diff options
7 files changed, 62 insertions, 6 deletions
diff --git a/buildscripts/resmokeconfig/suites/sharding_auth.yml b/buildscripts/resmokeconfig/suites/sharding_auth.yml index 96fda18bfcb..320eb022a80 100644 --- a/buildscripts/resmokeconfig/suites/sharding_auth.yml +++ b/buildscripts/resmokeconfig/suites/sharding_auth.yml @@ -11,6 +11,7 @@ selector: exclude_files: # Skip any tests that run with auth explicitly. - jstests/sharding/*[aA]uth*.js + - jstests/sharding/advance_cluster_time_action_type.js - jstests/sharding/aggregation_currentop.js # SERVER-19318 - jstests/sharding/kill_sessions.js # Skip these additional tests when running with auth enabled. diff --git a/buildscripts/resmokeconfig/suites/sharding_auth_audit.yml b/buildscripts/resmokeconfig/suites/sharding_auth_audit.yml index 764552cd3ef..80991abb93e 100644 --- a/buildscripts/resmokeconfig/suites/sharding_auth_audit.yml +++ b/buildscripts/resmokeconfig/suites/sharding_auth_audit.yml @@ -11,6 +11,7 @@ selector: exclude_files: # Skip any tests that run with auth explicitly. - jstests/sharding/*[aA]uth*.js + - jstests/sharding/advance_cluster_time_action_type.js - jstests/sharding/aggregation_currentop.js # SERVER-19318 - jstests/sharding/kill_sessions.js # Skip these additional tests when running with auth enabled. diff --git a/buildscripts/resmokeconfig/suites/sharding_continuous_config_stepdown.yml b/buildscripts/resmokeconfig/suites/sharding_continuous_config_stepdown.yml index 4e791e023ae..d028cae92eb 100644 --- a/buildscripts/resmokeconfig/suites/sharding_continuous_config_stepdown.yml +++ b/buildscripts/resmokeconfig/suites/sharding_continuous_config_stepdown.yml @@ -12,6 +12,7 @@ selector: - jstests/sharding/mongos_rs_auth_shard_failure_tolerance.js - jstests/sharding/mrShardedOutputAuth.js - jstests/sharding/aggregation_currentop.js + - jstests/sharding/advance_cluster_time_action_type.js # Count/write/aggregate/group commands against the config shard do not support retries yet - jstests/sharding/addshard1.js - jstests/sharding/addshard2.js diff --git a/buildscripts/resmokeconfig/suites/sharding_last_stable_mongos_and_mixed_shards.yml b/buildscripts/resmokeconfig/suites/sharding_last_stable_mongos_and_mixed_shards.yml index 91b19e11968..b34190b9ce0 100644 --- a/buildscripts/resmokeconfig/suites/sharding_last_stable_mongos_and_mixed_shards.yml +++ b/buildscripts/resmokeconfig/suites/sharding_last_stable_mongos_and_mixed_shards.yml @@ -30,6 +30,7 @@ selector: # New feature in v3.6 mongos - jstests/sharding/logical_time_metadata.js # New feature in v3.6 mongos and mongod. + - jstests/sharding/advance_cluster_time_action_type.js - jstests/sharding/advance_logical_time_with_valid_signature.js - jstests/sharding/after_cluster_time.js - jstests/sharding/lookup_change_stream_post_image_id_shard_key.js diff --git a/jstests/sharding/advance_cluster_time_action_type.js b/jstests/sharding/advance_cluster_time_action_type.js new file mode 100644 index 00000000000..1497cb4e67e --- /dev/null +++ b/jstests/sharding/advance_cluster_time_action_type.js @@ -0,0 +1,52 @@ +/** + * Test a role with an advanceClusterTime action type. + */ + +(function() { + "use strict"; + + let st = new ShardingTest( + {mongos: 1, config: 1, shards: 1, keyFile: 'jstests/libs/key1', mongosWaitsForKeys: true}); + let adminDB = st.s.getDB('admin'); + + assert.commandWorked(adminDB.runCommand({createUser: "admin", pwd: "admin", roles: ["root"]})); + assert.eq(1, adminDB.auth("admin", "admin")); + + assert.commandWorked(adminDB.runCommand({ + createRole: "advanceClusterTimeRole", + privileges: [{resource: {cluster: true}, actions: ["advanceClusterTime"]}], + roles: [] + })); + + let testDB = adminDB.getSiblingDB("testDB"); + + assert.commandWorked( + testDB.runCommand({createUser: 'NotTrusted', pwd: 'pwd', roles: ['readWrite']})); + assert.commandWorked(testDB.runCommand({ + createUser: 'Trusted', + pwd: 'pwd', + roles: [{role: 'advanceClusterTimeRole', db: 'admin'}, 'readWrite'] + })); + assert.eq(1, testDB.auth("NotTrusted", "pwd")); + + let res = testDB.runCommand({insert: "foo", documents: [{_id: 0}]}); + assert.commandWorked(res); + + let clusterTime = res.$clusterTime; + let clusterTimeTS = new Timestamp(clusterTime.clusterTime.getTime() + 1000, 0); + clusterTime.clusterTime = clusterTimeTS; + + const cmdObj = {find: "foo", limit: 1, singleBatch: true, $clusterTime: clusterTime}; + jsTestLog("running NonTrusted. command: " + tojson(cmdObj)); + res = testDB.runCommand(cmdObj); + assert.commandFailed(res, "Command request was: " + tojsononeline(cmdObj)); + + assert.eq(1, testDB.auth("Trusted", "pwd")); + jsTestLog("running Trusted. command: " + tojson(cmdObj)); + res = testDB.runCommand(cmdObj); + assert.commandWorked(res, "Command request was: " + tojsononeline(cmdObj)); + + testDB.logout(); + + st.stop(); +})(); diff --git a/src/mongo/db/auth/action_types.txt b/src/mongo/db/auth/action_types.txt index 45eedf4312f..b08591a9c10 100644 --- a/src/mongo/db/auth/action_types.txt +++ b/src/mongo/db/auth/action_types.txt @@ -5,7 +5,7 @@ # This means that the integer value assigned to each ActionType and used internally in ActionSet # also may change between versions. ["addShard", -"advanceLogicalTime", +"advanceClusterTime", "anyAction", # Special ActionType that represents *all* actions "appendOplogNote", "applicationMessage", diff --git a/src/mongo/db/logical_time_validator.cpp b/src/mongo/db/logical_time_validator.cpp index 2b336a5e561..98b217fb401 100644 --- a/src/mongo/db/logical_time_validator.cpp +++ b/src/mongo/db/logical_time_validator.cpp @@ -51,12 +51,12 @@ const auto getLogicalClockValidator = stdx::mutex validatorMutex; // protects access to decoration instance of LogicalTimeValidator. -std::vector<Privilege> advanceLogicalClockPrivilege; +std::vector<Privilege> advanceClusterTimePrivilege; -MONGO_INITIALIZER(InitializeAdvanceLogicalClockPrivilegeVector)(InitializerContext* const) { +MONGO_INITIALIZER(InitializeAdvanceClusterTimePrivilegeVector)(InitializerContext* const) { ActionSet actions; - actions.addAction(ActionType::internal); - advanceLogicalClockPrivilege.emplace_back(ResourcePattern::forClusterResource(), actions); + actions.addAction(ActionType::advanceClusterTime); + advanceClusterTimePrivilege.emplace_back(ResourcePattern::forClusterResource(), actions); return Status::OK(); } @@ -184,7 +184,7 @@ bool LogicalTimeValidator::isAuthorizedToAdvanceClock(OperationContext* opCtx) { // Note: returns true if auth is off, courtesy of // AuthzSessionExternalStateServerCommon::shouldIgnoreAuthChecks. return AuthorizationSession::get(client)->isAuthorizedForPrivileges( - advanceLogicalClockPrivilege); + advanceClusterTimePrivilege); } bool LogicalTimeValidator::shouldGossipLogicalTime() { |