author | Sara Golemon <sara.golemon@mongodb.com> | 2018-10-10 19:46:46 +0000 |
---|---|---|
committer | Sara Golemon <sara.golemon@mongodb.com> | 2018-10-11 20:27:14 +0000 |
commit | 02455d9de270cf612329425301478262cb30af1f (patch) | |
tree | 27d3e7f45a4139e4547d1bb4cbf9f0f3bf322557 /jstests | |
parent | 480af6017647716bd2d087c6d772ef44db47c4cc (diff) | |
download | mongo-02455d9de270cf612329425301478262cb30af1f.tar.gz |
SERVER-37551 Add authorizedDatabases param to listDatabases command
Diffstat (limited to 'jstests')
-rw-r--r-- | jstests/auth/list_databases.js | 130 |
1 files changed, 86 insertions, 44 deletions
diff --git a/jstests/auth/list_databases.js b/jstests/auth/list_databases.js
index 830160ce332..6a32111852a 100644
--- a/jstests/auth/list_databases.js
+++ b/jstests/auth/list_databases.js
@@ -3,55 +3,97 @@ (function() { 'use strict'; - const mongod = MongoRunner.runMongod({auth: ""}); - const admin = mongod.getDB('admin'); + function runTest(mongod) { + const admin = mongod.getDB('admin'); + admin.createUser({user: 'admin', pwd: 'pass', roles: jsTest.adminUserRoles}); + assert(admin.auth('admin', 'pass')); - admin.createUser({user: 'admin', pwd: 'pass', roles: jsTest.adminUserRoles}); - assert(admin.auth('admin', 'pass')); + // Establish db0..db7 + for (let i = 0; i < 8; ++i) { + mongod.getDB('db' + i).foo.insert({bar: "baz"}); + } - // Establish db0..db7 - for (let i = 0; i < 8; ++i) { - mongod.getDB('db' + i).foo.insert({bar: "baz"}); - } + admin.createRole({ + role: 'dbLister', + privileges: [{resource: {cluster: true}, actions: ['listDatabases']}], + roles: [] + }); - // Make db0, db2, db4, db6 readable to user1 abd user3. - // Make db0, db1, db2, db3 read/writable to user 2 and user3. - function makeRole(perm, dbNum) { - return {role: perm, db: ("db" + dbNum)}; - } - const readEven = [0, 2, 4, 6].map(function(i) { - return makeRole("read", i); - }); - const readWriteLow = [0, 1, 2, 3].map(function(i) { - return makeRole("readWrite", i); - }); - admin.createUser({user: 'user1', pwd: 'pass', roles: readEven}); - admin.createUser({user: 'user2', pwd: 'pass', roles: readWriteLow}); - admin.createUser({user: 'user3', pwd: 'pass', roles: readEven.concat(readWriteLow)}); - admin.logout(); - - var admin_dbs = ["admin", "db0", "db1", "db2", "db3", "db4", "db5", "db6", "db7"]; - // mobile storage engine might not have a local database - if (jsTest.options().storageEngine !== "mobile") { - admin_dbs.push("local"); - } + // Make db0, db2, db4, db6 readable to user1 abd user3. + // Make db0, db1, db2, db3 read/writable to user 2 and user3. 
+ function makeRole(perm, dbNum) { + return {role: perm, db: ("db" + dbNum)}; + } + const readEven = [0, 2, 4, 6].map(function(i) { + return makeRole("read", i); + }); + const readWriteLow = [0, 1, 2, 3].map(function(i) { + return makeRole("readWrite", i); + }); + admin.createUser({user: 'user1', pwd: 'pass', roles: readEven}); + admin.createUser({user: 'user2', pwd: 'pass', roles: readWriteLow}); + admin.createUser({user: 'user3', pwd: 'pass', roles: readEven.concat(readWriteLow)}); - [{user: "user1", dbs: ["db0", "db2", "db4", "db6"]}, - {user: "user2", dbs: ["db0", "db1", "db2", "db3"]}, - {user: "user3", dbs: ["db0", "db1", "db2", "db3", "db4", "db6"]}, - {user: "admin", dbs: admin_dbs}, - ].forEach(function(test) { - admin.auth(test.user, 'pass'); - const dbs = assert.commandWorked(admin.runCommand({listDatabases: 1})); - assert.eq(dbs.databases - .map(function(db) { - return db.name; - }) - .sort(), - test.dbs, - test.user + " permissions"); + // Make db4 readable by user 4, and let them list all dbs. + // Make db5 readable by user 5, and let them list all dbs. 
+ admin.createUser({user: 'user4', pwd: 'pass', roles: [makeRole('read', 4), 'dbLister']}); + admin.createUser({user: 'user5', pwd: 'pass', roles: [makeRole('read', 5), 'dbLister']}); admin.logout(); - }); + const admin_dbs = ["admin", "db0", "db1", "db2", "db3", "db4", "db5", "db6", "db7"]; + + [{user: "user1", dbs: ["db0", "db2", "db4", "db6"]}, + {user: "user2", dbs: ["db0", "db1", "db2", "db3"]}, + {user: "user3", dbs: ["db0", "db1", "db2", "db3", "db4", "db6"]}, + {user: "user4", dbs: admin_dbs, authDbs: ["db4"]}, + {user: "user5", dbs: admin_dbs, authDbs: ["db5"]}, + {user: "admin", dbs: admin_dbs, authDbs: admin_dbs}, + ].forEach(function(test) { + function tryList(cmd, expect_dbs) { + const dbs = assert.commandWorked(admin.runCommand(cmd)); + assert.eq(dbs.databases + .map(function(db) { + return db.name; + }) + .filter(function(db) { + // Returning of local/config varies with sharding/mobile/etc.. + // Ignore these for simplicity. + return (db !== 'local') && (db !== 'config'); + }) + .sort(), + expect_dbs, + test.user + " permissions"); + } + + admin.auth(test.user, 'pass'); + tryList({listDatabases: 1}, test.dbs); + tryList({listDatabases: 1, authorizedDatabases: true}, test.authDbs || test.dbs); + + if (test.authDbs) { + tryList({listDatabases: 1, authorizedDatabases: false}, test.dbs); + } else { + // Users without listDatabases cliuster perm may not + // request authorizedDatabases: false. + assert.throws(tryList, [{listDatabases: 1, authorizedDatabases: false}, test.dbs]); + } + + admin.logout(); + }); + } + + const mongod = MongoRunner.runMongod({auth: ""}); + runTest(mongod); MongoRunner.stopMongod(mongod); + + if (jsTest.options().storageEngine !== "mobile") { + // TODO: Remove 'shardAsReplicaSet: false' when SERVER-32672 is fixed. + const st = new ShardingTest({ + shards: 1, + mongos: 1, + config: 1, + other: {keyFile: 'jstests/libs/key1', shardAsReplicaSet: false} + }); + runTest(st.s0); + st.stop(); + } })(); |
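Review bot: The negative case in the `else` branch, `assert.throws(tryList, [{listDatabases: 1, authorizedDatabases: false}, test.dbs])`, passes on any exception raised inside `tryList`, including the `assert.eq` mismatch, so it cannot tell a rejected command from one that succeeded and returned a different list. For user1..user3, a server that wrongly returned every database name would fail the comparison against `test.dbs`, throw, and the test would still pass, which is the disclosure this check exists to catch. Assert on the command result directly instead, `assert.commandFailed(admin.runCommand({listDatabases: 1, authorizedDatabases: false}));`, and pin the error code with `assert.commandFailedWithCode` if the server's code for this rejection is fixed. Separately, `admin.auth(test.user, 'pass')` inside the loop is not wrapped in `assert(...)` the way the admin login at the top of `runTest` is, so a failed login only surfaces indirectly.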