48 files changed, 152 insertions, 105 deletions
diff --git a/jstests/auth/adduser_helper.js b/jstests/auth/adduser_helper.js index e49417384bb..d28da430cf2 100644 --- a/jstests/auth/adduser_helper.js +++ b/jstests/auth/adduser_helper.js @@ -11,10 +11,32 @@ var admin = conn.getDB('admin'); db.dropDatabase(); admin.dropDatabase(); -// Can't use old-form of addUser helper to make v0 users -assert.throws(function() {db.addUser('spencer', 'password'); }); -// Can't create old-style entries with new addUser helper. -assert.throws(function() {db.addUser({user:'noroles', pwd:'password'});}); +// Test that the deprecated (username,password,readonly) form of addUser still works +db.addUser('dbReadWrite', 'x'); +var userObj = db.getUser('dbReadWrite'); +assert.eq(1, userObj.roles.length); +assert.eq("dbOwner", userObj.roles[0].role); +assert.eq(db.getName(), userObj.roles[0].db); + +db.addUser('dbReadOnly', 'x', true); +userObj = db.getUser('dbReadOnly'); +assert.eq(1, userObj.roles.length); +assert.eq("read", userObj.roles[0].role); +assert.eq(db.getName(), userObj.roles[0].db); + +admin.addUser('adminReadWrite', 'x'); +userObj = admin.getUser('adminReadWrite'); +assert.eq(1, userObj.roles.length); +assert.eq("root", userObj.roles[0].role); +assert.eq("admin", userObj.roles[0].db); + +admin.addUser('adminReadOnly', 'x', true); +userObj = admin.getUser('adminReadOnly'); +assert.eq(1, userObj.roles.length); +assert.eq("readAnyDatabase", userObj.roles[0].role); +assert.eq("admin", userObj.roles[0].db); + +admin.dropDatabase(); // Create valid V2 format user db.addUser({user:'andy', pwd:'password', roles:['read']}); 
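Review bot: The added asserts pin `dbOwner` (and `root` on the admin database) as the result of calling `addUser` with only a username and password, but the leading comment says only that the deprecated form "still works". A reader of the test cannot tell that this privileged default is legacy behaviour kept for compatibility rather than a contract to preserve. I would extend the comment to `// Deprecated (username, password, readOnly) form: without readOnly it grants dbOwner (root on admin); asserted here for backward compatibility only.` The block also never authenticates as the new users, so it checks the role documents but not that the credentials were stored in usable form.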
@@ -40,11 +62,3 @@ userObj = admin.system.users.findOne({user:'spencer', db:'$external'}); assert.eq('spencer', userObj['user']); assert.eq('$external', userObj['db']); assert(!userObj['credentials']); - - -// Create valid V2 format user using new helper format -db.addUser('bob', 'password', ['read']); -assert.eq(3, admin.system.users.count()); -userObj = admin.system.users.findOne({user:'bob'}); -assert.eq('bob', userObj['user']); -assert.eq(passwordHash('bob', 'password'), userObj['credentials']['MONGODB-CR']); diff --git a/jstests/auth/auth1.js b/jstests/auth/auth1.js index 672c0dc7a36..27d89eca3f0 100644 --- a/jstests/auth/auth1.js +++ b/jstests/auth/auth1.js @@ -18,10 +18,10 @@ tRO = dbRO[ baseName ]; db.dropAllUsers(); -db.getSisterDB( "admin" ).addUser( "super", "super", ["__system"] ); +db.getSisterDB( "admin" ).addUser({user: "super", pwd: "super", roles: ["__system"] }); db.getSisterDB("admin").auth("super", "super"); -db.addUser( "eliot" , "eliot", jsTest.basicUserRoles ); -db.addUser( "guest" , "guest", jsTest.readOnlyUserRoles ); +db.addUser({user: "eliot" , pwd: "eliot", roles: jsTest.basicUserRoles }); +db.addUser({user: "guest" , pwd: "guest", roles: jsTest.readOnlyUserRoles}); db.getSisterDB("admin").logout(); assert.throws( function() { t.findOne() }, [], "read without login" ); diff --git a/jstests/auth/auth2.js b/jstests/auth/auth2.js index 0c938f26872..f63390edf84 100644 --- a/jstests/auth/auth2.js +++ b/jstests/auth/auth2.js @@ -12,7 +12,7 @@ t.drop(); users = db.getCollection( "system.users" ); assert.eq( 0 , users.count() ); -db.addUser( "eliot" , "eliot", jsTest.adminUserRoles ); +db.addUser({user: "eliot" , pwd: "eliot", roles: jsTest.adminUserRoles}); assert.throws( function(){ db.users.count(); } ) diff --git a/jstests/auth/auth3.js b/jstests/auth/auth3.js index 36bd9e342f9..b4ac14593a7 100644 --- a/jstests/auth/auth3.js +++ b/jstests/auth/auth3.js 
@@ -2,7 +2,7 @@ var conn = MongoRunner.runMongod({auth : "", port : 31001}); var admin = conn.getDB("admin"); -admin.addUser("foo","bar", jsTest.adminUserRoles); +admin.addUser({user:"foo",pwd: "bar", roles: jsTest.adminUserRoles}); print("make sure curop, killop, and unlock fail"); diff --git a/jstests/auth/auth_helpers.js b/jstests/auth/auth_helpers.js index 371f09e4732..f36b8c12c1e 100644 --- a/jstests/auth/auth_helpers.js +++ b/jstests/auth/auth_helpers.js @@ -27,7 +27,7 @@ var admin = conn.getDB('admin'); var testedSomething = false; -admin.addUser('andy', 'a', jsTest.adminUserRoles); +admin.addUser({user:'andy', pwd: 'a', roles: jsTest.adminUserRoles}); // If the server supports them MONGODB-CR, try all the ways to call db.auth that use MONGODB-CR. if (hasMongoCR) { diff --git a/jstests/auth/basic_role_auth.js b/jstests/auth/basic_role_auth.js index 6f7189185ba..747ecba9eae 100644 --- a/jstests/auth/basic_role_auth.js +++ b/jstests/auth/basic_role_auth.js @@ -193,7 +193,7 @@ var testOps = function(db, allowedActions) { }); checkErr(allowedActions.hasOwnProperty('user_w'), function() { - db.addUser('a', 'a', jsTest.basicUserRoles); + db.addUser({user:'a', pwd: 'a', roles: jsTest.basicUserRoles}); db.dropUser('a'); }, db); @@ -487,7 +487,7 @@ var runTests = function(conn) { } adminDB.addUser({ user: 'root', pwd: AUTH_INFO.admin.root.pwd, - roles: AUTH_INFO.admin.root.roles }); + roles: AUTH_INFO.admin.root.roles }); adminDB.auth('root', AUTH_INFO.admin.root.pwd); for (var dbName in AUTH_INFO) { diff --git a/jstests/auth/db_multiple_login.js b/jstests/auth/db_multiple_login.js index bcb284d6848..8f72499a051 100644 --- a/jstests/auth/db_multiple_login.js +++ b/jstests/auth/db_multiple_login.js 
@@ -33,7 +33,7 @@ var conn = MongoRunner.runMongod({ auth: "", smallfiles: "" }); var admin = conn.getDB("admin"); var test = conn.getDB("test"); -admin.addUser('admin', 'a', jsTest.adminUserRoles); +admin.addUser({user:'admin', pwd: 'a', roles: jsTest.adminUserRoles}); assert(admin.auth('admin', 'a')); test.addUser({user: 'reader', pwd: 'a', roles: [ "read" ]}); test.addUser({user: 'writer', pwd: 'a', roles: [ "readWrite" ]}); diff --git a/jstests/auth/js_scope_leak.js b/jstests/auth/js_scope_leak.js index d3c72ca5e4e..59f384b44fd 100644 --- a/jstests/auth/js_scope_leak.js +++ b/jstests/auth/js_scope_leak.js @@ -14,8 +14,8 @@ var test = conn.getDB("test"); test.foo.insert({a:1}); test.getLastError(); assert.eq(1, test.foo.findOne().a); -test.addUser('a', 'a', jsTest.basicUserRoles); -test.addUser('b', 'b', jsTest.basicUserRoles); +test.addUser({user:'a', pwd: 'a', roles: jsTest.basicUserRoles}); +test.addUser({user:'b', pwd: 'b', roles: jsTest.basicUserRoles}); function missingOrEquals(string) { return 'function() { ' diff --git a/jstests/auth/localhostAuthBypass.js b/jstests/auth/localhostAuthBypass.js index c1b62e67c66..f5abf7b8398 100644 --- a/jstests/auth/localhostAuthBypass.js +++ b/jstests/auth/localhostAuthBypass.js @@ -12,7 +12,7 @@ var host = "localhost:" + port; var addUser = function(mongo) { print("============ adding a user."); - mongo.getDB("admin").addUser(username, password, jsTest.adminUserRoles); + mongo.getDB("admin").addUser({user:username,pwd: password, roles: jsTest.adminUserRoles}); }; var assertCannotRunCommands = function(mongo) { diff --git a/jstests/auth/log_user_basic.js b/jstests/auth/log_user_basic.js index 97945245694..ff088b53125 100644 --- a/jstests/auth/log_user_basic.js +++ b/jstests/auth/log_user_basic.js 
@@ -77,7 +77,7 @@ var doTest = function(conn1, conn2) { var loginUser = function(connInfo, connAuth) { var db = connInfo.mongo.getDB(connAuth.db); - db.addUser(connAuth.user, connAuth.pwd); + db.addUser({user: connAuth.user, pwd: connAuth.pwd, roles: jsTest.adminUserRoles}); db.auth(connAuth.user, connAuth.pwd); connInfo.users[connAuth.db] = connAuth.user; }; diff --git a/jstests/auth/log_userid_off.js b/jstests/auth/log_userid_off.js index 77b580a24f2..a42213fd97e 100644 --- a/jstests/auth/log_userid_off.js +++ b/jstests/auth/log_userid_off.js @@ -8,7 +8,7 @@ var doTest = function (mongo, callSetParam) { var TEST_PWD = 'bar'; var testDB = mongo.getDB('test'); - testDB.addUser(TEST_USER, TEST_PWD, jsTest.basicUserRoles); + testDB.addUser({user: TEST_USER, pwd: TEST_PWD, roles: jsTest.basicUserRoles}); testDB.auth(TEST_USER, TEST_PWD); testDB.runCommand({ dbStats: 1 }); diff --git a/jstests/auth/mr_auth.js b/jstests/auth/mr_auth.js index 2be29360025..89d08229b7d 100644 --- a/jstests/auth/mr_auth.js +++ b/jstests/auth/mr_auth.js @@ -21,10 +21,10 @@ for( var i = 0; i < 1000; i++) t.insert( {_id:i, x:i%10, y:i%100} ); assert.eq( 1000, t.count(), "inserts failed" ); d.dropAllUsers(); -d.getSisterDB( "admin" ).addUser( "admin", "admin", jsTest.adminUserRoles ); +d.getSisterDB( "admin" ).addUser({user: "admin", pwd: "admin", roles: jsTest.adminUserRoles }); d.getSisterDB( "admin" ).auth('admin', 'admin'); -d.addUser( "write" , "write", jsTest.basicUserRoles ); -d.addUser( "read" , "read", jsTest.readOnlyUserRoles ); +d.addUser({user: "write" , pwd: "write", roles: jsTest.basicUserRoles}); +d.addUser({user: "read" , pwd: "read", roles: jsTest.readOnlyUserRoles}); d.getSisterDB( "admin" ).logout(); t.mapReduce( map, red, {out: { inline: 1 }} ) diff --git a/jstests/auth/profile.js b/jstests/auth/profile.js index 5ca9f19cb65..9b828c24470 100644 --- a/jstests/auth/profile.js +++ b/jstests/auth/profile.js 
@@ -3,8 +3,8 @@ var conn = startMongodTest(); var db1 = conn.getDB("profile-a"); var db2 = db1.getSisterDB("profile-b"); var username = "user"; -db1.addUser(username, "password", jsTest.basicUserRoles); -db2.addUser(username, "password", jsTest.basicUserRoles); +db1.addUser({user:username, pwd: "password", roles: jsTest.basicUserRoles}); +db2.addUser({user:username, pwd: "password", roles: jsTest.basicUserRoles}); function lastOp(db) { diff --git a/jstests/auth/readIndex.js b/jstests/auth/readIndex.js index 39ef54b31f8..379d82e8ae8 100644 --- a/jstests/auth/readIndex.js +++ b/jstests/auth/readIndex.js @@ -7,8 +7,8 @@ var testDB = conn.getDB("testdb"); testDB.foo.insert({a:1}); testDB.addUser({user:'dbAdmin', - pwd:'password', - roles:['dbAdmin']}); + pwd:'password', + roles:['dbAdmin']}); testDB.auth('dbAdmin', 'password'); testDB.foo.ensureIndex({a:1}); diff --git a/jstests/auth/rename.js b/jstests/auth/rename.js index bffda60383b..99d6a7bd8a3 100644 --- a/jstests/auth/rename.js +++ b/jstests/auth/rename.js @@ -10,11 +10,11 @@ db2 = m.getDB( baseName + '_other' ) admin = m.getDB( 'admin' ) // Setup initial data -admin.addUser('admin', 'password', jsTest.adminUserRoles); +admin.addUser({user:'admin', pwd: 'password', roles: jsTest.adminUserRoles}); admin.auth('admin', 'password') -db1.addUser( "foo", "bar", jsTest.basicUserRoles ); -db2.addUser( "bar", "foo", jsTest.basicUserRoles ); +db1.addUser({user: "foo", pwd: "bar", roles: jsTest.basicUserRoles}); +db2.addUser({user: "bar", pwd: "foo", roles: jsTest.basicUserRoles}); printjson(db1.a.count()); db1.a.save({}); diff --git a/jstests/auth/server-4892.js b/jstests/auth/server-4892.js index 6bf745eedd8..ba8236d3d80 100644 --- a/jstests/auth/server-4892.js +++ b/jstests/auth/server-4892.js 
@@ -49,9 +49,9 @@ with_mongod( ['--noauth'], function setupTest( mongod ) { conn = new Mongo( mongod.host ); admin = conn.getDB( 'admin' ); somedb = conn.getDB( 'somedb' ); - admin.addUser( 'admin', 'admin', jsTest.adminUserRoles ); + admin.addUser({user: 'admin', pwd: 'admin', roles: jsTest.adminUserRoles}); admin.auth('admin', 'admin'); - somedb.addUser( 'frim', 'fram', jsTest.basicUserRoles ); + somedb.addUser({user: 'frim', pwd: 'fram', roles: jsTest.basicUserRoles}); somedb.data.drop(); for (var i = 0; i < 10; ++i) { somedb.data.insert( { val: i } ); diff --git a/jstests/auth/show_log_auth.js b/jstests/auth/show_log_auth.js index 57ed37abc5e..35847b30489 100644 --- a/jstests/auth/show_log_auth.js +++ b/jstests/auth/show_log_auth.js @@ -6,7 +6,7 @@ var baseName = "jstests_show_log_auth"; var m = startMongod( "--auth", "--port", port, "--dbpath", "/data/db/" + baseName, "--nohttpinterface", "--bind_ip", "127.0.0.1" , "--nojournal" , "--smallfiles" ); var db = m.getDB( "admin" ); -db.addUser( "admin" , "pass", jsTest.adminUserRoles ); +db.addUser({user: "admin" , pwd: "pass", roles: jsTest.adminUserRoles}); // Temporarily capture this shell's print() output var oldprint = print, printed = []; diff --git a/jstests/auth/system_user_privileges.js b/jstests/auth/system_user_privileges.js index 61e363a2480..d77952e446b 100644 --- a/jstests/auth/system_user_privileges.js +++ b/jstests/auth/system_user_privileges.js @@ -35,7 +35,7 @@ // // Preliminary set up. // - admin.addUser('admin', 'a', jsTest.adminUserRoles); + admin.addUser({user:'admin', pwd: 'a', roles: jsTest.adminUserRoles}); admin.auth('admin', 'a'); // diff --git a/jstests/auth1.js b/jstests/auth1.js index a5724ffba7f..8a8e036c79e 100644 --- a/jstests/auth1.js +++ b/jstests/auth1.js 
@@ -3,7 +3,7 @@ db.dropAllUsers(); pass = "a" + Math.random(); //print( "password [" + pass + "]" ); -db.addUser( "eliot" , pass, jsTest.basicUserRoles, 1 ); +db.addUser({user: "eliot" ,pwd: pass, roles: jsTest.basicUserRoles}); assert( db.auth( "eliot" , pass ) , "auth failed" ); assert( ! db.auth( "eliot" , pass + "a" ) , "auth should have failed" ); @@ -22,14 +22,14 @@ assert( ! db.auth( "eliot" , pass2 ) , "didn't drop user" ); var a = db.getMongo().getDB( "admin" ); a.dropAllUsers(); pass = "c" + Math.random(); -a.addUser( "super", pass, jsTest.adminUserRoles, 1 ); +a.addUser({user: "super", pwd: pass, roles: jsTest.adminUserRoles}); assert( a.auth( "super" , pass ) , "auth failed" ); assert( !a.auth( "super" , pass + "a" ) , "auth should have failed" ); db.dropAllUsers(); pass = "a" + Math.random(); -db.addUser( "eliot" , pass, jsTest.basicUserRoles, 1 ); +db.addUser({user: "eliot" , pwd: pass, roles: jsTest.basicUserRoles}); assert.commandFailed( db.runCommand( { authenticate: 1, user: "eliot", nonce: "foo", key: "bar" } ) ); @@ -38,10 +38,10 @@ assert.commandFailed( db.runCommand( { authenticate: 1, user: "eliot", nonce: "f before = a.system.users.count() assert.throws( function(){ - db.addUser( "" , "abc", jsTest.basicUserRoles, 1 ) + db.addUser({ user: "" , pwd: "abc", roles: jsTest.basicUserRoles}); } , null , "C1" ) assert.throws( function(){ - db.addUser( "abc" , "", jsTest.basicUserRoles, 1 ) + db.addUser({ user: "abc" , pwd: "", roles: jsTest.basicUserRoles}); } , null , "C2" ) diff --git a/jstests/auth_copydb2.js b/jstests/auth_copydb2.js index 68bf44ce3bf..0503ad2f0d5 100644 --- a/jstests/auth_copydb2.js +++ b/jstests/auth_copydb2.js @@ -8,7 +8,7 @@ b.dropAllUsers(); a.foo.save( { a : 1 } ); -a.addUser( "chevy" , "chase", jsTest.basicUserRoles, 1 ); +a.addUser({user: "chevy" , pwd: "chase", roles: jsTest.basicUserRoles}); assert.eq( 1 , a.foo.count() , "A" ); assert.eq( 0 , b.foo.count() , "B" ); 
diff --git a/jstests/connection_status.js b/jstests/connection_status.js index 0c89840967d..7485d9be963 100644 --- a/jstests/connection_status.js +++ b/jstests/connection_status.js @@ -5,7 +5,7 @@ var myDB = db.getSiblingDB(dbName); myDB.dropAllUsers(); function test(userName) { - myDB.addUser(userName, "weak password", jsTest.basicUserRoles); + myDB.addUser({user: userName, pwd: "weak password", roles: jsTest.basicUserRoles}); myDB.auth(userName, "weak password"); var output = myDB.runCommand("connectionStatus"); diff --git a/jstests/evalb.js b/jstests/evalb.js index 0ce29b2997c..4d655785397 100644 --- a/jstests/evalb.js +++ b/jstests/evalb.js @@ -16,7 +16,7 @@ function lastOp() { try { username = 'jstests_evalb_user'; - db.addUser( username, 'password', jsTest.basicUserRoles, 1 ); + db.addUser({user: username, pwd: 'password', roles: jsTest.basicUserRoles}); db.auth( username, 'password' ); t = db.evalb; diff --git a/jstests/profile1.js b/jstests/profile1.js index cdc08db5a5d..cc36cbb74dd 100644 --- a/jstests/profile1.js +++ b/jstests/profile1.js @@ -18,7 +18,7 @@ db.dropDatabase(); try { username = "jstests_profile1_user"; - db.addUser( username, "password", jsTest.basicUserRoles, 1 ); + db.addUser({user: username, pwd: "password", roles: jsTest.basicUserRoles}); db.auth( username, "password" ); function profileCursor( query ) { diff --git a/jstests/profile3.js b/jstests/profile3.js index 6c9d7dd182b..538bb2ece5d 100644 --- a/jstests/profile3.js +++ b/jstests/profile3.js @@ -16,7 +16,7 @@ profileCursor = function( query ) { try { username = "jstests_profile3_user"; - db.addUser( username, "password", jsTest.basicUserRoles, 1 ); + db.addUser({user: username, pwd: "password", roles: jsTest.basicUserRoles}); db.auth( username, "password" ); db.setProfilingLevel(0); diff --git a/jstests/profile4.js b/jstests/profile4.js index bc680dfaded..9294b26ab33 100644 --- a/jstests/profile4.js +++ b/jstests/profile4.js 
@@ -31,7 +31,7 @@ function checkLastOp( spec ) { try { username = "jstests_profile4_user"; - db.addUser( username, "password", jsTest.basicUserRoles, 1 ); + db.addUser({user: username, pwd: "password", roles: jsTest.basicUserRoles}); db.auth( username, "password" ); db.setProfilingLevel(0); diff --git a/jstests/repl/repl_auth.js b/jstests/repl/repl_auth.js index 56658e5ccfb..28b7ab89da3 100644 --- a/jstests/repl/repl_auth.js +++ b/jstests/repl/repl_auth.js @@ -4,7 +4,7 @@ var baseName = "jstests_repl11test"; var keyFilePath = "jstests/libs/key1"; setAdmin = function( n ) { - n.getDB( "admin" ).addUser( "super", "super", jsTest.adminUserRoles, 3 ); + n.getDB( "admin" ).addUser({user: "super", pwd: "super", roles: jsTest.adminUserRoles}, 3 ); } auth = function( n ) { @@ -16,7 +16,7 @@ doTest = function(signal, extraOpts) { rt = new ReplTest( baseName ); m = rt.start( true, {}, false, true ); - m.getDB( baseName ).addUser( "test", "test", jsTest.basicUserRoles, 3 ); + m.getDB( baseName ).addUser({user: "test", pwd: "test", roles: jsTest.basicUserRoles}, 3 ); setAdmin( m ); rt.stop( true ); diff --git a/jstests/replsets/auth1.js b/jstests/replsets/auth1.js index 84035b890d9..03d156031e1 100644 --- a/jstests/replsets/auth1.js +++ b/jstests/replsets/auth1.js @@ -36,8 +36,8 @@ run("chmod", "600", path+"key2"); print("add a user to server0: foo"); m = startMongodTest( port[0], name+"-0", 0 ); -m.getDB("admin").addUser("foo", "bar", jsTest.adminUserRoles); -m.getDB("test").addUser("bar", "baz", jsTest.basicUserRoles); +m.getDB("admin").addUser({user: "foo", pwd: "bar", roles: jsTest.adminUserRoles}); +m.getDB("test").addUser({user: "bar", pwd: "baz", roles: jsTest.basicUserRoles}); print("make sure user is written before shutting down"); m.getDB("test").getLastError(); stopMongod(port[0]); diff --git a/jstests/replsets/auth2.js b/jstests/replsets/auth2.js index eb74b883c30..7adb93a203e 100644 --- a/jstests/replsets/auth2.js +++ b/jstests/replsets/auth2.js 
@@ -84,7 +84,7 @@ var rs = setupReplSet(); var master = rs.getMaster(); print("add an admin user"); -master.getDB("admin").addUser("foo","bar",jsTest.adminUserRoles,3); +master.getDB("admin").addUser({user: "foo", pwd: "bar", roles: jsTest.adminUserRoles},3); m = rs.nodes[0]; print("starting 1 and 2 with key file"); diff --git a/jstests/replsets/auth3.js b/jstests/replsets/auth3.js index 624f87b4e2e..d9bd0e50275 100644 --- a/jstests/replsets/auth3.js +++ b/jstests/replsets/auth3.js @@ -7,7 +7,7 @@ rs.initiate(); master = rs.getMaster(); print("adding user"); -master.getDB("admin").addUser("foo", "bar", jsTest.adminUserRoles, 2); +master.getDB("admin").addUser({user: "foo", pwd: "bar", roles: jsTest.adminUserRoles}, 2); var checkValidState = function(i) { assert.soon(function() { diff --git a/jstests/replsets/localhostAuthBypass.js b/jstests/replsets/localhostAuthBypass.js index eef40c4a774..e171b944afc 100644 --- a/jstests/replsets/localhostAuthBypass.js +++ b/jstests/replsets/localhostAuthBypass.js @@ -11,7 +11,7 @@ var password = "bar"; var addUser = function(mongo) { print("============ adding a user."); - mongo.getDB("admin").addUser(username, password, jsTest.adminUserRoles); + mongo.getDB("admin").addUser({user: username, pwd: password, roles: jsTest.adminUserRoles}); }; var assertCannotRunCommands = function(mongo) { diff --git a/jstests/sharding/auth.js b/jstests/sharding/auth.js index 5b1e559a8c4..89d7671eea2 100644 --- a/jstests/sharding/auth.js +++ b/jstests/sharding/auth.js @@ -52,7 +52,7 @@ if (user) { } else { print("adding user"); - s.getDB(adminUser.db).addUser(adminUser.username, adminUser.password, jsTest.adminUserRoles); + s.getDB(adminUser.db).addUser({user: adminUser.username, pwd: adminUser.password, roles: jsTest.adminUserRoles}); } login(adminUser); 
@@ -112,7 +112,7 @@ s.getDB("admin").runCommand({shardCollection : "test.foo", key : {x : 1}}); d1.waitForState( d1.getSecondaries(), d1.SECONDARY, 5 * 60 * 1000 ) -s.getDB(testUser.db).addUser(testUser.username, testUser.password , jsTest.basicUserRoles, 3 ) +s.getDB(testUser.db).addUser({user: testUser.username, pwd: testUser.password , roles: jsTest.basicUserRoles}, 3 ) s.getDB(testUserReadOnly.db).addUser(testUserReadOnly.username, testUserReadOnly.password, jsTest.readOnlyUserRoles, diff --git a/jstests/sharding/auth2.js b/jstests/sharding/auth2.js index ecefcf4d6b3..480f5133499 100644 --- a/jstests/sharding/auth2.js +++ b/jstests/sharding/auth2.js @@ -8,7 +8,7 @@ var mongos = st.s; var adminDB = mongos.getDB('admin'); var db = mongos.getDB('test') -adminDB.addUser('admin', 'password', jsTest.adminUserRoles); +adminDB.addUser({user: 'admin', pwd: 'password', roles: jsTest.adminUserRoles}); jsTestLog( "Add user was successful" ); diff --git a/jstests/sharding/authCommands.js b/jstests/sharding/authCommands.js index 46153011c30..a8fec8de846 100644 --- a/jstests/sharding/authCommands.js +++ b/jstests/sharding/authCommands.js 
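Review bot: In jstests/sharding/auth.js the `testUserReadOnly` call on the context lines directly after the converted `testUser` call still uses the positional form, with `jsTest.readOnlyUserRoles` in the third slot. Elsewhere in this commit that slot is the `readOnly` boolean of the deprecated signature. Whether an array there is honoured as a role list or only treated as a truthy flag is not visible from this hunk, so the read-only user's roles may come from the deprecated default rather than from the test. Passing `{user: testUserReadOnly.username, pwd: testUserReadOnly.password, roles: jsTest.readOnlyUserRoles}` as the first argument, as done for `testUser`, would keep the role explicit. The call's remaining arguments lie outside the hunk.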
@@ -24,19 +24,19 @@ var rwUser = 'rwUser'; var roUser = 'roUser'; var password = 'password'; -adminDB.addUser( rwUser, password, false, st.rs0.numNodes ); +adminDB.addUser({user: rwUser, pwd: password, roles: jsTest.basicUserRoles}, st.rs0.numNodes ); assert( adminDB.auth( rwUser, password ) ); adminDB.addUser( roUser, password, true ); -testDB.addUser( rwUser, password, false, st.rs0.numNodes ); -testDB.addUser( roUser, password, true, st.rs0.numNodes ); +testDB.addUser({user: rwUser, pwd: password, roles: jsTest.basicUserRoles}, st.rs0.numNodes ); +testDB.addUser({user: roUser, pwd: password, roles: jsTest.basicUserRoles}, st.rs0.numNodes ); authenticatedConn = new Mongo( mongos.host ); authenticatedConn.getDB( 'admin' ).auth( rwUser, password ); // Add user to shards to prevent localhost connections from having automatic full access -st.rs0.getPrimary().getDB( 'admin' ).addUser( 'user', 'password', false, 3 ); -st.rs1.getPrimary().getDB( 'admin' ).addUser( 'user', 'password', false, 3 ); +st.rs0.getPrimary().getDB( 'admin' ).addUser({user: 'user', pwd: 'password', roles: jsTest.basicUserRoles}, 3 ); +st.rs1.getPrimary().getDB( 'admin' ).addUser({user: 'user', pwd: 'password', roles: jsTest.basicUserRoles}, 3 ); diff --git a/jstests/sharding/authConnectionHook.js b/jstests/sharding/authConnectionHook.js index 6c1f2d3f08e..e5b7c7c9bd7 100644 --- a/jstests/sharding/authConnectionHook.js +++ b/jstests/sharding/authConnectionHook.js @@ -7,7 +7,7 @@ var mongos = st.s; var adminDB = mongos.getDB('admin'); var db = mongos.getDB('test') -adminDB.addUser('admin', 'password', jsTest.adminUserRoles); +adminDB.addUser({user: 'admin', pwd: 'password', roles: jsTest.adminUserRoles}); adminDB.auth('admin', 'password'); diff --git a/jstests/sharding/auth_add_shard.js b/jstests/sharding/auth_add_shard.js index de518b1ab7d..ce770e65f10 100644 --- a/jstests/sharding/auth_add_shard.js +++ b/jstests/sharding/auth_add_shard.js 
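Review bot: In jstests/sharding/authCommands.js the converted `testDB.addUser` call for `roUser` passes `roles: jsTest.basicUserRoles`, although the line it replaces created that user with `readOnly` set to `true`. If `basicUserRoles` includes write access, as its use for read-write users elsewhere in this commit suggests, the read-only user is no longer read-only, and any later check that `roUser` is denied writes would stop testing that restriction. The line should read `testDB.addUser({user: roUser, pwd: password, roles: jsTest.readOnlyUserRoles}, st.rs0.numNodes );`. The `rwUser` on `adminDB` and the shard-local `'user'` accounts also move from the old admin default to `jsTest.basicUserRoles`. Whether the rest of the test needs admin-level privileges for them is outside this hunk and worth confirming.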
@@ -33,7 +33,7 @@ if (user) { } else { print("adding user"); - mongos.getDB(adminUser.db).addUser(adminUser.username, adminUser.password, jsTest.adminUserRoles); + mongos.getDB(adminUser.db).addUser({user: adminUser.username, pwd: adminUser.password, roles: jsTest.adminUserRoles}); } //login as admin user diff --git a/jstests/sharding/auth_copydb.js b/jstests/sharding/auth_copydb.js index b5bcb9641e3..23fea03bdec 100644 --- a/jstests/sharding/auth_copydb.js +++ b/jstests/sharding/auth_copydb.js @@ -14,7 +14,7 @@ var sourceTestDB = sourceMongodConn.getDB('test'); sourceTestDB.foo.insert({a:1}); -destAdminDB.addUser('admin', 'password'); // Turns on access control enforcement +destAdminDB.addUser({user: 'admin', pwd: 'password', roles: jsTest.adminUserRoles}); // Turns on access control enforcement jsTestLog("Running copydb that should fail"); var res = destAdminDB.runCommand({copydb:1, diff --git a/jstests/sharding/auth_repl.js b/jstests/sharding/auth_repl.js index 871ca699bba..6aa126b3c23 100644 --- a/jstests/sharding/auth_repl.js +++ b/jstests/sharding/auth_repl.js @@ -26,11 +26,11 @@ assert(doc != null); // Add admin user using direct connection to primary to simulate connection from remote host var adminDB = primary.getDB('admin'); -adminDB.addUser('user', 'user', jsTest.adminUserRoles, nodeCount); +adminDB.addUser({user: 'user', pwd: 'user', roles: jsTest.adminUserRoles}, nodeCount); adminDB.auth('user', 'user'); var priTestDB = primary.getDB('test'); -priTestDB.addUser('a', 'a', jsTest.basicUserRoles, nodeCount); +priTestDB.addUser({user: 'a', pwd: 'a', roles: jsTest.basicUserRoles}, nodeCount); // Authenticate the replSet connection assert.eq(1, testDB.auth('a', 'a')); diff --git a/jstests/sharding/auth_slaveok_routing.js b/jstests/sharding/auth_slaveok_routing.js index cd1a0026487..1c599f208ca 100644 --- a/jstests/sharding/auth_slaveok_routing.js +++ b/jstests/sharding/auth_slaveok_routing.js 
@@ -38,10 +38,10 @@ var nodeCount = replTest.nodes.length; * is no admin user. */ var adminDB = mongos.getDB( 'admin' ) -adminDB.addUser('user', 'password', jsTest.adminUserRoles); +adminDB.addUser({user: 'user', pwd: 'password', roles: jsTest.adminUserRoles}); adminDB.auth( 'user', 'password' ); var priAdminDB = replTest.getPrimary().getDB( 'admin' ); -priAdminDB.addUser( 'user', 'password', jsTest.adminUserRoles, 3 ); +priAdminDB.addUser({user: 'user', pwd: 'password', roles: jsTest.adminUserRoles}, 3); coll.drop(); coll.setSlaveOk( true ); diff --git a/jstests/sharding/localhostAuthBypass.js b/jstests/sharding/localhostAuthBypass.js index 2cff2745f5c..c53442ebf25 100644 --- a/jstests/sharding/localhostAuthBypass.js +++ b/jstests/sharding/localhostAuthBypass.js @@ -12,14 +12,14 @@ var password = "bar"; var addUser = function(mongo) { print("============ adding a user."); - mongo.getDB("admin").addUser(username, password, jsTest.adminUserRoles); + mongo.getDB("admin").addUser({user: username, pwd: password, roles: jsTest.adminUserRoles}); }; var addUsersToEachShard = function(st) { for(i = 0; i < numShards; i++) { print("============ adding a user to shard " + i); var d = st["shard" + i]; - d.getDB("admin").addUser(username, password, jsTest.adminUserRoles); + d.getDB("admin").addUser({user: username, pwd: password, roles: jsTest.adminUserRoles}); } }; diff --git a/jstests/sharding/mrShardedOutputAuth.js b/jstests/sharding/mrShardedOutputAuth.js index d4fc72a280f..590b4270aec 100644 --- a/jstests/sharding/mrShardedOutputAuth.js +++ b/jstests/sharding/mrShardedOutputAuth.js 
@@ -53,7 +53,7 @@ var st = new ShardingTest( testName = "mrShardedOutputAuth", // setup the users to the input, output and admin databases var mongos = st.s; var adminDb = mongos.getDB("admin"); -adminDb.addUser("user", "pass", jsTest.adminUserRoles); +adminDb.addUser({user: "user", pwd: "pass", roles: jsTest.adminUserRoles}); var authenticatedConn = new Mongo(mongos.host); authenticatedConn.getDB('admin').auth("user", "pass"); @@ -62,10 +62,10 @@ adminDb = authenticatedConn.getDB("admin"); var configDb = authenticatedConn.getDB("config"); var inputDb = authenticatedConn.getDB("input") -inputDb.addUser("user", "pass", jsTest.basicUserRoles, 1); +inputDb.addUser({user: "user", pwd: "pass", roles: jsTest.basicUserRoles}); var outputDb = authenticatedConn.getDB("output"); -outputDb.addUser("user", "pass", jsTest.basicUserRoles); +outputDb.addUser({user: "user", pwd: "pass", roles: jsTest.basicUserRoles}); // setup the input db inputDb.numbers.drop(); diff --git a/jstests/slowNightly/server7428.js b/jstests/slowNightly/server7428.js index 3ce4b6eb960..1b28e3fc620 100644 --- a/jstests/slowNightly/server7428.js +++ b/jstests/slowNightly/server7428.js @@ -9,7 +9,7 @@ var fromDb = MongoRunner.runMongod({ port: 29000 }); // Setup toDb with auth var toDb = MongoRunner.runMongod({auth : "", port : 31001}); var admin = toDb.getDB("admin"); -admin.addUser("foo","bar", jsTest.adminUserRoles); +admin.addUser({user: "foo", pwd: "bar", roles: jsTest.adminUserRoles}); admin.auth("foo","bar"); admin.copyDatabase('test', 'test', fromDb.host) diff --git a/jstests/tool/dumpauth.js b/jstests/tool/dumpauth.js index 67c7b2eccc2..dfb9f8fcc90 100644 --- a/jstests/tool/dumpauth.js +++ b/jstests/tool/dumpauth.js 
@@ -13,7 +13,7 @@ for(var i = 0; i < 100; i++) { t["testcol"].save({ "x": i }); } -db.addUser( "testuser" , "testuser", jsTest.adminUserRoles ); +db.addUser({user: "testuser" , pwd: "testuser", roles: jsTest.adminUserRoles}); assert( db.auth( "testuser" , "testuser" ) , "auth failed" ); diff --git a/jstests/tool/dumprestore5.js b/jstests/tool/dumprestore5.js index c5f769154a4..e6c44331aad 100644 --- a/jstests/tool/dumprestore5.js +++ b/jstests/tool/dumprestore5.js @@ -6,7 +6,7 @@ t.startDB( "foo" ); db = t.db.getSiblingDB("admin") -db.addUser('user','password', jsTest.basicUserRoles) +db.addUser({user: 'user',pwd: 'password', roles: jsTest.basicUserRoles}); assert.eq(1, db.system.users.count(), "setup") assert.eq(2, db.system.indexes.count(), "setup2") @@ -25,7 +25,7 @@ assert.eq(1, db.system.users.find({user:'user'}).count(), "didn't restore users" assert.eq(2, db.system.indexes.count(), "didn't restore indexes") db.dropUser('user') -db.addUser('user2', 'password2', jsTest.basicUserRoles) +db.addUser({user: 'user2', pwd: 'password2', roles: jsTest.basicUserRoles}); t.runTool("restore", "--dir", t.ext, "--drop") diff --git a/jstests/tool/dumprestore_auth.js b/jstests/tool/dumprestore_auth.js index b37ffee9acc..38792df8e4a 100644 --- a/jstests/tool/dumprestore_auth.js +++ b/jstests/tool/dumprestore_auth.js @@ -5,7 +5,7 @@ t = new ToolTest("dumprestore_auth", { auth : "" }); c = t.startDB("foo"); adminDB = c.getDB().getSiblingDB('admin'); -adminDB.addUser('admin', 'password', ['__system']); +adminDB.addUser({user: 'admin', pwd: 'password', roles: ['__system']}); adminDB.auth('admin','password'); assert.eq(0 , c.count() , "setup1"); diff --git a/jstests/tool/restorewithauth.js b/jstests/tool/restorewithauth.js index 7e198efcbab..76d721eefd8 100644 --- a/jstests/tool/restorewithauth.js +++ b/jstests/tool/restorewithauth.js 
@@ -52,7 +52,7 @@ conn = startMongod( "--auth", "--port", port, "--dbpath", "/data/db/" + baseName // admin user var admin = conn.getDB( "admin" ) -admin.addUser( "admin" , "admin", jsTest.adminUserRoles ); +admin.addUser({user: "admin" , pwd: "admin", roles: jsTest.adminUserRoles}); admin.auth( "admin" , "admin" ); var foo = conn.getDB( "foo" ) @@ -92,7 +92,7 @@ foo.dropDatabase(); assert.eq(foo.system.namespaces.count({name: "foo.bar"}), 0); assert.eq(foo.system.namespaces.count({name: "foo.baz"}), 0); -foo.addUser('user', 'password', jsTest.basicUserRoles); +foo.addUser({user: 'user', pwd: 'password', roles: jsTest.basicUserRoles}); // now try to restore dump with foo database credentials x = runMongoProgram("mongorestore", diff --git a/jstests/tool/stat1.js b/jstests/tool/stat1.js index ca823f2cfb8..289a1a865af 100644 --- a/jstests/tool/stat1.js +++ b/jstests/tool/stat1.js @@ -11,7 +11,7 @@ t.drop(); db.dropAllUsers(); -db.addUser( "eliot" , "eliot", jsTest.adminUserRoles ); +db.addUser({user: "eliot" , pwd: "eliot", roles: jsTest.adminUserRoles}); assert( db.auth( "eliot" , "eliot" ) , "auth failed" ); diff --git a/jstests/user_management_helpers.js b/jstests/user_management_helpers.js index cad2de3cee9..5ccce4f7f6a 100644 --- a/jstests/user_management_helpers.js +++ b/jstests/user_management_helpers.js @@ -16,8 +16,8 @@ function assertHasRole(rolesArray, roleName, roleDB) { db.dropDatabase(); db.dropAllUsers(); - db.addUser("spencer", "password", ['readWrite']); - db.addUser("andy", "password", ['readWrite']); + db.addUser({user: "spencer", pwd: "password", roles: ['readWrite']}); + db.addUser({user: "andy", pwd: "password", roles: ['readWrite']}); // Test getUser var userObj = db.getUser('spencer'); diff --git a/src/mongo/shell/db.js b/src/mongo/shell/db.js index ef48200662d..d24181cd2d1 100644 --- a/src/mongo/shell/db.js +++ b/src/mongo/shell/db.js 
@@ -863,7 +863,7 @@ function printUserObj(userObj) { /** * Used for creating users in systems with v1 style user information (ie MongoDB v2.4 and prior) */ -DB.prototype._createUserV1 = function(userObj, replicatedTo, timeout) { +DB.prototype._createUserWithInsert = function(userObj, replicatedTo, timeout) { var c = this.getCollection( "system.users" ); var oldPwd; if (userObj.pwd != null) { @@ -937,6 +937,15 @@ DB.prototype._createUserV1 = function(userObj, replicatedTo, timeout) { } DB.prototype._createUser = function(userObj, replicatedTo, timeout) { + var commandExisted = this._createUserWithCommand(userObj, replicatedTo, timeout); + if (!commandExisted) { + this._createUserWithInsert(userObj, replicatedTo, timeout); + } +} + +// Returns true if it worked, false if the createUser command wasn't found, and throws on all other +// failures +DB.prototype._createUserWithCommand = function(userObj, replicatedTo, timeout) { var name = userObj["user"]; var cmdObj = {createUser:name}; cmdObj = Object.extend(cmdObj, userObj); @@ -950,11 +959,11 @@ DB.prototype._createUser = function(userObj, replicatedTo, timeout) { if (res.ok) { printUserObj(userObj); - return; + return true; } if (res.errmsg == "no such cmd: createUser") { - return this._createUserV1(userObj, replicatedTo, timeout); + return false; } // We can't detect replica set shards via mongos, so we'll sometimes get this error 
@@ -962,27 +971,51 @@ DB.prototype._createUser = function(userObj, replicatedTo, timeout) { // the user has been written and we're happy if (res.errmsg == "norepl" || res.errmsg == "noreplset") { // nothing we can do - return; + return true; } if (res.errmsg == "timeout") { - throw "timed out while waiting for user authentication to replicate - " + - "database will not be fully secured until replication finishes" + throw Error("timed out while waiting for user authentication to replicate - " + + "database will not be fully secured until replication finishes"); } - throw "couldn't add user: " + res.errmsg; + throw Error("couldn't add user: " + res.errmsg); } function _hashPassword(username, password) { return hex_md5(username + ":mongo:" + password); } -DB.prototype._addUserExplicitArgs = function(username, password, roles, replicatedTo, timeout) { - if (password == null || password.length == 0) { - throw Error("password can't be empty"); +// We need to continue to support the addUser(username, password, readOnly) form of addUser for at +// least one release, even though its behavior of creating a super-user by default is bad. +// TODO(spencer): remove this form from v2.8 +DB.prototype._createUserDeprecatedV22Version = function(username, pass, readOnly, replicatedTo, timeout) { + print("WARNING: This form of the addUser shell helper (that takes username, password, " + + "and readOnly boolean) is DEPRECATED. 
Use the form that takes a user object instead"); + + if ( pass == null || pass.length == 0 ) + throw "password can't be empty"; + + var userObjForCommand = { user: username, pwd: pass }; + if (this.getName() == "admin") { + if (readOnly) { + userObjForCommand["roles"] = ['readAnyDatabase']; + } else { + userObjForCommand["roles"] = ['root']; + } + } else { + if (readOnly) { + userObjForCommand["roles"] = ['read']; + } else { + userObjForCommand["roles"] = ['dbOwner']; + } + } + + var commandExisted = this._createUserWithCommand(userObjForCommand, replicatedTo, timeout); + if (!commandExisted) { + var userObjForInsert = { user: username, pwd: pass, readOnly: readOnly || false }; + this._createUserWithInsert(userObjForInsert, replicatedTo, timeout); } - var userObj = { user: arguments[0], pwd: arguments[1], roles: arguments[2] }; - this._createUser(userObj, replicatedTo, timeout); } // TODO(spencer): properly handle write concern objects in addUser @@ -993,12 +1026,8 @@ DB.prototype.addUser = function() { if (typeof arguments[0] == "object") { this._createUser.apply(this, arguments); - } else if (Array.isArray(arguments[2])) { - this._addUserExplicitArgs.apply(this, arguments); } else { - throw Error("Invalid arguments to addUser. addUser must either be run with a full user " + - "object or with a username, password, and roles array"); - + this._createUserDeprecatedV22Version.apply(this, arguments); } } @@ -1082,6 +1111,10 @@ DB.prototype.dropUser = function( username, writeConcern ){ throw Error(res.errmsg); } +/** + * Used for removing users in systems with V1 style user information + * (ie MongoDB v2.4 and prior) + */ DB.prototype._removeUserV1 = function(username, writeConcern) { this.getCollection( "system.users" ).remove( { user : username } ); |
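Review bot: The empty-password check in `_createUserDeprecatedV22Version` throws a bare string, `throw "password can't be empty";`, although this same hunk converts the other throws in `_createUserWithCommand` to `Error(...)` and the removed `_addUserExplicitArgs` already used an `Error`. Keep it as `throw Error("password can't be empty");` so callers get one exception type with a stack. The deprecation warning also does not say that omitting `readOnly` grants `root` on `admin` and `dbOwner` on any other database. Since the comment above the function already calls that default bad, the printed message should name the role being granted.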
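Review bot: `addUser` now routes every call whose first argument is not an object to `_createUserDeprecatedV22Version`, including the `(username, password, rolesArray)` form this hunk removes. An array in the third position is truthy, so `db.addUser('bob', 'password', ['readWrite'])` is read as `readOnly` and creates a user with `read` (or `readAnyDatabase` on `admin`) instead of failing. In the insert fallback the array itself is stored as the `readOnly` field. Reject a non-boolean third argument before dispatching, e.g. `if (arguments[2] != null && typeof arguments[2] != "boolean") throw Error("addUser: third argument must be a readOnly boolean; pass a user object to set roles");`. The body of `addUser` starts outside the hunk.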