConcern", "0");
-
-admindb.auth("root", "pass");
-assert.soon("1 == admindb.system.users.find({user:'root'}).count()", "didn't restore users 2");
-assert.eq(0, admindb.system.users.find({user:'root2'}).count(), "didn't drop users");
-assert.eq(0, admindb.system.roles.find({role:'customRole2'}).count(), "didn't drop roles");
-assert.eq(1, admindb.system.roles.find({role:'customRole'}).count(), "didn't restore roles");
-assert.eq(2, admindb.system.users.getIndexes().length,
- "didn't maintain user indexes");
-assert.eq(2, admindb.system.roles.getIndexes().length,
- "didn't maintain role indexes");
-assert.eq(1, admindb.system.version.count(), "didn't restore version");
-assert.docEq(versionDoc, admindb.system.version.findOne(), "version doc wasn't restored properly");
-admindb.logout();
-
-t.stop();
+var dumpRestoreAuth2 = function(backup_role, restore_role) {
+
+ t = new ToolTest("dumprestore_auth2", {auth: ""});
+
+ coll = t.startDB("foo");
+ admindb = coll.getDB().getSiblingDB("admin")
+
+ // Create the relevant users and roles.
+ admindb.createUser({user: "root", pwd: "pass", roles: ["root"]});
+ admindb.auth("root", "pass");
+
+ admindb.createUser({user: "backup", pwd: "pass", roles: [backup_role]});
+ admindb.createUser({user: "restore", pwd: "pass", roles: [restore_role]});
+
+ admindb.createRole({role: "customRole",
+ privileges:[{resource: {db: "jstests_tool_dumprestore_auth2",
+ collection: "foo"},
+ actions: ["find"]}],
+ roles:[]});
+ admindb.createUser({user: "test", pwd: "pass", roles: ["customRole"]});
+
+ coll.insert({word: "tomato"});
+ assert.eq(1, coll.count());
+
+ assert.eq(4, admindb.system.users.count(), "setup users")
+ assert.eq(2, admindb.system.users.getIndexes().length,
+ "setup2: " + tojson( admindb.system.users.getIndexes() ) );
+ assert.eq(1, admindb.system.roles.count(), "setup3")
+ assert.eq(2, admindb.system.roles.getIndexes().length, "setup4")
+ assert.eq(1, admindb.system.version.count());
+ var versionDoc = admindb.system.version.findOne();
+
+ // Logout root user.
+ admindb.logout();
+
+ // Verify that the custom role works as expected.
+ admindb.auth("test", "pass");
+ assert.eq("tomato", coll.findOne().word);
+ admindb.logout();
+
+ // Dump the database.
+ t.runTool("dump", "--out", t.ext, "--username", "backup", "--password", "pass");
+
+ // Drop the relevant data in the database.
+ admindb.auth("root", "pass");
+ coll.getDB().dropDatabase();
+ admindb.dropUser("backup");
+ admindb.dropUser("test");
+ admindb.dropRole("customRole");
+
+ assert.eq(2, admindb.system.users.count(), "didn't drop backup and test users");
+ assert.eq(0, admindb.system.roles.count(), "didn't drop roles");
+ assert.eq(0, coll.count(), "didn't drop foo coll");
+
+ // This test depends on W=0 to mask unique index violations.
+ // This should be fixed once we implement TOOLS-341
+ t.runTool("restore",
+ "--dir", t.ext,
+ "--username", "restore",
+ "--password", "pass",
+ "--writeConcern", "0");
+
+ assert.soon("admindb.system.users.findOne()", "no data after restore");
+ assert.eq(4, admindb.system.users.count(), "didn't restore users");
+ assert.eq(2, admindb.system.users.getIndexes().length,
+ "didn't restore user indexes");
+ assert.eq(1, admindb.system.roles.find({role:'customRole'}).count(), "didn't restore roles");
+ assert.eq(2, admindb.system.roles.getIndexes().length,
+ "didn't restore role indexes");
+
+ admindb.logout();
+
+ // Login as user with customRole to verify privileges are restored.
+ admindb.auth("test", "pass");
+ assert.eq("tomato", coll.findOne().word);
+ admindb.logout();
+
+ admindb.auth("root", "pass");
+ admindb.createUser({user: "root2", pwd: "pass", roles: ["root"]});
+ admindb.dropRole("customRole");
+ admindb.createRole({role: "customRole2", roles: [], privileges:[]});
+ admindb.dropUser("root");
+ admindb.logout();
+
+ t.runTool("restore",
+ "--dir", t.ext,
+ "--username", "restore",
+ "--password", "pass",
+ "--drop",
+ "--writeConcern", "0");
+
+ admindb.auth("root", "pass");
+ assert.soon("1 == admindb.system.users.find({user:'root'}).count()", "didn't restore users 2");
+ assert.eq(0, admindb.system.users.find({user:'root2'}).count(), "didn't drop users");
+ assert.eq(0, admindb.system.roles.find({role:'customRole2'}).count(), "didn't drop roles");
+ assert.eq(1, admindb.system.roles.find({role:'customRole'}).count(), "didn't restore roles");
+ assert.eq(2, admindb.system.users.getIndexes().length,
+ "didn't maintain user indexes");
+ assert.eq(2, admindb.system.roles.getIndexes().length,
+ "didn't maintain role indexes");
+ assert.eq(1, admindb.system.version.count(), "didn't restore version");
+ assert.docEq(versionDoc, admindb.system.version.findOne(),
+ "version doc wasn't restored properly");
+ admindb.logout();
+
+ t.stop();
+
+}
+
+// Tests that the default auth roles of backup and restore work properly.
+dumpRestoreAuth2("backup", "restore");
+
+// Tests that root has backup and restore privileges too.
+dumpRestoreAuth2("root", "root");
\ No newline at end of file |
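Review bot: The wait after the first restore, `assert.soon("admindb.system.users.findOne()", "no data after restore")`, can neither wait nor fail: the drop step just above asserts that two users are still in `admindb.system.users`, so `findOne()` is already truthy before mongorestore has written anything. Because that restore runs with `--writeConcern 0`, the `assert.eq(4, ...)` that follows is the only check that the `restore_role` user (now also run as `root`) was actually allowed to write, and it may race with the unacknowledged inserts. Waiting on the expected state instead, `assert.soon(function() { return admindb.system.users.count() == 4; }, "didn't restore users");`, would close that gap. The function form would also let `t`, `coll` and `admindb` be declared with `var` now that the body runs twice; the string form appears to be evaluated outside the function, which is presumably why they are left as implicit globals.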