summaryrefslogtreecommitdiff
path: root/jstests/auth/lib/commands_lib.js
diff options
context:
space:
mode:
Diffstat (limited to 'jstests/auth/lib/commands_lib.js')
-rw-r--r--jstests/auth/lib/commands_lib.js4878
1 files changed, 2324 insertions, 2554 deletions
diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js
index 69339a7655a..bab46779cb6 100644
--- a/jstests/auth/lib/commands_lib.js
+++ b/jstests/auth/lib/commands_lib.js
@@ -197,2577 +197,2345 @@ var roles_all = {
var authCommandsLib = {
-
-
/************* TEST CASES ****************/
tests: [
{
- testname: "addShard",
- command: {addShard: "x"},
- skipStandalone: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_clusterManager,
- privileges: [
- { resource: {cluster: true}, actions: ["addShard"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- // Test that clusterManager role has permission to run addTagRange
- testname: "addTagRange",
- command: { // addTagRange is not a "real command"; it updates config.tags
- update: "tags",
- updates: [ {
- q: {_id: { ns : "test.x" , min : 1 }},
- u: {_id: { ns : "test.x" , min : 1 },
- ns : "test.x"}
- } ] },
- skipStandalone: true,
- testcases: [
- {
- runOnDb: "config",
- roles: Object.extend({readWriteAnyDatabase: 1}, roles_clusterManager)
- }
- ]
- },
- {
- testname: "applyOps",
- command: {applyOps: "x"},
- testcases: [
- {
- runOnDb: adminDbName,
- roles: {__system: 1},
- privileges: [
- { resource: {anyResource: true}, actions: ["anyAction"] }
- ],
- expectFail: true
- },
- {
- runOnDb: firstDbName,
- roles: {__system: 1},
- privileges: [
- { resource: {anyResource: true}, actions: ["anyAction"] }
- ],
- expectFail: true
- }
- ]
- },
- {
- testname: "aggregate_readonly",
- command: {aggregate: "foo", pipeline: []},
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_read,
- privileges: [
- { resource: {db: firstDbName, collection: "foo"}, actions: ["find"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_readAny,
- privileges: [
- { resource: {db: secondDbName, collection: "foo"}, actions: ["find"] }
- ]
- }
- ]
- },
- {
- testname: "aggregate_explain",
- command: {aggregate: "foo", explain: true, pipeline: [ {$match: {bar: 1}} ] },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_read,
- privileges: [
- { resource: {db: firstDbName, collection: "foo"}, actions: ["find"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_readAny,
- privileges: [
- { resource: {db: secondDbName, collection: "foo"}, actions: ["find"] }
- ]
- }
- ]
- },
- {
- testname: "aggregate_write",
- command: {aggregate: "foo", pipeline: [ {$out: "foo_out"} ] },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: { readWrite: 1,
- readWriteAnyDatabase: 1,
- dbOwner: 1,
- root: 1,
- __system: 1},
- privileges: [
- { resource: {db: firstDbName, collection: "foo"}, actions: ["find"] },
- { resource: {db: firstDbName, collection: "foo_out"}, actions: ["insert"] },
- { resource: {db: firstDbName, collection: "foo_out"}, actions: ["remove"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: {readWriteAnyDatabase: 1, root: 1, __system: 1},
- privileges: [
- { resource: {db: secondDbName, collection: "foo"}, actions: ["find"] },
- { resource: {db: secondDbName, collection: "foo_out"}, actions: ["insert"] },
- { resource: {db: secondDbName, collection: "foo_out"}, actions: ["remove"] }
- ]
- }
- ]
- },
- {
- testname: "aggregate_indexStats",
- command: {aggregate: "foo", pipeline: [{$indexStats: {}}]},
- setup: function (db) {
- db.createCollection("foo");
- },
- teardown: function (db) {
- db.foo.drop();
- },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: {
- clusterMonitor: 1,
- clusterAdmin: 1,
- root: 1,
- __system: 1
- },
- privileges: [
- {resource: {anyResource: true}, actions: ["indexStats"]}
- ]
- }
- ]
- },
- {
- testname: "appendOplogNote",
- command: {appendOplogNote: 1, data: {a: 1}},
- skipSharded: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: {
- backup: 1,
- clusterManager: 1,
- clusterAdmin: 1,
- root: 1,
- __system: 1
- },
- privileges: [
- { resource: {cluster: true}, actions: ["appendOplogNote"] }
- ],
- expectFail: true, // because no replication enabled
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "authSchemaUpgrade",
- command: {authSchemaUpgrade: 1},
- testcases: [
- {
- runOnDb: adminDbName,
- roles: {
- userAdminAnyDatabase: 1,
- root: 1,
- __system: 1
+ testname: "addShard",
+ command: {addShard: "x"},
+ skipStandalone: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_clusterManager,
+ privileges: [{resource: {cluster: true}, actions: ["addShard"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ // Test that clusterManager role has permission to run addTagRange
+ testname: "addTagRange",
+ command: {
+ // addTagRange is not a "real command"; it updates config.tags
+ update: "tags",
+ updates: [{
+ q: {_id: {ns: "test.x", min: 1}},
+ u: {_id: {ns: "test.x", min: 1}, ns: "test.x"}
+ }]
+ },
+ skipStandalone: true,
+ testcases: [{
+ runOnDb: "config",
+ roles: Object.extend({readWriteAnyDatabase: 1}, roles_clusterManager)
+ }]
+ },
+ {
+ testname: "applyOps",
+ command: {applyOps: "x"},
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: {__system: 1},
+ privileges: [{resource: {anyResource: true}, actions: ["anyAction"]}],
+ expectFail: true
+ },
+ {
+ runOnDb: firstDbName,
+ roles: {__system: 1},
+ privileges: [{resource: {anyResource: true}, actions: ["anyAction"]}],
+ expectFail: true
+ }
+ ]
+ },
+ {
+ testname: "aggregate_readonly",
+ command: {aggregate: "foo", pipeline: []},
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_read,
+ privileges: [{resource: {db: firstDbName, collection: "foo"}, actions: ["find"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_readAny,
+ privileges:
+ [{resource: {db: secondDbName, collection: "foo"}, actions: ["find"]}]
+ }
+ ]
+ },
+ {
+ testname: "aggregate_explain",
+ command: {aggregate: "foo", explain: true, pipeline: [{$match: {bar: 1}}]},
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_read,
+ privileges: [{resource: {db: firstDbName, collection: "foo"}, actions: ["find"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_readAny,
+ privileges:
+ [{resource: {db: secondDbName, collection: "foo"}, actions: ["find"]}]
+ }
+ ]
+ },
+ {
+ testname: "aggregate_write",
+ command: {aggregate: "foo", pipeline: [{$out: "foo_out"}]},
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: {readWrite: 1, readWriteAnyDatabase: 1, dbOwner: 1, root: 1, __system: 1},
+ privileges: [
+ {resource: {db: firstDbName, collection: "foo"}, actions: ["find"]},
+ {resource: {db: firstDbName, collection: "foo_out"}, actions: ["insert"]},
+ {resource: {db: firstDbName, collection: "foo_out"}, actions: ["remove"]}
+ ]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: {readWriteAnyDatabase: 1, root: 1, __system: 1},
+ privileges: [
+ {resource: {db: secondDbName, collection: "foo"}, actions: ["find"]},
+ {resource: {db: secondDbName, collection: "foo_out"}, actions: ["insert"]},
+ {resource: {db: secondDbName, collection: "foo_out"}, actions: ["remove"]}
+ ]
+ }
+ ]
+ },
+ {
+ testname: "aggregate_indexStats",
+ command: {aggregate: "foo", pipeline: [{$indexStats: {}}]},
+ setup: function(db) {
+ db.createCollection("foo");
+ },
+ teardown: function(db) {
+ db.foo.drop();
+ },
+ testcases: [{
+ runOnDb: firstDbName,
+ roles: {clusterMonitor: 1, clusterAdmin: 1, root: 1, __system: 1},
+ privileges: [{resource: {anyResource: true}, actions: ["indexStats"]}]
+ }]
+ },
+ {
+ testname: "appendOplogNote",
+ command: {appendOplogNote: 1, data: {a: 1}},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: {backup: 1, clusterManager: 1, clusterAdmin: 1, root: 1, __system: 1},
+ privileges: [{resource: {cluster: true}, actions: ["appendOplogNote"]}],
+ expectFail: true, // because no replication enabled
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "authSchemaUpgrade",
+ command: {authSchemaUpgrade: 1},
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: {userAdminAnyDatabase: 1, root: 1, __system: 1},
+ privileges: [{resource: {cluster: true}, actions: ["authSchemaUpgrade"]}]
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "buildInfo",
+ command: {buildInfo: 1},
+ testcases: [
+ {runOnDb: firstDbName, roles: roles_all, privileges: []},
+ {runOnDb: secondDbName, roles: roles_all, privileges: []}
+ ]
+ },
+ {
+ testname: "checkShardingIndex_firstDb",
+ command: {checkShardingIndex: firstDbName + ".x", keyPattern: {_id: 1}},
+ skipSharded: true,
+ testcases: [{
+ runOnDb: firstDbName,
+ roles: roles_read,
+ privileges: [{resource: {db: firstDbName, collection: "x"}, actions: ["find"]}]
+ }]
+ },
+ {
+ testname: "checkShardingIndex_secondDb",
+ command: {checkShardingIndex: secondDbName + ".x", keyPattern: {_id: 1}},
+ skipSharded: true,
+ testcases: [{
+ runOnDb: secondDbName,
+ roles: roles_readAny,
+ privileges: [{resource: {db: secondDbName, collection: "x"}, actions: ["find"]}]
+ }]
+ },
+ {
+ testname: "cleanupOrphaned",
+ command: {cleanupOrphaned: firstDbName + ".x"},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_clusterManager,
+ privileges: [{resource: {cluster: true}, actions: ["cleanupOrphaned"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "cloneCollection_1",
+ command: {cloneCollection: firstDbName + ".x"},
+ skipSharded: true,
+ testcases: [{
+ runOnDb: firstDbName,
+ roles: roles_write,
+ privileges: [{
+ resource: {db: firstDbName, collection: "x"},
+ actions: ["insert", "createIndex"]
+ }],
+ expectFail: true
+ }]
+ },
+ {
+ testname: "cloneCollection_2",
+ command: {cloneCollection: secondDbName + ".x"},
+ skipSharded: true,
+ testcases: [{
+ runOnDb: secondDbName,
+ roles: {readWriteAnyDatabase: 1, restore: 1, root: 1, __system: 1},
+ privileges: [{
+ resource: {db: secondDbName, collection: "x"},
+ actions: ["insert", "createIndex"]
+ }],
+ expectFail: true
+ }]
+ },
+ {
+ testname: "cloneCollectionAsCapped",
+ command: {cloneCollectionAsCapped: "x", toCollection: "y", size: 1000},
+ skipSharded: true,
+ setup: function(db) {
+ db.x.save({});
+ },
+ teardown: function(db) {
+ db.x.drop();
+ db.y.drop();
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: {readWrite: 1, readWriteAnyDatabase: 1, dbOwner: 1, root: 1, __system: 1},
+ privileges: [
+ {
+ resource: {db: firstDbName, collection: "y"},
+ actions: ["insert", "createIndex", "convertToCapped"]
},
- privileges: [
- { resource: {cluster: true}, actions: ["authSchemaUpgrade"] }
- ]
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "buildInfo",
- command: {buildInfo: 1},
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_all,
- privileges: [ ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_all,
- privileges: [ ]
- }
- ]
- },
- {
- testname: "checkShardingIndex_firstDb",
- command: {checkShardingIndex: firstDbName + ".x", keyPattern: {_id: 1} },
- skipSharded: true,
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_read,
- privileges: [
- { resource: {db: firstDbName, collection: "x"}, actions: ["find"] }
- ]
- }
- ]
- },
- {
- testname: "checkShardingIndex_secondDb",
- command: {checkShardingIndex: secondDbName + ".x", keyPattern: {_id: 1} },
- skipSharded: true,
- testcases: [
- {
- runOnDb: secondDbName,
- roles: roles_readAny,
- privileges: [
- { resource: {db: secondDbName, collection: "x"}, actions: ["find"] }
- ]
- }
- ]
- },
- {
- testname: "cleanupOrphaned",
- command: {cleanupOrphaned: firstDbName + ".x"},
- skipSharded: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_clusterManager,
- privileges: [
- { resource: {cluster: true}, actions: ["cleanupOrphaned"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "cloneCollection_1",
- command: {cloneCollection: firstDbName + ".x"},
- skipSharded: true,
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_write,
- privileges: [
- { resource: {db: firstDbName, collection: "x"}, actions: ["insert", "createIndex"] }
- ],
- expectFail: true
- }
- ]
- },
- {
- testname: "cloneCollection_2",
- command: {cloneCollection: secondDbName + ".x"},
- skipSharded: true,
- testcases: [
- {
- runOnDb: secondDbName,
- roles: {readWriteAnyDatabase: 1, restore: 1, root: 1, __system: 1},
- privileges: [
- { resource: {db: secondDbName, collection: "x"}, actions: ["insert", "createIndex"] }
- ],
- expectFail: true
- }
- ]
- },
- {
- testname: "cloneCollectionAsCapped",
- command: {cloneCollectionAsCapped: "x", toCollection: "y", size: 1000},
- skipSharded: true,
- setup: function (db) { db.x.save( {} ); },
- teardown: function (db) {
- db.x.drop();
- db.y.drop();
- },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: { readWrite: 1,
- readWriteAnyDatabase: 1,
- dbOwner: 1,
- root: 1,
- __system: 1
- },
- privileges: [
- { resource: {db: firstDbName, collection: "y"}, actions: ["insert", "createIndex", "convertToCapped"] },
- { resource: {db: firstDbName, collection: "x"}, actions: ["find"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: {readWriteAnyDatabase: 1, root: 1, __system: 1},
- privileges: [
- { resource: {db: secondDbName, collection: "y"}, actions: ["insert", "createIndex", "convertToCapped"] },
- { resource: {db: secondDbName, collection: "x"}, actions: ["find"] }
- ]
- }
- ]
- },
- {
- testname: "collMod",
- command: {collMod: "foo", usePowerOf2Sizes: true},
- setup: function (db) { db.foo.save( {} ); },
- teardown: function (db) { db.x.drop(); },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: Object.extend({restore: 1}, roles_dbAdmin),
- privileges: [
- { resource: {db: firstDbName, collection: "foo"}, actions: ["collMod"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: Object.extend({restore:1}, roles_dbAdminAny),
- privileges: [
- { resource: {db: secondDbName, collection: "foo"}, actions: ["collMod"] }
- ]
- }
- ]
- },
- {
- testname: "collStats",
- command: {collStats: "bar", scale: 1},
- setup: function (db) { db.bar.save( {} ); },
- teardown: function (db) { db.dropDatabase(); },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: {
- read: 1,
- readAnyDatabase: 1,
- readWrite: 1,
- readWriteAnyDatabase: 1,
- dbAdmin: 1,
- dbAdminAnyDatabase: 1,
- dbOwner: 1,
- clusterMonitor: 1,
- clusterAdmin: 1,
- backup: 1,
- root: 1,
- __system: 1
+ {resource: {db: firstDbName, collection: "x"}, actions: ["find"]}
+ ]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: {readWriteAnyDatabase: 1, root: 1, __system: 1},
+ privileges: [
+ {
+ resource: {db: secondDbName, collection: "y"},
+ actions: ["insert", "createIndex", "convertToCapped"]
},
- privileges: [
- { resource: {db: firstDbName, collection: "bar"}, actions: ["collStats"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: {
- readAnyDatabase: 1,
- readWriteAnyDatabase: 1,
- dbAdminAnyDatabase: 1,
- clusterMonitor: 1,
- clusterAdmin: 1,
- backup: 1,
- root: 1,
- __system: 1
+ {resource: {db: secondDbName, collection: "x"}, actions: ["find"]}
+ ]
+ }
+ ]
+ },
+ {
+ testname: "collMod",
+ command: {collMod: "foo", usePowerOf2Sizes: true},
+ setup: function(db) {
+ db.foo.save({});
+ },
+ teardown: function(db) {
+ db.x.drop();
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: Object.extend({restore: 1}, roles_dbAdmin),
+ privileges:
+ [{resource: {db: firstDbName, collection: "foo"}, actions: ["collMod"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: Object.extend({restore: 1}, roles_dbAdminAny),
+ privileges:
+ [{resource: {db: secondDbName, collection: "foo"}, actions: ["collMod"]}]
+ }
+ ]
+ },
+ {
+ testname: "collStats",
+ command: {collStats: "bar", scale: 1},
+ setup: function(db) {
+ db.bar.save({});
+ },
+ teardown: function(db) {
+ db.dropDatabase();
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: {
+ read: 1,
+ readAnyDatabase: 1,
+ readWrite: 1,
+ readWriteAnyDatabase: 1,
+ dbAdmin: 1,
+ dbAdminAnyDatabase: 1,
+ dbOwner: 1,
+ clusterMonitor: 1,
+ clusterAdmin: 1,
+ backup: 1,
+ root: 1,
+ __system: 1
+ },
+ privileges:
+ [{resource: {db: firstDbName, collection: "bar"}, actions: ["collStats"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: {
+ readAnyDatabase: 1,
+ readWriteAnyDatabase: 1,
+ dbAdminAnyDatabase: 1,
+ clusterMonitor: 1,
+ clusterAdmin: 1,
+ backup: 1,
+ root: 1,
+ __system: 1
+ },
+ privileges:
+ [{resource: {db: secondDbName, collection: "bar"}, actions: ["collStats"]}]
+ }
+ ]
+ },
+ {
+ testname: "compact",
+ command: {compact: "foo"},
+ skipSharded: true,
+ setup: function(db) {
+ db.foo.save({});
+ },
+ teardown: function(db) {
+ db.dropDatabase();
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_dbAdmin,
+ privileges:
+ [{resource: {db: firstDbName, collection: "foo"}, actions: ["compact"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_dbAdminAny,
+ privileges:
+ [{resource: {db: secondDbName, collection: "foo"}, actions: ["compact"]}]
+ }
+ ]
+ },
+ {
+ testname: "connectionStatus",
+ command: {connectionStatus: 1},
+ testcases: [
+ {runOnDb: firstDbName, roles: roles_all, privileges: []},
+ {runOnDb: secondDbName, roles: roles_all, privileges: []}
+ ]
+ },
+ {
+ testname: "connPoolStats",
+ command: {connPoolStats: 1},
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_monitoring,
+ privileges: [{resource: {cluster: true}, actions: ["connPoolStats"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_monitoring,
+ privileges: [{resource: {cluster: true}, actions: ["connPoolStats"]}]
+ }
+ ]
+ },
+ {
+ testname: "connPoolSync",
+ command: {connPoolSync: 1},
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_hostManager,
+ privileges: [{resource: {cluster: true}, actions: ["connPoolSync"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_hostManager,
+ privileges: [{resource: {cluster: true}, actions: ["connPoolSync"]}]
+ }
+ ]
+ },
+ {
+ testname: "convertToCapped",
+ command: {convertToCapped: "toCapped", size: 1000},
+ setup: function(db) {
+ db.toCapped.save({});
+ },
+ teardown: function(db) {
+ db.toCapped.drop();
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_writeDbAdmin,
+ privileges: [{
+ resource: {db: firstDbName, collection: "toCapped"},
+ actions: ["convertToCapped"]
+ }]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_writeDbAdminAny,
+ privileges: [{
+ resource: {db: secondDbName, collection: "toCapped"},
+ actions: ["convertToCapped"]
+ }]
+ }
+ ]
+ },
+ {
+ testname: "copydb",
+ command: {copydb: 1, fromdb: firstDbName, todb: secondDbName},
+ skipSharded: true, // Does not work sharded due to SERVER-13080
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: {readWriteAnyDatabase: 1, root: 1, __system: 1},
+ privileges: [
+ {resource: {db: firstDbName, collection: ""}, actions: ["find"]},
+ {resource: {db: firstDbName, collection: "system.js"}, actions: ["find"]},
+ {
+ resource: {db: secondDbName, collection: ""},
+ actions: ["insert", "createIndex"]
},
- privileges: [
- { resource: {db: secondDbName, collection: "bar"}, actions: ["collStats"] }
- ]
- }
- ]
- },
- {
- testname: "compact",
- command: {compact: "foo"},
- skipSharded: true,
- setup: function (db) { db.foo.save( {} ); },
- teardown: function (db) { db.dropDatabase(); },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_dbAdmin,
- privileges: [
- { resource: {db: firstDbName, collection: "foo"}, actions: ["compact"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_dbAdminAny,
- privileges: [
- { resource: {db: secondDbName, collection: "foo"}, actions: ["compact"] }
- ]
- }
- ]
- },
- {
- testname: "connectionStatus",
- command: {connectionStatus: 1},
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_all,
- privileges: [ ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_all,
- privileges: [ ]
- }
- ]
- },
- {
- testname: "connPoolStats",
- command: {connPoolStats: 1},
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_monitoring,
- privileges: [
- { resource: {cluster: true}, actions: ["connPoolStats"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_monitoring,
- privileges: [
- { resource: {cluster: true}, actions: ["connPoolStats"] }
- ]
- }
- ]
- },
- {
- testname: "connPoolSync",
- command: {connPoolSync: 1},
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_hostManager,
- privileges: [
- { resource: {cluster: true}, actions: ["connPoolSync"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_hostManager,
- privileges: [
- { resource: {cluster: true}, actions: ["connPoolSync"] }
- ]
- }
- ]
- },
- {
- testname: "convertToCapped",
- command: {convertToCapped: "toCapped", size: 1000},
- setup: function (db) { db.toCapped.save( {} ); },
- teardown: function (db) { db.toCapped.drop(); },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_writeDbAdmin,
- privileges: [
- { resource: {db: firstDbName, collection: "toCapped"}, actions:["convertToCapped"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_writeDbAdminAny,
- privileges: [
- { resource: {db: secondDbName, collection: "toCapped"}, actions:["convertToCapped"] }
- ]
- }
- ]
- },
- {
- testname: "copydb",
- command: {copydb: 1, fromdb: firstDbName, todb: secondDbName},
- skipSharded: true, // Does not work sharded due to SERVER-13080
- testcases: [
- {
- runOnDb: adminDbName,
- roles: {readWriteAnyDatabase: 1, root: 1, __system: 1},
- privileges: [
- { resource: {db: firstDbName, collection: ""}, actions:["find"] },
- { resource: {db: firstDbName, collection: "system.js"}, actions:["find"] },
- { resource: {db: secondDbName, collection: ""},
- actions:["insert", "createIndex"] },
- { resource: {db: secondDbName, collection: "system.js"}, actions:["insert"] },
- ]
- },
- ]
- },
- {
- testname: "count",
- command: {count: "x"},
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_read,
- privileges: [
- { resource: {db: firstDbName, collection: "x"}, actions: ["find"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_readAny,
- privileges: [
- { resource: {db: secondDbName, collection: "x"}, actions: ["find"] }
- ]
- }
- ]
- },
- {
- testname: "create",
- command: {create: "x"},
- teardown: function (db) { db.x.drop(); },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: Object.extend({restore:1}, roles_writeDbAdmin),
- privileges: [
- { resource: {db: firstDbName, collection: "x"}, actions: ["createCollection"] }
- ]
- },
- {
- runOnDb: firstDbName,
- roles: Object.extend({restore:1}, roles_writeDbAdmin),
- privileges: [
- { resource: {db: firstDbName, collection: "x"}, actions: ["insert"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: Object.extend({restore:1}, roles_writeDbAdminAny),
- privileges: [
- { resource: {db: secondDbName, collection: "x"}, actions: ["createCollection"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: Object.extend({restore:1}, roles_writeDbAdminAny),
- privileges: [
- { resource: {db: secondDbName, collection: "x"}, actions: ["insert"] }
- ]
- }
- ]
- },
- {
- testname: "create_capped",
- command: {create: "x", capped: true, size: 1000},
- teardown: function (db) { db.x.drop(); },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_writeDbAdmin,
- privileges: [
- { resource: {db: firstDbName, collection: "x"}, actions: ["createCollection", "convertToCapped"] }
- ]
- },
- {
- runOnDb: firstDbName,
- roles: roles_writeDbAdmin,
- privileges: [
- { resource: {db: firstDbName, collection: "x"}, actions: ["insert", "convertToCapped"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_writeDbAdminAny,
- privileges: [
- { resource: {db: secondDbName, collection: "x"}, actions: ["createCollection", "convertToCapped"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_writeDbAdminAny,
- privileges: [
- { resource: {db: secondDbName, collection: "x"}, actions: ["insert", "convertToCapped"] }
- ]
- }
- ]
- },
- {
- testname: "createIndexes",
- command: {createIndexes: "x", indexes: [{ns: firstDbName + ".x", key: {a:1}, name: "a_1"}] },
- teardown: function (db) { db.x.drop(); },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: Object.extend({readWrite: 1,
- readWriteAnyDatabase: 1,
- dbAdmin: 1,
- dbAdminAnyDatabase: 1,
- dbOwner: 1,
- restore: 1,
- root: 1,
- __system: 1}),
- privileges: [
- { resource: {db: firstDbName, collection: "x"}, actions: ["createIndex"] }
- ]
- }
- ]
- },
- {
- testname: "currentOp",
- command: {currentOp: 1, $all: true},
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_monitoring,
- privileges: [
- { resource: {cluster: true}, actions: ["inprog"] }
- ]
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "currentOpCtx",
- command: {currentOpCtx: 1},
- skipSharded: true,
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_monitoring,
- privileges: [
- { resource: {cluster: true}, actions: ["inprog"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_monitoring,
- privileges: [
- { resource: {cluster: true}, actions: ["inprog"] }
- ]
- }
- ]
- },
- {
- testname: "dataSize_1",
- command: {dataSize: firstDbName + ".x"},
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_read,
- privileges: [
- { resource: {db: firstDbName, collection: "x"}, actions: ["find"] }
- ]
- }
- ]
- },
- {
- testname: "dataSize_2",
- command: {dataSize: secondDbName + ".x"},
- testcases: [
- {
- runOnDb: secondDbName,
- roles: roles_readAny,
- privileges: [
- { resource: {db: secondDbName, collection: "x"}, actions: ["find"] }
- ]
- }
- ]
- },
- {
- testname: "dbHash",
- command: {dbHash: 1},
- skipSharded: true,
- testcases: [
- {
- runOnDb: firstDbName,
- roles: { read: 1,
- readAnyDatabase: 1,
- readWrite: 1,
- readWriteAnyDatabase: 1,
- dbOwner: 1,
- root: 1,
- __system: 1
- },
- privileges: [
- { resource: {db: firstDbName, collection: ""}, actions: ["dbHash"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: { readAnyDatabase: 1,
- readWriteAnyDatabase: 1,
- root: 1,
- __system: 1
- },
- privileges: [
- { resource: {db: secondDbName, collection: ""}, actions: ["dbHash"] }
- ]
- }
- ]
- },
- {
- testname: "dbStats",
- command: {dbStats: 1, scale: 1024},
- testcases: [
- {
- runOnDb: firstDbName,
- roles: {
- read: 1,
- readAnyDatabase: 1,
- readWrite: 1,
- readWriteAnyDatabase: 1,
- dbAdmin: 1,
- dbAdminAnyDatabase: 1,
- dbOwner: 1,
- clusterMonitor: 1,
- clusterAdmin: 1,
- root: 1,
- __system: 1
- },
- privileges: [
- { resource: {db: firstDbName, collection: ""}, actions: ["dbStats"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: {
- readAnyDatabase: 1,
- readWriteAnyDatabase: 1,
- dbAdminAnyDatabase: 1,
- clusterMonitor: 1,
- clusterAdmin: 1,
- root: 1,
- __system: 1
- },
- privileges: [
- { resource: {db: secondDbName, collection: ""}, actions: ["dbStats"] }
- ]
- }
- ]
- },
- {
- testname: "diagLogging",
- command: {diagLogging: 1},
- skipSharded: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_hostManager,
- privileges: [
- { resource: {cluster: true}, actions: ["diagLogging"] }
- ]
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "distinct",
- command: {distinct: "coll", key: "a", query: {}},
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_read,
- privileges: [
- { resource: {db: firstDbName, collection: "coll"}, actions: ["find"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_readAny,
- privileges: [
- { resource: {db: secondDbName, collection: "coll"}, actions: ["find"] }
- ]
- }
- ]
- },
- {
- testname: "drop",
- command: {drop: "x"},
- setup: function (db) { db.x.save({}); },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: Object.extend({restore: 1}, roles_writeDbAdmin),
- privileges: [
- { resource: {db: firstDbName, collection: "x"}, actions: ["dropCollection"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: Object.extend({restore: 1}, roles_writeDbAdminAny),
- privileges: [
- { resource: {db: secondDbName, collection: "x"}, actions: ["dropCollection"] }
- ]
- }
- ]
- },
- {
- testname: "dropDatabase",
- command: {dropDatabase: 1},
- setup: function (db) { db.x.save({}); },
- teardown: function (db) { db.x.save({}); },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: {
- dbAdmin: 1,
- dbAdminAnyDatabase: 1,
- dbOwner: 1,
- clusterAdmin: 1,
- root: 1,
- __system: 1
- },
- privileges: [
- { resource: {db: firstDbName, collection: ""}, actions: ["dropDatabase"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: {
- dbAdminAnyDatabase: 1,
- clusterAdmin: 1,
- root: 1,
- __system: 1
- },
- privileges: [
- { resource: {db: secondDbName, collection: ""}, actions: ["dropDatabase"] }
- ]
- }
- ]
- },
- {
- testname: "dropIndexes",
- command: {dropIndexes: "x", index: "*"},
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_writeDbAdmin,
- privileges: [
- { resource: {db: firstDbName, collection: "x"}, actions: ["dropIndex"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_writeDbAdminAny,
- privileges: [
- { resource: {db: secondDbName, collection: "x"}, actions: ["dropIndex"] }
- ]
- }
- ]
- },
- {
- testname: "enableSharding",
- command: {enableSharding: "x"},
- skipStandalone: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: Object.extend({enableSharding:1}, roles_clusterManager),
- privileges: [
- { resource: {db: "x", collection: ""}, actions: ["enableSharding"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "eval",
- command: {$eval: function () { print("noop"); } },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: {__system: 1},
- privileges: [
- { resource: {anyResource: true}, actions: ["anyAction"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: {__system: 1},
- privileges: [
- { resource: {anyResource: true}, actions: ["anyAction"] }
- ]
- }
- ]
- },
- {
- testname: "features",
- command: {features: 1},
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_all,
- privilegesRequired: [ ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_all,
- privilegesRequired: [ ]
- }
- ]
- },
- {
- testname: "filemd5",
- command: {filemd5: 1, root: "fs"},
- setup: function (db) {
- db.fs.chunks.drop();
- db.fs.chunks.insert({files_id: 1, n: 0, data: new BinData(0, "test")});
- db.fs.chunks.ensureIndex({files_id: 1, n: 1});
- },
- teardown: function (db) {
- db.fs.chunks.drop();
- },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_read,
- privileges: [
- { resource: {db: firstDbName, collection: ""}, actions: ["find"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_readAny,
- privileges: [
- { resource: {db: secondDbName, collection: ""}, actions: ["find"] }
- ]
- }
- ]
- },
- {
- testname: "find",
- command: {find: "foo"},
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_read,
- privileges: [
- { resource: {db: firstDbName, collection: "foo"}, actions: ["find"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_readAny,
- privileges: [
- { resource: {db: secondDbName, collection: "foo"}, actions: ["find"] }
- ]
- }
- ]
- },
- {
- testname: "findWithTerm",
- command: {find: "foo", limit: -1, term: NumberLong(1)},
- testcases: [
- {
- runOnDb: firstDbName,
- roles: {__system: 1},
- privileges: [
- { resource: {db: firstDbName, collection: "foo"}, actions: ["find"] },
- { resource: {cluster: true}, actions: ["internal"] }
- ],
- expectFail: true // because of invalid limit
- },
- ]
- },
- {
- testname: "findAndModify",
- command: {findAndModify: "x", query: {_id: "abc"}, update: {$inc: {n: 1}}},
- setup: function (db) {
- db.x.drop();
- db.x.save( {_id: "abc", n: 0} );
- },
- teardown: function (db) { db.x.drop(); },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: { readWrite: 1,
- readWriteAnyDatabase: 1,
- dbOwner: 1,
- root: 1,
- __system: 1
- },
- privileges: [
- { resource: {db: firstDbName, collection: "x"}, actions: ["find", "update"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: {readWriteAnyDatabase: 1, root: 1, __system: 1},
- privileges: [
- { resource: {db: secondDbName, collection: "x"}, actions: ["find", "update"] }
- ]
- }
- ]
- },
- {
- testname: "flushRouterConfig",
- command: {flushRouterConfig: 1},
- skipStandalone: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: Object.extend({clusterManager: 1}, roles_hostManager),
- privileges: [
- { resource: {cluster: true}, actions: ["flushRouterConfig"] }
- ]
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "fsync",
- command: {fsync: 1},
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_hostManager,
- privileges: [
- { resource: {cluster: true}, actions: ["fsync"] }
- ]
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "fsyncUnlock",
- command: {fsyncUnlock: 1},
- skipSharded: true, // TODO: remove when fsyncUnlock is implemented in mongos
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_hostManager,
- privileges: [
- { resource: {cluster: true}, actions: ["unlock"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "geoNear",
- command: {geoNear: "x", near: [50, 50], num: 1},
- setup: function (db) {
- db.x.drop();
- db.x.save({loc: [50, 50]});
- db.x.ensureIndex({loc: "2d"});
- },
- teardown: function (db) { db.x.drop(); },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_read,
- privileges: [
- { resource: {db: firstDbName, collection: "x"}, actions: ["find"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_readAny,
- privileges: [
- { resource: {db: secondDbName, collection: "x"}, actions: ["find"] }
- ]
- }
- ]
- },
- {
- testname: "geoSearch",
- command: {geoSearch: "x", near: [50, 50], maxDistance: 6, limit: 1, search: {} },
- skipSharded: true,
- setup: function (db) {
- db.x.drop();
- db.x.save({loc: {long: 50, lat: 50}});
- db.x.ensureIndex({loc: "geoHaystack", type: 1}, {bucketSize: 1});
- },
- teardown: function (db) { db.x.drop(); },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_read,
- privileges: [
- { resource: {db: firstDbName, collection: "x"}, actions: ["find"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_readAny,
- privileges: [
- { resource: {db: secondDbName, collection: "x"}, actions: ["find"] }
- ]
- }
- ]
- },
- {
- testname: "getCmdLineOpts",
- command: {getCmdLineOpts: 1},
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_monitoring,
- privileges: [
- { resource: {cluster: true}, actions: ["getCmdLineOpts"] }
- ]
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "getLastError",
- command: {getLastError: 1},
- testcases: [
- { runOnDb: firstDbName, roles: roles_all, privileges: [ ] },
- { runOnDb: secondDbName, roles: roles_all, privileges: [ ] }
- ]
- },
- {
- testname: "getLog",
- command: {getLog: "*"},
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_monitoring,
- privileges: [
- { resource: {cluster: true}, actions: ["getLog"] }
- ]
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "getMore",
- command: {getMore: NumberLong("1"), collection: "foo"},
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_read,
- privileges: [
- { resource: {db: firstDbName, collection: "foo"}, actions: ["find"] }
- ],
- expectFail: true
- },
- {
- runOnDb: secondDbName,
- roles: roles_readAny,
- privileges: [
- { resource: {db: secondDbName, collection: "foo"}, actions: ["find"] }
- ],
- expectFail: true
- }
- ]
- },
- {
- testname: "getMoreWithTerm",
- command: {getMore: NumberLong("1"), collection: "foo", term: NumberLong(1)},
- testcases: [
- {
- runOnDb: firstDbName,
- roles: {__system: 1},
- privileges: [
- { resource: {db: firstDbName, collection: "foo"}, actions: ["find"] },
- { resource: {cluster: true}, actions: ["internal"] }
- ],
- expectFail: true
- }
- ]
- },
- {
- testname: "getnonce",
- command: {getnonce: 1},
- testcases: [
- { runOnDb: firstDbName, roles: roles_all, privileges: [ ] },
- { runOnDb: secondDbName, roles: roles_all, privileges: [ ] }
- ]
- },
- {
- testname: "getParameter",
- command: {getParameter: 1, quiet: 1},
- testcases: [
- {
- runOnDb: adminDbName,
- roles: { backup: 1,
- restore: 1,
- clusterMonitor: 1,
- clusterAdmin: 1,
- root: 1,
- __system: 1
- },
- privileges: [
- { resource: {cluster: true}, actions: ["getParameter"] }
- ]
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "getPrevError",
- command: {getPrevError: 1},
- skipSharded: true,
- testcases: [
- { runOnDb: firstDbName, roles: roles_all, privileges: [ ] },
- { runOnDb: secondDbName, roles: roles_all, privileges: [ ] }
- ]
- },
- {
- testname: "getShardMap",
- command: {getShardMap: "x"},
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_monitoring,
- privileges: [
- { resource: {cluster: true}, actions: ["getShardMap"] }
- ]
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "getShardVersion",
- command: {getShardVersion: "test.foo"},
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_monitoring,
- privileges: [
- { resource: {db: "test", collection: 'foo'}, actions: ["getShardVersion"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "group",
- command: {
- group: {
- ns: "x",
- key: {groupby: 1},
- initial: {total: 0},
- $reduce: function (curr, result) {
- result.total += curr.n;
+ {resource: {db: secondDbName, collection: "system.js"}, actions: ["insert"]},
+ ]
+ },
+ ]
+ },
+ {
+ testname: "count",
+ command: {count: "x"},
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_read,
+ privileges: [{resource: {db: firstDbName, collection: "x"}, actions: ["find"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_readAny,
+ privileges:
+ [{resource: {db: secondDbName, collection: "x"}, actions: ["find"]}]
+ }
+ ]
+ },
+ {
+ testname: "create",
+ command: {create: "x"},
+ teardown: function(db) {
+ db.x.drop();
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: Object.extend({restore: 1}, roles_writeDbAdmin),
+ privileges: [{
+ resource: {db: firstDbName, collection: "x"},
+ actions: ["createCollection"]
+ }]
+ },
+ {
+ runOnDb: firstDbName,
+ roles: Object.extend({restore: 1}, roles_writeDbAdmin),
+ privileges: [{resource: {db: firstDbName, collection: "x"}, actions: ["insert"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: Object.extend({restore: 1}, roles_writeDbAdminAny),
+ privileges: [{
+ resource: {db: secondDbName, collection: "x"},
+ actions: ["createCollection"]
+ }]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: Object.extend({restore: 1}, roles_writeDbAdminAny),
+ privileges:
+ [{resource: {db: secondDbName, collection: "x"}, actions: ["insert"]}]
+ }
+ ]
+ },
+ {
+ testname: "create_capped",
+ command: {create: "x", capped: true, size: 1000},
+ teardown: function(db) {
+ db.x.drop();
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_writeDbAdmin,
+ privileges: [{
+ resource: {db: firstDbName, collection: "x"},
+ actions: ["createCollection", "convertToCapped"]
+ }]
+ },
+ {
+ runOnDb: firstDbName,
+ roles: roles_writeDbAdmin,
+ privileges: [{
+ resource: {db: firstDbName, collection: "x"},
+ actions: ["insert", "convertToCapped"]
+ }]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_writeDbAdminAny,
+ privileges: [{
+ resource: {db: secondDbName, collection: "x"},
+ actions: ["createCollection", "convertToCapped"]
+ }]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_writeDbAdminAny,
+ privileges: [{
+ resource: {db: secondDbName, collection: "x"},
+ actions: ["insert", "convertToCapped"]
+ }]
+ }
+ ]
+ },
+ {
+ testname: "createIndexes",
+ command:
+ {createIndexes: "x", indexes: [{ns: firstDbName + ".x", key: {a: 1}, name: "a_1"}]},
+ teardown: function(db) {
+ db.x.drop();
+ },
+ testcases: [{
+ runOnDb: firstDbName,
+ roles: Object.extend({
+ readWrite: 1,
+ readWriteAnyDatabase: 1,
+ dbAdmin: 1,
+ dbAdminAnyDatabase: 1,
+ dbOwner: 1,
+ restore: 1,
+ root: 1,
+ __system: 1
+ }),
+ privileges:
+ [{resource: {db: firstDbName, collection: "x"}, actions: ["createIndex"]}]
+ }]
+ },
+ {
+ testname: "currentOp",
+ command: {currentOp: 1, $all: true},
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_monitoring,
+ privileges: [{resource: {cluster: true}, actions: ["inprog"]}]
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "currentOpCtx",
+ command: {currentOpCtx: 1},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_monitoring,
+ privileges: [{resource: {cluster: true}, actions: ["inprog"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_monitoring,
+ privileges: [{resource: {cluster: true}, actions: ["inprog"]}]
+ }
+ ]
+ },
+ {
+ testname: "dataSize_1",
+ command: {dataSize: firstDbName + ".x"},
+ testcases: [{
+ runOnDb: firstDbName,
+ roles: roles_read,
+ privileges: [{resource: {db: firstDbName, collection: "x"}, actions: ["find"]}]
+ }]
+ },
+ {
+ testname: "dataSize_2",
+ command: {dataSize: secondDbName + ".x"},
+ testcases: [{
+ runOnDb: secondDbName,
+ roles: roles_readAny,
+ privileges: [{resource: {db: secondDbName, collection: "x"}, actions: ["find"]}]
+ }]
+ },
+ {
+ testname: "dbHash",
+ command: {dbHash: 1},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: {
+ read: 1,
+ readAnyDatabase: 1,
+ readWrite: 1,
+ readWriteAnyDatabase: 1,
+ dbOwner: 1,
+ root: 1,
+ __system: 1
+ },
+ privileges: [{resource: {db: firstDbName, collection: ""}, actions: ["dbHash"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: {readAnyDatabase: 1, readWriteAnyDatabase: 1, root: 1, __system: 1},
+ privileges:
+ [{resource: {db: secondDbName, collection: ""}, actions: ["dbHash"]}]
+ }
+ ]
+ },
+ {
+ testname: "dbStats",
+ command: {dbStats: 1, scale: 1024},
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: {
+ read: 1,
+ readAnyDatabase: 1,
+ readWrite: 1,
+ readWriteAnyDatabase: 1,
+ dbAdmin: 1,
+ dbAdminAnyDatabase: 1,
+ dbOwner: 1,
+ clusterMonitor: 1,
+ clusterAdmin: 1,
+ root: 1,
+ __system: 1
+ },
+ privileges: [{resource: {db: firstDbName, collection: ""}, actions: ["dbStats"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: {
+ readAnyDatabase: 1,
+ readWriteAnyDatabase: 1,
+ dbAdminAnyDatabase: 1,
+ clusterMonitor: 1,
+ clusterAdmin: 1,
+ root: 1,
+ __system: 1
+ },
+ privileges:
+ [{resource: {db: secondDbName, collection: ""}, actions: ["dbStats"]}]
+ }
+ ]
+ },
+ {
+ testname: "diagLogging",
+ command: {diagLogging: 1},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_hostManager,
+ privileges: [{resource: {cluster: true}, actions: ["diagLogging"]}]
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "distinct",
+ command: {distinct: "coll", key: "a", query: {}},
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_read,
+ privileges:
+ [{resource: {db: firstDbName, collection: "coll"}, actions: ["find"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_readAny,
+ privileges:
+ [{resource: {db: secondDbName, collection: "coll"}, actions: ["find"]}]
+ }
+ ]
+ },
+ {
+ testname: "drop",
+ command: {drop: "x"},
+ setup: function(db) {
+ db.x.save({});
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: Object.extend({restore: 1}, roles_writeDbAdmin),
+ privileges:
+ [{resource: {db: firstDbName, collection: "x"}, actions: ["dropCollection"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: Object.extend({restore: 1}, roles_writeDbAdminAny),
+ privileges: [{
+ resource: {db: secondDbName, collection: "x"},
+ actions: ["dropCollection"]
+ }]
+ }
+ ]
+ },
+ {
+ testname: "dropDatabase",
+ command: {dropDatabase: 1},
+ setup: function(db) {
+ db.x.save({});
+ },
+ teardown: function(db) {
+ db.x.save({});
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: {
+ dbAdmin: 1,
+ dbAdminAnyDatabase: 1,
+ dbOwner: 1,
+ clusterAdmin: 1,
+ root: 1,
+ __system: 1
+ },
+ privileges:
+ [{resource: {db: firstDbName, collection: ""}, actions: ["dropDatabase"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: {dbAdminAnyDatabase: 1, clusterAdmin: 1, root: 1, __system: 1},
+ privileges:
+ [{resource: {db: secondDbName, collection: ""}, actions: ["dropDatabase"]}]
+ }
+ ]
+ },
+ {
+ testname: "dropIndexes",
+ command: {dropIndexes: "x", index: "*"},
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_writeDbAdmin,
+ privileges:
+ [{resource: {db: firstDbName, collection: "x"}, actions: ["dropIndex"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_writeDbAdminAny,
+ privileges:
+ [{resource: {db: secondDbName, collection: "x"}, actions: ["dropIndex"]}]
+ }
+ ]
+ },
+ {
+ testname: "enableSharding",
+ command: {enableSharding: "x"},
+ skipStandalone: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: Object.extend({enableSharding: 1}, roles_clusterManager),
+ privileges: [{resource: {db: "x", collection: ""}, actions: ["enableSharding"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "eval",
+ command: {
+ $eval: function() {
+ print("noop");
+ }
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: {__system: 1},
+ privileges: [{resource: {anyResource: true}, actions: ["anyAction"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: {__system: 1},
+ privileges: [{resource: {anyResource: true}, actions: ["anyAction"]}]
+ }
+ ]
+ },
+ {
+ testname: "features",
+ command: {features: 1},
+ testcases: [
+ {runOnDb: firstDbName, roles: roles_all, privilegesRequired: []},
+ {runOnDb: secondDbName, roles: roles_all, privilegesRequired: []}
+ ]
+ },
+ {
+ testname: "filemd5",
+ command: {filemd5: 1, root: "fs"},
+ setup: function(db) {
+ db.fs.chunks.drop();
+ db.fs.chunks.insert({files_id: 1, n: 0, data: new BinData(0, "test")});
+ db.fs.chunks.ensureIndex({files_id: 1, n: 1});
+ },
+ teardown: function(db) {
+ db.fs.chunks.drop();
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_read,
+ privileges: [{resource: {db: firstDbName, collection: ""}, actions: ["find"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_readAny,
+ privileges: [{resource: {db: secondDbName, collection: ""}, actions: ["find"]}]
+ }
+ ]
+ },
+ {
+ testname: "find",
+ command: {find: "foo"},
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_read,
+ privileges: [{resource: {db: firstDbName, collection: "foo"}, actions: ["find"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_readAny,
+ privileges:
+ [{resource: {db: secondDbName, collection: "foo"}, actions: ["find"]}]
+ }
+ ]
+ },
+ {
+ testname: "findWithTerm",
+ command: {find: "foo", limit: -1, term: NumberLong(1)},
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: {__system: 1},
+ privileges: [
+ {resource: {db: firstDbName, collection: "foo"}, actions: ["find"]},
+ {resource: {cluster: true}, actions: ["internal"]}
+ ],
+ expectFail: true // because of invalid limit
+ },
+ ]
+ },
+ {
+ testname: "findAndModify",
+ command: {findAndModify: "x", query: {_id: "abc"}, update: {$inc: {n: 1}}},
+ setup: function(db) {
+ db.x.drop();
+ db.x.save({_id: "abc", n: 0});
+ },
+ teardown: function(db) {
+ db.x.drop();
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: {readWrite: 1, readWriteAnyDatabase: 1, dbOwner: 1, root: 1, __system: 1},
+ privileges:
+ [{resource: {db: firstDbName, collection: "x"}, actions: ["find", "update"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: {readWriteAnyDatabase: 1, root: 1, __system: 1},
+ privileges: [{
+ resource: {db: secondDbName, collection: "x"},
+ actions: ["find", "update"]
+ }]
+ }
+ ]
+ },
+ {
+ testname: "flushRouterConfig",
+ command: {flushRouterConfig: 1},
+ skipStandalone: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: Object.extend({clusterManager: 1}, roles_hostManager),
+ privileges: [{resource: {cluster: true}, actions: ["flushRouterConfig"]}]
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "fsync",
+ command: {fsync: 1},
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_hostManager,
+ privileges: [{resource: {cluster: true}, actions: ["fsync"]}]
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "fsyncUnlock",
+ command: {fsyncUnlock: 1},
+ skipSharded: true, // TODO: remove when fsyncUnlock is implemented in mongos
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_hostManager,
+ privileges: [{resource: {cluster: true}, actions: ["unlock"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "geoNear",
+ command: {geoNear: "x", near: [50, 50], num: 1},
+ setup: function(db) {
+ db.x.drop();
+ db.x.save({loc: [50, 50]});
+ db.x.ensureIndex({loc: "2d"});
+ },
+ teardown: function(db) {
+ db.x.drop();
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_read,
+ privileges: [{resource: {db: firstDbName, collection: "x"}, actions: ["find"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_readAny,
+ privileges:
+ [{resource: {db: secondDbName, collection: "x"}, actions: ["find"]}]
+ }
+ ]
+ },
+ {
+ testname: "geoSearch",
+ command: {geoSearch: "x", near: [50, 50], maxDistance: 6, limit: 1, search: {}},
+ skipSharded: true,
+ setup: function(db) {
+ db.x.drop();
+ db.x.save({loc: {long: 50, lat: 50}});
+ db.x.ensureIndex({loc: "geoHaystack", type: 1}, {bucketSize: 1});
+ },
+ teardown: function(db) {
+ db.x.drop();
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_read,
+ privileges: [{resource: {db: firstDbName, collection: "x"}, actions: ["find"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_readAny,
+ privileges:
+ [{resource: {db: secondDbName, collection: "x"}, actions: ["find"]}]
+ }
+ ]
+ },
+ {
+ testname: "getCmdLineOpts",
+ command: {getCmdLineOpts: 1},
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_monitoring,
+ privileges: [{resource: {cluster: true}, actions: ["getCmdLineOpts"]}]
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "getLastError",
+ command: {getLastError: 1},
+ testcases: [
+ {runOnDb: firstDbName, roles: roles_all, privileges: []},
+ {runOnDb: secondDbName, roles: roles_all, privileges: []}
+ ]
+ },
+ {
+ testname: "getLog",
+ command: {getLog: "*"},
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_monitoring,
+ privileges: [{resource: {cluster: true}, actions: ["getLog"]}]
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "getMore",
+ command: {getMore: NumberLong("1"), collection: "foo"},
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_read,
+ privileges: [{resource: {db: firstDbName, collection: "foo"}, actions: ["find"]}],
+ expectFail: true
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_readAny,
+ privileges: [{resource: {db: secondDbName, collection: "foo"}, actions: ["find"]}],
+ expectFail: true
+ }
+ ]
+ },
+ {
+ testname: "getMoreWithTerm",
+ command: {getMore: NumberLong("1"), collection: "foo", term: NumberLong(1)},
+ testcases: [{
+ runOnDb: firstDbName,
+ roles: {__system: 1},
+ privileges: [
+ {resource: {db: firstDbName, collection: "foo"}, actions: ["find"]},
+ {resource: {cluster: true}, actions: ["internal"]}
+ ],
+ expectFail: true
+ }]
+ },
+ {
+ testname: "getnonce",
+ command: {getnonce: 1},
+ testcases: [
+ {runOnDb: firstDbName, roles: roles_all, privileges: []},
+ {runOnDb: secondDbName, roles: roles_all, privileges: []}
+ ]
+ },
+ {
+ testname: "getParameter",
+ command: {getParameter: 1, quiet: 1},
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: {
+ backup: 1,
+ restore: 1,
+ clusterMonitor: 1,
+ clusterAdmin: 1,
+ root: 1,
+ __system: 1
+ },
+ privileges: [{resource: {cluster: true}, actions: ["getParameter"]}]
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "getPrevError",
+ command: {getPrevError: 1},
+ skipSharded: true,
+ testcases: [
+ {runOnDb: firstDbName, roles: roles_all, privileges: []},
+ {runOnDb: secondDbName, roles: roles_all, privileges: []}
+ ]
+ },
+ {
+ testname: "getShardMap",
+ command: {getShardMap: "x"},
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_monitoring,
+ privileges: [{resource: {cluster: true}, actions: ["getShardMap"]}]
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "getShardVersion",
+ command: {getShardVersion: "test.foo"},
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_monitoring,
+ privileges:
+ [{resource: {db: "test", collection: 'foo'}, actions: ["getShardVersion"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "group",
+ command: {
+ group: {
+ ns: "x",
+ key: {groupby: 1},
+ initial: {total: 0},
+ $reduce: function(curr, result) {
+ result.total += curr.n;
+ }
+ }
+ },
+ setup: function(db) {
+ db.x.insert({groupby: 1, n: 5});
+ db.x.insert({groupby: 1, n: 6});
+ },
+ teardown: function(db) {
+ db.x.drop();
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_read,
+ privileges: [{resource: {db: firstDbName, collection: "x"}, actions: ["find"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_readAny,
+ privileges:
+ [{resource: {db: secondDbName, collection: "x"}, actions: ["find"]}]
+ }
+ ]
+ },
+ {
+ testname: "hostInfo",
+ command: {hostInfo: 1},
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_monitoring,
+ privileges: [{resource: {cluster: true}, actions: ["hostInfo"]}]
+ },
+ {
+ runOnDb: firstDbName,
+ roles: roles_monitoring,
+ privileges: [{resource: {cluster: true}, actions: ["hostInfo"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_monitoring,
+ privileges: [{resource: {cluster: true}, actions: ["hostInfo"]}]
+ }
+ ]
+ },
+ {
+ testname: "isMaster",
+ command: {isMaster: 1},
+ testcases: [
+ {runOnDb: adminDbName, roles: roles_all, privileges: []},
+ {runOnDb: firstDbName, roles: roles_all, privileges: []},
+ {runOnDb: secondDbName, roles: roles_all, privileges: []}
+ ]
+ },
+ {
+ testname: "killCursors",
+ command: {killCursors: "foo", cursors: [NumberLong("123")]},
+ skipSharded: true, // TODO enable when killCursors command is implemented on mongos
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: {
+ read: 1,
+ readAnyDatabase: 1,
+ readWrite: 1,
+ readWriteAnyDatabase: 1,
+ dbOwner: 1,
+ hostManager: 1,
+ clusterAdmin: 1,
+ backup: 1,
+ root: 1,
+ __system: 1
+ },
+ privileges:
+ [{resource: {db: firstDbName, collection: "foo"}, actions: ["killCursors"]}],
+ expectFail: true
+ },
+ {
+ runOnDb: secondDbName,
+ roles: {
+ readAnyDatabase: 1,
+ readWriteAnyDatabase: 1,
+ hostManager: 1,
+ clusterAdmin: 1,
+ backup: 1,
+ root: 1,
+ __system: 1
+ },
+ privileges:
+ [{resource: {db: secondDbName, collection: "foo"}, actions: ["killCursors"]}],
+ expectFail: true
+ }
+ ]
+ },
+ {
+ testname: "killOp", // standalone version
+ command: {killOp: 1, op: 123},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_hostManager,
+ privileges: [{resource: {cluster: true}, actions: ["killop"]}]
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "killOp", // sharded version
+ command: {killOp: 1, op: "shard1:123"},
+ skipStandalone: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_hostManager,
+ privileges: [{resource: {cluster: true}, actions: ["killop"]}],
+ expectFail: true // we won't be able to find the shardId
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "listCommands",
+ command: {listCommands: 1},
+ testcases: [
+ {runOnDb: adminDbName, roles: roles_all, privileges: []},
+ {runOnDb: firstDbName, roles: roles_all, privileges: []},
+ {runOnDb: secondDbName, roles: roles_all, privileges: []}
+ ]
+ },
+ {
+ testname: "listDatabases",
+ command: {listDatabases: 1},
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: {
+ readAnyDatabase: 1,
+ readWriteAnyDatabase: 1,
+ dbAdminAnyDatabase: 1,
+ userAdminAnyDatabase: 1,
+ clusterMonitor: 1,
+ clusterAdmin: 1,
+ backup: 1,
+ root: 1,
+ __system: 1
+ },
+ privileges: [{resource: {cluster: true}, actions: ["listDatabases"]}]
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "listCollections",
+ command: {listCollections: 1},
+ setup: function(db) {
+ db.x.insert({_id: 5});
+ db.y.insert({_id: 6});
+ },
+ teardown: function(db) {
+ db.x.drop();
+ db.y.drop();
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: {
+ read: 1,
+ readAnyDatabase: 1,
+ readWrite: 1,
+ readWriteAnyDatabase: 1,
+ clusterAdmin: 1,
+ clusterMonitor: 1,
+ clusterManager: 1,
+ dbAdmin: 1,
+ dbAdminAnyDatabase: 1,
+ dbOwner: 1,
+ backup: 1,
+ restore: 1,
+ root: 1,
+ __system: 1
+ },
+ privileges:
+ [{resource: {db: firstDbName, collection: ""}, actions: ["listCollections"]}]
+ },
+ // Test legacy (pre 3.0) way of authorizing listCollections.
+ {
+ runOnDb: firstDbName,
+ privileges: [{
+ resource: {db: firstDbName, collection: "system.namespaces"},
+ actions: ["find"]
+ }]
+ }
+ ]
+ },
+ {
+ testname: "listIndexes",
+ command: {listIndexes: "x"},
+ setup: function(db) {
+ db.x.insert({_id: 5});
+ db.x.insert({_id: 6});
+ },
+ teardown: function(db) {
+ db.x.drop();
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: {
+ read: 1,
+ readAnyDatabase: 1,
+ readWrite: 1,
+ readWriteAnyDatabase: 1,
+ dbAdmin: 1,
+ dbAdminAnyDatabase: 1,
+ dbOwner: 1,
+ backup: 1,
+ root: 1,
+ __system: 1
+ },
+ privileges:
+ [{resource: {db: firstDbName, collection: ""}, actions: ["listIndexes"]}]
+ },
+ // Test legacy (pre 3.0) way of authorizing listIndexes.
+ {
+ runOnDb: firstDbName,
+ privileges: [{
+ resource: {db: firstDbName, collection: "system.indexes"},
+ actions: ["find"]
+ }]
+ }
+ ]
+ },
+ {
+ testname: "listShards",
+ command: {listShards: 1},
+ skipStandalone: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: Object.extend({clusterManager: 1}, roles_monitoring),
+ privileges: [{resource: {cluster: true}, actions: ["listShards"]}]
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "logRotate",
+ command: {logRotate: 1},
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_hostManager,
+ privileges: [{resource: {cluster: true}, actions: ["logRotate"]}]
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "mapReduce_readonly",
+ command: {
+ mapreduce: "x",
+ map: function() {
+ emit(this.groupby, this.n);
+ },
+ reduce: function(id, emits) {
+ return Array.sum(emits);
+ },
+ out: {inline: 1}
+ },
+ setup: function(db) {
+ db.x.insert({groupby: 1, n: 5});
+ db.x.insert({groupby: 1, n: 6});
+ },
+ teardown: function(db) {
+ db.x.drop();
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_read,
+ privileges: [{resource: {db: firstDbName, collection: "x"}, actions: ["find"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_readAny,
+ privileges:
+ [{resource: {db: secondDbName, collection: "x"}, actions: ["find"]}]
+ }
+ ]
+ },
+ {
+ testname: "mapReduce_write",
+ command: {
+ mapreduce: "x",
+ map: function() {
+ emit(this.groupby, this.n);
+ },
+ reduce: function(id, emits) {
+ return Array.sum(emits);
+ },
+ out: "mr_out"
+ },
+ setup: function(db) {
+ db.x.insert({groupby: 1, n: 5});
+ db.x.insert({groupby: 1, n: 6});
+ },
+ teardown: function(db) {
+ db.x.drop();
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: {readWrite: 1, readWriteAnyDatabase: 1, dbOwner: 1, root: 1, __system: 1},
+ privileges: [
+ {resource: {db: firstDbName, collection: "x"}, actions: ["find"]},
+ {
+ resource: {db: firstDbName, collection: "mr_out"},
+ actions: ["insert", "remove"]
}
- }
- },
- setup: function (db) {
- db.x.insert({groupby: 1, n: 5});
- db.x.insert({groupby: 1, n: 6});
- },
- teardown: function (db) { db.x.drop(); },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_read,
- privileges: [
- { resource: {db: firstDbName, collection: "x"}, actions: ["find"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_readAny,
- privileges: [
- { resource: {db: secondDbName, collection: "x"}, actions: ["find"] }
- ]
- }
- ]
- },
- {
- testname: "hostInfo",
- command: {hostInfo: 1},
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_monitoring,
- privileges: [
- { resource: {cluster: true}, actions: ["hostInfo"] }
- ]
- },
- {
- runOnDb: firstDbName,
- roles: roles_monitoring,
- privileges: [
- { resource: {cluster: true}, actions: ["hostInfo"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_monitoring,
- privileges: [
- { resource: {cluster: true}, actions: ["hostInfo"] }
- ]
- }
- ]
- },
- {
- testname: "isMaster",
- command: {isMaster: 1},
- testcases: [
- { runOnDb: adminDbName, roles: roles_all, privileges: [ ] },
- { runOnDb: firstDbName, roles: roles_all, privileges: [ ] },
- { runOnDb: secondDbName, roles: roles_all, privileges: [ ] }
- ]
- },
- {
- testname: "killCursors",
- command: {killCursors: "foo", cursors: [NumberLong("123")]},
- skipSharded: true, // TODO enable when killCursors command is implemented on mongos
- testcases: [
- {
- runOnDb: firstDbName,
- roles: {
- read: 1,
- readAnyDatabase: 1,
- readWrite: 1,
- readWriteAnyDatabase: 1,
- dbOwner: 1,
- hostManager: 1,
- clusterAdmin: 1,
- backup: 1,
- root: 1,
- __system: 1
- },
- privileges: [
- { resource: {db: firstDbName, collection: "foo"}, actions: ["killCursors"] }
- ],
- expectFail: true
- },
- {
- runOnDb: secondDbName,
- roles: {
- readAnyDatabase: 1,
- readWriteAnyDatabase: 1,
- hostManager: 1,
- clusterAdmin: 1,
- backup: 1,
- root: 1,
- __system: 1
- },
- privileges: [
- { resource: {db: secondDbName, collection: "foo"}, actions: ["killCursors"] }
- ],
- expectFail: true
- }
- ]
- },
- {
- testname: "killOp", // standalone version
- command: {killOp: 1, op: 123},
- skipSharded: true,
- testcases : [
- {
- runOnDb: adminDbName,
- roles: roles_hostManager,
- privileges: [
- { resource: {cluster: true}, actions: ["killop"] }
- ]
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "killOp", // sharded version
- command: {killOp: 1, op: "shard1:123"},
- skipStandalone: true,
- testcases : [
- {
- runOnDb: adminDbName,
- roles: roles_hostManager,
- privileges: [
- { resource: {cluster: true}, actions: ["killop"] }
- ],
- expectFail: true // we won't be able to find the shardId
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "listCommands",
- command: {listCommands: 1},
- testcases: [
- { runOnDb: adminDbName, roles: roles_all, privileges: [ ] },
- { runOnDb: firstDbName, roles: roles_all, privileges: [ ] },
- { runOnDb: secondDbName, roles: roles_all, privileges: [ ] }
- ]
- },
- {
- testname: "listDatabases",
- command: {listDatabases: 1},
- testcases: [
- {
- runOnDb: adminDbName,
- roles: {
- readAnyDatabase: 1,
- readWriteAnyDatabase: 1,
- dbAdminAnyDatabase: 1,
- userAdminAnyDatabase: 1,
- clusterMonitor: 1,
- clusterAdmin: 1,
- backup: 1,
- root: 1,
- __system: 1
+ ]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: {readWriteAnyDatabase: 1, root: 1, __system: 1},
+ privileges: [
+ {resource: {db: secondDbName, collection: "x"}, actions: ["find"]},
+ {
+ resource: {db: secondDbName, collection: "mr_out"},
+ actions: ["insert", "remove"]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ testname: "s_mergeChunks",
+ command: {mergeChunks: "test.x", bounds: [{i: 0}, {i: 5}]},
+ skipStandalone: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_clusterManager,
+ privileges: [{resource: {db: "test", collection: "x"}, actions: ["splitChunk"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "d_mergeChunks",
+ command: {mergeChunks: "test.x", bounds: [{i: 0}, {i: 5}]},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: {__system: 1},
+ privileges: [{resource: {cluster: true}, actions: ["internal"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "s_moveChunk",
+ command: {moveChunk: "test.x"},
+ skipStandalone: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_clusterManager,
+ privileges: [{resource: {db: "test", collection: "x"}, actions: ["moveChunk"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "d_moveChunk",
+ command: {moveChunk: "test.x"},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: {__system: 1},
+ privileges: [{resource: {cluster: true}, actions: ["internal"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "movePrimary",
+ command: {movePrimary: "x"},
+ skipStandalone: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_clusterManager,
+ privileges: [{resource: {db: "x", collection: ""}, actions: ["moveChunk"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "netstat",
+ command: {netstat: "x"},
+ skipStandalone: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_monitoring,
+ privileges: [{resource: {cluster: true}, actions: ["netstat"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "planCacheIndexFilter",
+ command: {planCacheClearFilters: "x"},
+ skipSharded: true,
+ setup: function(db) {
+ db.x.save({});
+ },
+ teardown: function(db) {
+ db.x.drop();
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_dbAdmin,
+ privileges: [{
+ resource: {db: firstDbName, collection: "x"},
+ actions: ["planCacheIndexFilter"]
+ }],
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_dbAdminAny,
+ privileges: [{
+ resource: {db: secondDbName, collection: "x"},
+ actions: ["planCacheIndexFilter"]
+ }],
+ },
+ ]
+ },
+ {
+ testname: "planCacheRead",
+ command: {planCacheListQueryShapes: "x"},
+ skipSharded: true,
+ setup: function(db) {
+ db.x.save({});
+ },
+ teardown: function(db) {
+ db.x.drop();
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_readDbAdmin,
+ privileges:
+ [{resource: {db: firstDbName, collection: "x"}, actions: ["planCacheRead"]}],
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_readDbAdminAny,
+ privileges:
+ [{resource: {db: secondDbName, collection: "x"}, actions: ["planCacheRead"]}],
+ },
+ ]
+ },
+ {
+ testname: "planCacheWrite",
+ command: {planCacheClear: "x"},
+ skipSharded: true,
+ setup: function(db) {
+ db.x.save({});
+ },
+ teardown: function(db) {
+ db.x.drop();
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_dbAdmin,
+ privileges:
+ [{resource: {db: firstDbName, collection: "x"}, actions: ["planCacheWrite"]}],
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_dbAdminAny,
+ privileges:
+ [{resource: {db: secondDbName, collection: "x"}, actions: ["planCacheWrite"]}],
+ },
+ ]
+ },
+ {
+ testname: "ping",
+ command: {ping: 1},
+ testcases: [
+ {runOnDb: adminDbName, roles: roles_all, privileges: []},
+ {runOnDb: firstDbName, roles: roles_all, privileges: []},
+ {runOnDb: secondDbName, roles: roles_all, privileges: []}
+ ]
+ },
+ {
+ testname: "profile",
+ command: {profile: 0},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_dbAdmin,
+ privileges:
+ [{resource: {db: firstDbName, collection: ""}, actions: ["enableProfiler"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_dbAdminAny,
+ privileges: [{
+ resource: {db: secondDbName, collection: ""},
+ actions: ["enableProfiler"]
+ }]
+ }
+ ]
+ },
+ {
+ testname: "profileGetLevel",
+ command: {profile: -1},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: {
+ backup: 1,
+ dbAdmin: 1,
+ dbAdminAnyDatabase: 1,
+ dbOwner: 1,
+ clusterMonitor: 1,
+ clusterAdmin: 1,
+ root: 1,
+ __system: 1
+ },
+ privileges: [{
+ resource: {db: firstDbName, collection: "system.profile"},
+ actions: ["find"]
+ }]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: {
+ backup: 1,
+ dbAdminAnyDatabase: 1,
+ clusterMonitor: 1,
+ clusterAdmin: 1,
+ root: 1,
+ __system: 1
+ },
+ privileges: [{
+ resource: {db: secondDbName, collection: "system.profile"},
+ actions: ["find"]
+ }]
+ }
+ ]
+ },
+ {
+ testname: "renameCollection_sameDb",
+ command:
+ {renameCollection: firstDbName + ".x", to: firstDbName + ".y", dropTarget: true},
+ setup: function(db) {
+ db.getSisterDB(firstDbName).x.save({});
+ },
+ teardown: function(db) {
+ db.getSisterDB(firstDbName).x.drop();
+ db.getSisterDB(firstDbName).y.drop();
+ },
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_writeDbAdmin,
+ privileges: [
+ {
+ resource: {db: firstDbName, collection: ""},
+ actions: ["renameCollectionSameDB"]
},
- privileges: [
- { resource: {cluster: true}, actions: ["listDatabases"] }
- ]
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "listCollections",
- command: {listCollections: 1},
- setup: function (db) {
- db.x.insert({_id: 5});
- db.y.insert({_id: 6});
- },
- teardown: function (db) {
- db.x.drop();
- db.y.drop();
- },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: {
- read: 1,
- readAnyDatabase: 1,
- readWrite: 1,
- readWriteAnyDatabase: 1,
- clusterAdmin: 1,
- clusterMonitor: 1,
- clusterManager: 1,
- dbAdmin: 1,
- dbAdminAnyDatabase: 1,
- dbOwner: 1,
- backup: 1,
- restore: 1,
- root: 1,
- __system: 1
+ {resource: {db: firstDbName, collection: "y"}, actions: ["dropCollection"]}
+ ]
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ // Make sure that you cannot use renameCollectionSameDB to rename from a collection you
+ // don't have read access on to one that you do.
+ testname: "renameCollection_sameDb_failure",
+ command: {renameCollection: firstDbName + ".x", to: firstDbName + ".y"},
+ setup: function(db) {
+ db.getSisterDB(firstDbName).x.save({});
+ },
+ teardown: function(db) {
+ db.getSisterDB(firstDbName).x.drop();
+ db.getSisterDB(firstDbName).y.drop();
+ },
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ privileges: [
+ {
+ resource: {db: firstDbName, collection: ""},
+ actions: ["renameCollectionSameDB"]
},
- privileges: [
- {
- resource: {db: firstDbName, collection: ""},
- actions: ["listCollections"]
- }
- ]
- },
- // Test legacy (pre 3.0) way of authorizing listCollections.
- {
- runOnDb: firstDbName,
- privileges: [
- {
- resource: {db: firstDbName, collection: "system.namespaces"},
- actions: ["find"]
- }
- ]
- }
- ]
- },
- {
- testname: "listIndexes",
- command: {listIndexes: "x"},
- setup: function (db) {
- db.x.insert({_id: 5});
- db.x.insert({_id: 6});
- },
- teardown: function (db) { db.x.drop(); },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: {
- read: 1,
- readAnyDatabase: 1,
- readWrite: 1,
- readWriteAnyDatabase: 1,
- dbAdmin: 1,
- dbAdminAnyDatabase: 1,
- dbOwner: 1,
- backup: 1,
- root: 1,
- __system: 1
+ {resource: {db: firstDbName, collection: "y"}, actions: ["find"]}
+ ],
+ expectAuthzFailure: true
+ },
+ ]
+ },
+ {
+ testname: "renameCollection_twoDbs",
+ command: {renameCollection: firstDbName + ".x", to: secondDbName + ".y"},
+ setup: function(db) {
+ db.getSisterDB(firstDbName).x.save({});
+ db.getSisterDB(adminDbName).runCommand({movePrimary: firstDbName, to: shard0name});
+ db.getSisterDB(adminDbName).runCommand({movePrimary: secondDbName, to: shard0name});
+ },
+ teardown: function(db) {
+ db.getSisterDB(firstDbName).x.drop();
+ db.getSisterDB(secondDbName).y.drop();
+ },
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: {readWriteAnyDatabase: 1, root: 1, __system: 1},
+ privileges: [
+ {
+ resource: {db: firstDbName, collection: "x"},
+ actions: ["find", "dropCollection"]
},
- privileges: [
- {
- resource: {db: firstDbName, collection: ""},
- actions: ["listIndexes"]
- }
- ]
- },
- // Test legacy (pre 3.0) way of authorizing listIndexes.
- {
- runOnDb: firstDbName,
- privileges: [
- {
- resource: {db: firstDbName, collection: "system.indexes"},
- actions: ["find"]
- }
- ]
- }
- ]
- },
- {
- testname: "listShards",
- command: {listShards: 1},
- skipStandalone: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: Object.extend({clusterManager: 1}, roles_monitoring),
- privileges: [
- { resource: {cluster: true}, actions: ["listShards"] }
- ]
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "logRotate",
- command: {logRotate: 1},
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_hostManager,
- privileges: [
- { resource: {cluster: true}, actions: ["logRotate"] }
- ]
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "mapReduce_readonly",
- command: {
- mapreduce: "x",
- map: function () { emit(this.groupby, this.n); },
- reduce: function (id,emits) { return Array.sum(emits); },
- out: {inline: 1}
- },
- setup: function (db) {
- db.x.insert({groupby: 1, n: 5});
- db.x.insert({groupby: 1, n: 6});
- },
- teardown: function (db) { db.x.drop(); },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_read,
- privileges: [
- { resource: {db: firstDbName, collection: "x"}, actions: ["find"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_readAny,
- privileges: [
- { resource: {db: secondDbName, collection: "x"}, actions: ["find"] }
- ]
- }
- ]
- },
- {
- testname: "mapReduce_write",
- command: {
- mapreduce: "x",
- map: function () { emit(this.groupby, this.n); },
- reduce: function (id,emits) { return Array.sum(emits); },
- out: "mr_out"
- },
- setup: function (db) {
- db.x.insert({groupby: 1, n: 5});
- db.x.insert({groupby: 1, n: 6});
- },
- teardown: function (db) { db.x.drop(); },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: { readWrite: 1,
- readWriteAnyDatabase: 1,
- dbOwner: 1,
- root: 1,
- __system: 1
- },
- privileges: [
- { resource: {db: firstDbName, collection: "x"}, actions: ["find"] },
- { resource: {db: firstDbName, collection: "mr_out"}, actions: ["insert", "remove"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: {readWriteAnyDatabase: 1, root: 1, __system: 1},
- privileges: [
- { resource: {db: secondDbName, collection: "x"}, actions: ["find"] },
- { resource: {db: secondDbName, collection: "mr_out"}, actions: ["insert", "remove"] }
- ]
- }
- ]
- },
- {
- testname: "s_mergeChunks",
- command: {mergeChunks: "test.x", bounds: [{i : 0}, {i : 5}]},
- skipStandalone: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_clusterManager,
- privileges: [
- { resource: {db: "test", collection: "x"}, actions: ["splitChunk"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "d_mergeChunks",
- command: {mergeChunks: "test.x", bounds: [{i : 0}, {i : 5}]},
- skipSharded: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: { __system: 1 },
- privileges: [
- { resource: {cluster: true}, actions: ["internal"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "s_moveChunk",
- command: {moveChunk: "test.x"},
- skipStandalone: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_clusterManager,
- privileges: [
- { resource: {db: "test", collection: "x"}, actions: ["moveChunk"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "d_moveChunk",
- command: {moveChunk: "test.x"},
- skipSharded: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: { __system: 1 },
- privileges: [
- { resource: {cluster: true}, actions: ["internal"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "movePrimary",
- command: {movePrimary: "x"},
- skipStandalone: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_clusterManager,
- privileges: [
- { resource: {db: "x", collection: ""}, actions: ["moveChunk"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "netstat",
- command: {netstat: "x"},
- skipStandalone: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_monitoring,
- privileges: [
- { resource: {cluster: true}, actions: ["netstat"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "planCacheIndexFilter",
- command: {planCacheClearFilters: "x"},
- skipSharded: true,
- setup: function (db) { db.x.save( {} ); },
- teardown: function (db) { db.x.drop(); },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_dbAdmin,
- privileges: [
+ {
+ resource: {db: secondDbName, collection: "y"},
+ actions: ["insert", "createIndex"]
+ }
+ ]
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "reIndex",
+ command: {reIndex: "x"},
+ setup: function(db) {
+ db.x.save({});
+ },
+ teardown: function(db) {
+ db.x.drop();
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_dbAdmin,
+ privileges:
+ [{resource: {db: firstDbName, collection: "x"}, actions: ["reIndex"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_dbAdminAny,
+ privileges:
+ [{resource: {db: secondDbName, collection: "x"}, actions: ["reIndex"]}]
+ }
+ ]
+ },
+ {
+ testname: "removeShard",
+ command: {removeShard: "x"},
+ skipStandalone: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_clusterManager,
+ privileges: [{resource: {cluster: true}, actions: ["removeShard"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "repairDatabase",
+ command: {repairDatabase: 1},
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles:
+ {dbAdminAnyDatabase: 1, hostManager: 1, clusterAdmin: 1, root: 1, __system: 1},
+ privileges:
+ [{resource: {db: adminDbName, collection: ""}, actions: ["repairDatabase"]}]
+ },
+ {
+ runOnDb: firstDbName,
+ roles: {
+ dbAdmin: 1,
+ dbAdminAnyDatabase: 1,
+ hostManager: 1,
+ clusterAdmin: 1,
+ dbOwner: 1,
+ root: 1,
+ __system: 1
+ },
+ privileges:
+ [{resource: {db: firstDbName, collection: ""}, actions: ["repairDatabase"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles:
+ {dbAdminAnyDatabase: 1, hostManager: 1, clusterAdmin: 1, root: 1, __system: 1},
+ privileges: [{
+ resource: {db: secondDbName, collection: ""},
+ actions: ["repairDatabase"]
+ }]
+ }
+ ]
+ },
+ {
+ testname: "replSetElect",
+ command: {replSetElect: 1},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: {__system: 1},
+ privileges: [{resource: {cluster: true}, actions: ["internal"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "replSetFreeze",
+ command: {replSetFreeze: "x"},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_clusterManager,
+ privileges: [{resource: {cluster: true}, actions: ["replSetStateChange"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "replSetFresh",
+ command: {replSetFresh: "x"},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: {__system: 1},
+ privileges: [{resource: {cluster: true}, actions: ["internal"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "replSetGetRBID",
+ command: {replSetGetRBID: 1},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: {__system: 1},
+ privileges: [{resource: {cluster: true}, actions: ["internal"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "replSetGetStatus",
+ command: {replSetGetStatus: 1},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles:
+ {clusterMonitor: 1, clusterManager: 1, clusterAdmin: 1, root: 1, __system: 1},
+ privileges: [{resource: {cluster: true}, actions: ["replSetGetStatus"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "replSetGetConfig",
+ command: {replSetGetConfig: 1},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles:
+ {clusterMonitor: 1, clusterManager: 1, clusterAdmin: 1, root: 1, __system: 1},
+ privileges: [{resource: {cluster: true}, actions: ["replSetGetConfig"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "replSetHeartbeat",
+ command: {replSetHeartbeat: 1},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: {__system: 1},
+ privileges: [{resource: {cluster: true}, actions: ["internal"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "replSetInitiate",
+ command: {replSetInitiate: "x"},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_clusterManager,
+ privileges: [{resource: {cluster: true}, actions: ["replSetConfigure"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "replSetMaintenance",
+ command: {replSetMaintenance: "x"},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_clusterManager,
+ privileges: [{resource: {cluster: true}, actions: ["replSetStateChange"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "replSetReconfig",
+ command: {replSetReconfig: "x"},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_clusterManager,
+ privileges: [{resource: {cluster: true}, actions: ["replSetConfigure"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "replSetStepDown",
+ command: {replSetStepDown: "x"},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_clusterManager,
+ privileges: [{resource: {cluster: true}, actions: ["replSetStateChange"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "replSetSyncFrom",
+ command: {replSetSyncFrom: "x"},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_clusterManager,
+ privileges: [{resource: {cluster: true}, actions: ["replSetStateChange"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "resetError",
+ command: {resetError: 1},
+ testcases: [
+ {runOnDb: adminDbName, roles: roles_all, privileges: []},
+ {runOnDb: firstDbName, roles: roles_all, privileges: []},
+ {runOnDb: secondDbName, roles: roles_all, privileges: []}
+ ]
+ },
+ {
+ testname: "resync",
+ command: {resync: 1},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: {hostManager: 1, clusterManager: 1, clusterAdmin: 1, root: 1, __system: 1},
+ privileges: [{resource: {cluster: true}, actions: ["resync"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "serverStatus",
+ command: {serverStatus: 1},
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_monitoring,
+ privileges: [{resource: {cluster: true}, actions: ["serverStatus"]}]
+ },
+ {
+ runOnDb: firstDbName,
+ roles: roles_monitoring,
+ privileges: [{resource: {cluster: true}, actions: ["serverStatus"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_monitoring,
+ privileges: [{resource: {cluster: true}, actions: ["serverStatus"]}]
+ }
+ ]
+ },
+ {
+ testname: "setParameter",
+ command: {setParameter: 1, quiet: 1},
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_hostManager,
+ privileges: [{resource: {cluster: true}, actions: ["setParameter"]}]
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "setShardVersion",
+ command: {setShardVersion: 1},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: {__system: 1},
+ privileges: [{resource: {cluster: true}, actions: ["internal"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "shardCollection",
+ command: {shardCollection: "test.x"},
+ skipStandalone: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: Object.extend({enableSharding: 1}, roles_clusterManager),
+ privileges:
+ [{resource: {db: "test", collection: "x"}, actions: ["enableSharding"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "shardingState",
+ command: {shardingState: 1},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_monitoring,
+ privileges: [{resource: {cluster: true}, actions: ["shardingState"]}]
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "shutdown",
+ command: {shutdown: 1},
+ testcases: [{runOnDb: firstDbName, roles: {}}, {runOnDb: secondDbName, roles: {}}]
+ },
+ {
+ testname: "split",
+ command: {split: "test.x"},
+ skipStandalone: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_clusterManager,
+ privileges: [{resource: {db: "test", collection: "x"}, actions: ["splitChunk"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "splitChunk",
+ command: {splitChunk: "test.x"},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: {__system: 1},
+ privileges: [{resource: {cluster: true}, actions: ["internal"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "splitVector",
+ command: {splitVector: "test.x"},
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_clusterManager,
+ privileges: [{resource: {db: "test", collection: "x"}, actions: ["splitVector"]}],
+ expectFail: true
+ },
+ {
+ runOnDb: firstDbName,
+ roles: roles_clusterManager,
+ privileges: [{resource: {db: "test", collection: "x"}, actions: ["splitVector"]}],
+ expectFail: true
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_clusterManager,
+ privileges: [{resource: {db: "test", collection: "x"}, actions: ["splitVector"]}],
+ expectFail: true
+ }
+ ]
+ },
+ /* temporarily removed see SERVER-13555
+ {
+ testname: "storageDetails",
+ command: {storageDetails: "x", analyze: "diskStorage"},
+ skipSharded: true,
+ setup: function (db) { db.x.save( {} ); },
+ teardown: function (db) { db.x.drop(); },
+ testcases: [
{
- resource: {db: firstDbName, collection: "x"},
- actions: ["planCacheIndexFilter"]
- }
- ],
- },
- {
- runOnDb: secondDbName,
- roles: roles_dbAdminAny,
- privileges: [
+ runOnDb: firstDbName,
+ roles: roles_dbAdmin,
+ privileges: [
+ { resource: {db: firstDbName, collection: "x"}, actions:
+ ["storageDetails"] }
+ ]
+ },
{
- resource: {db: secondDbName, collection: "x"},
- actions: ["planCacheIndexFilter"]
+ runOnDb: secondDbName,
+ roles: roles_dbAdminAny,
+ privileges: [
+ { resource: {db: secondDbName, collection: "x"}, actions:
+ ["storageDetails"] }
+ ]
}
- ],
- },
- ]
- },
- {
- testname: "planCacheRead",
- command: {planCacheListQueryShapes: "x"},
- skipSharded: true,
- setup: function (db) { db.x.save( {} ); },
- teardown: function (db) { db.x.drop(); },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_readDbAdmin,
- privileges: [
- { resource: {db: firstDbName, collection: "x"}, actions: ["planCacheRead"] }
- ],
- },
- {
- runOnDb: secondDbName,
- roles: roles_readDbAdminAny,
- privileges: [
- { resource: {db: secondDbName, collection: "x"}, actions: ["planCacheRead"] }
- ],
- },
- ]
- },
- {
- testname: "planCacheWrite",
- command: {planCacheClear: "x"},
- skipSharded: true,
- setup: function (db) { db.x.save( {} ); },
- teardown: function (db) { db.x.drop(); },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_dbAdmin,
- privileges: [
- { resource: {db: firstDbName, collection: "x"}, actions: ["planCacheWrite"] }
- ],
- },
- {
- runOnDb: secondDbName,
- roles: roles_dbAdminAny,
- privileges: [
- { resource: {db: secondDbName, collection: "x"}, actions: ["planCacheWrite"] }
- ],
- },
- ]
- },
- {
- testname: "ping",
- command: {ping: 1},
- testcases: [
- { runOnDb: adminDbName, roles: roles_all, privileges: [ ] },
- { runOnDb: firstDbName, roles: roles_all, privileges: [ ] },
- { runOnDb: secondDbName, roles: roles_all, privileges: [ ] }
- ]
- },
- {
- testname: "profile",
- command: {profile: 0},
- skipSharded: true,
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_dbAdmin,
- privileges: [
- { resource: {db: firstDbName, collection: ""}, actions: ["enableProfiler"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_dbAdminAny,
- privileges: [
- { resource: {db: secondDbName, collection: ""}, actions: ["enableProfiler"] }
- ]
- }
- ]
- },
- {
- testname: "profileGetLevel",
- command: {profile: -1},
- skipSharded: true,
- testcases: [
- {
- runOnDb: firstDbName,
- roles: {
- backup: 1,
- dbAdmin: 1,
- dbAdminAnyDatabase: 1,
- dbOwner: 1,
- clusterMonitor: 1,
- clusterAdmin: 1,
- root: 1,
- __system: 1
- },
- privileges: [
- { resource: {db: firstDbName, collection: "system.profile"},
- actions: ["find"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: {
- backup: 1,
- dbAdminAnyDatabase: 1,
- clusterMonitor: 1,
- clusterAdmin: 1,
- root: 1,
- __system: 1
- },
- privileges: [
- { resource: {db: secondDbName, collection: "system.profile"},
- actions: ["find"] }
]
- }
- ]
- },
- {
- testname: "renameCollection_sameDb",
- command: {renameCollection: firstDbName + ".x",
- to: firstDbName + ".y",
- dropTarget: true},
- setup: function (db) { db.getSisterDB(firstDbName).x.save( {} ); },
- teardown: function (db) {
- db.getSisterDB(firstDbName).x.drop();
- db.getSisterDB(firstDbName).y.drop();
- },
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_writeDbAdmin,
- privileges: [
- { resource: {db: firstDbName, collection: ""},
- actions: ["renameCollectionSameDB"] },
- { resource: {db: firstDbName, collection: "y"},
- actions: ["dropCollection"] }
- ]
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- // Make sure that you cannot use renameCollectionSameDB to rename from a collection you
- // don't have read access on to one that you do.
- testname: "renameCollection_sameDb_failure",
- command: {renameCollection: firstDbName + ".x", to: firstDbName + ".y"},
- setup: function (db) { db.getSisterDB(firstDbName).x.save( {} ); },
- teardown: function (db) {
- db.getSisterDB(firstDbName).x.drop();
- db.getSisterDB(firstDbName).y.drop();
- },
- testcases: [
- {
- runOnDb: adminDbName,
- privileges: [
- { resource: {db: firstDbName, collection: ""},
- actions: ["renameCollectionSameDB"] },
- { resource: {db: firstDbName, collection: "y"}, actions: ["find"] }
- ],
- expectAuthzFailure: true
- },
- ]
- },
- {
- testname: "renameCollection_twoDbs",
- command: {renameCollection: firstDbName + ".x", to: secondDbName + ".y"},
- setup: function (db) {
- db.getSisterDB(firstDbName).x.save( {} );
- db.getSisterDB(adminDbName).runCommand({movePrimary: firstDbName, to: shard0name});
- db.getSisterDB(adminDbName).runCommand({movePrimary: secondDbName, to: shard0name});
- },
- teardown: function (db) {
- db.getSisterDB(firstDbName).x.drop();
- db.getSisterDB(secondDbName).y.drop();
- },
- testcases: [
- {
- runOnDb: adminDbName,
- roles: {readWriteAnyDatabase: 1, root: 1, __system: 1},
- privileges: [
- { resource: {db: firstDbName, collection: "x"}, actions: ["find", "dropCollection"] },
- { resource: {db: secondDbName, collection: "y"}, actions: ["insert", "createIndex"] }
- ]
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "reIndex",
- command: {reIndex: "x"},
- setup: function (db) { db.x.save( {} ); },
- teardown: function (db) { db.x.drop(); },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_dbAdmin,
- privileges: [
- { resource: {db: firstDbName, collection: "x"}, actions: ["reIndex"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_dbAdminAny,
- privileges: [
- { resource: {db: secondDbName, collection: "x"}, actions: ["reIndex"] }
- ]
- }
- ]
- },
- {
- testname: "removeShard",
- command: {removeShard: "x"},
- skipStandalone: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_clusterManager,
- privileges: [
- { resource: {cluster: true}, actions: ["removeShard"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "repairDatabase",
- command: {repairDatabase: 1},
- testcases: [
- {
- runOnDb: adminDbName,
- roles: {
- dbAdminAnyDatabase: 1,
- hostManager: 1,
- clusterAdmin: 1,
- root: 1,
- __system: 1
- },
- privileges: [
- { resource: {db: adminDbName, collection: ""}, actions: ["repairDatabase"] }
- ]
- },
- {
- runOnDb: firstDbName,
- roles: {
- dbAdmin: 1,
- dbAdminAnyDatabase: 1,
- hostManager: 1,
- clusterAdmin: 1,
- dbOwner: 1,
- root: 1,
- __system: 1
- },
- privileges: [
- { resource: {db: firstDbName, collection: ""}, actions: ["repairDatabase"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: {
- dbAdminAnyDatabase: 1,
- hostManager: 1,
- clusterAdmin: 1,
- root: 1,
- __system: 1
- },
- privileges: [
- { resource: {db: secondDbName, collection: ""}, actions: ["repairDatabase"] }
- ]
- }
- ]
- },
- {
- testname: "replSetElect",
- command: {replSetElect: 1},
- skipSharded: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: {__system: 1},
- privileges: [
- { resource: {cluster: true}, actions: ["internal"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "replSetFreeze",
- command: {replSetFreeze: "x"},
- skipSharded: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_clusterManager,
- privileges: [
- { resource: {cluster: true}, actions: ["replSetStateChange"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "replSetFresh",
- command: {replSetFresh: "x"},
- skipSharded: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: {__system: 1},
- privileges: [
- { resource: {cluster: true}, actions: ["internal"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "replSetGetRBID",
- command: {replSetGetRBID: 1},
- skipSharded: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: {__system: 1},
- privileges: [
- { resource: {cluster: true}, actions: ["internal"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "replSetGetStatus",
- command: {replSetGetStatus: 1},
- skipSharded: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: {
- clusterMonitor: 1,
- clusterManager: 1,
- clusterAdmin: 1,
- root: 1,
- __system: 1
- },
- privileges: [
- { resource: {cluster: true}, actions: ["replSetGetStatus"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "replSetGetConfig",
- command: {replSetGetConfig: 1},
- skipSharded: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: {
- clusterMonitor: 1,
- clusterManager: 1,
- clusterAdmin: 1,
- root: 1,
- __system: 1
- },
- privileges: [
- { resource: {cluster: true}, actions: ["replSetGetConfig"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "replSetHeartbeat",
- command: {replSetHeartbeat: 1},
- skipSharded: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: {__system: 1},
- privileges: [
- { resource: {cluster: true}, actions: ["internal"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "replSetInitiate",
- command: {replSetInitiate: "x"},
- skipSharded: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_clusterManager,
- privileges: [
- { resource: {cluster: true}, actions: ["replSetConfigure"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "replSetMaintenance",
- command: {replSetMaintenance: "x"},
- skipSharded: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_clusterManager,
- privileges: [
- { resource: {cluster: true}, actions: ["replSetStateChange"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "replSetReconfig",
- command: {replSetReconfig: "x"},
- skipSharded: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_clusterManager,
- privileges: [
- { resource: {cluster: true}, actions: ["replSetConfigure"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "replSetStepDown",
- command: {replSetStepDown: "x"},
- skipSharded: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_clusterManager,
- privileges: [
- { resource: {cluster: true}, actions: ["replSetStateChange"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "replSetSyncFrom",
- command: {replSetSyncFrom: "x"},
- skipSharded: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_clusterManager,
- privileges: [
- { resource: {cluster: true}, actions: ["replSetStateChange"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "resetError",
- command: {resetError: 1},
- testcases: [
- { runOnDb: adminDbName, roles: roles_all, privileges: [ ] },
- { runOnDb: firstDbName, roles: roles_all, privileges: [ ] },
- { runOnDb: secondDbName, roles: roles_all, privileges: [ ] }
- ]
- },
- {
- testname: "resync",
- command: {resync: 1},
- skipSharded: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: {
- hostManager: 1,
- clusterManager: 1,
- clusterAdmin: 1,
- root: 1,
- __system: 1
- },
- privileges: [
- { resource: {cluster: true}, actions: ["resync"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "serverStatus",
- command: {serverStatus: 1},
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_monitoring,
- privileges: [
- { resource: {cluster: true}, actions: ["serverStatus"] }
- ]
- },
- {
- runOnDb: firstDbName,
- roles: roles_monitoring,
- privileges: [
- { resource: {cluster: true}, actions: ["serverStatus"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_monitoring,
- privileges: [
- { resource: {cluster: true}, actions: ["serverStatus"] }
- ]
- }
- ]
- },
- {
- testname: "setParameter",
- command: {setParameter: 1, quiet: 1},
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_hostManager,
- privileges: [
- { resource: {cluster: true}, actions: ["setParameter"] }
- ]
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "setShardVersion",
- command: {setShardVersion: 1},
- skipSharded: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: {__system: 1},
- privileges: [
- { resource: {cluster: true}, actions: ["internal"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "shardCollection",
- command: {shardCollection: "test.x"},
- skipStandalone: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: Object.extend({enableSharding:1}, roles_clusterManager),
- privileges: [
- { resource: {db: "test", collection: "x"}, actions: ["enableSharding"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "shardingState",
- command: {shardingState: 1},
- skipSharded: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_monitoring,
- privileges: [
- { resource: {cluster: true}, actions: ["shardingState"] }
- ]
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "shutdown",
- command: {shutdown: 1},
- testcases: [
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "split",
- command: {split: "test.x"},
- skipStandalone: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_clusterManager,
- privileges: [
- { resource: {db: "test", collection: "x"}, actions: ["splitChunk"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "splitChunk",
- command: {splitChunk: "test.x"},
- skipSharded: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: { __system: 1 },
- privileges: [
- { resource: {cluster: true}, actions: ["internal"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "splitVector",
- command: {splitVector: "test.x"},
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_clusterManager,
- privileges: [
- { resource: {db: "test", collection: "x"}, actions: ["splitVector"] }
- ],
- expectFail: true
- },
- {
- runOnDb: firstDbName,
- roles: roles_clusterManager,
- privileges: [
- { resource: {db: "test", collection: "x"}, actions: ["splitVector"] }
- ],
- expectFail: true
- },
- {
- runOnDb: secondDbName,
- roles: roles_clusterManager,
- privileges: [
- { resource: {db: "test", collection: "x"}, actions: ["splitVector"] }
- ],
- expectFail: true
- }
- ]
- },
-/* temporarily removed see SERVER-13555
- {
- testname: "storageDetails",
- command: {storageDetails: "x", analyze: "diskStorage"},
- skipSharded: true,
- setup: function (db) { db.x.save( {} ); },
- teardown: function (db) { db.x.drop(); },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_dbAdmin,
- privileges: [
- { resource: {db: firstDbName, collection: "x"}, actions: ["storageDetails"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_dbAdminAny,
- privileges: [
- { resource: {db: secondDbName, collection: "x"}, actions: ["storageDetails"] }
- ]
- }
- ]
- }, */
- {
- testname: "top",
- command: {top: 1},
- skipSharded: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_monitoring,
- privileges: [
- { resource: {cluster: true}, actions: ["top"] }
- ]
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "touch",
- command: {touch: "x", data: true, index: false},
- skipSharded: true,
- setup: function (db) { db.x.save( {} ); },
- teardown: function (db) { db.x.drop(); },
- testcases: [
- {
- runOnDb: adminDbName,
- roles: roles_hostManager,
- privileges: [
- { resource: {cluster: true}, actions: ["touch"] }
- ]
- },
- {
- runOnDb: firstDbName,
- roles: roles_hostManager,
- privileges: [
- { resource: {cluster: true}, actions: ["touch"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_hostManager,
- privileges: [
- { resource: {cluster: true}, actions: ["touch"] }
- ]
- }
- ]
- },
- {
- testname: "unsetSharding",
- command: {unsetSharding: "x"},
- skipSharded: true,
- testcases: [
- {
- runOnDb: adminDbName,
- roles: {__system: 1},
- privileges: [
- { resource: {cluster: true}, actions: ["internal"] }
- ],
- expectFail: true
- },
- { runOnDb: firstDbName, roles: {} },
- { runOnDb: secondDbName, roles: {} }
- ]
- },
- {
- testname: "validate",
- command: {validate: "x"},
- setup: function (db) { db.x.save( {} ); },
- teardown: function (db) { db.x.drop(); },
- testcases: [
- {
- runOnDb: firstDbName,
- roles: roles_dbAdmin,
- privileges: [
- { resource: {db: firstDbName, collection: "x"}, actions: ["validate"] }
- ]
- },
- {
- runOnDb: secondDbName,
- roles: roles_dbAdminAny,
- privileges: [
- { resource: {db: secondDbName, collection: "x"}, actions: ["validate"] }
- ]
- }
- ]
- },
- {
- // Test that the root role has the privilege to validate any system.* collection
- testname: "validate_system",
- command: {validate: "system.users"},
- testcases: [
- {
- runOnDb: adminDbName,
- roles: {
- root: 1,
- __system: 1
- }
- }
- ]
- },
- {
- testname: "whatsmyuri",
- command: {whatsmyuri: 1},
- testcases: [
- { runOnDb: adminDbName, roles: roles_all, privileges: [ ] },
- { runOnDb: firstDbName, roles: roles_all, privileges: [ ] },
- { runOnDb: secondDbName, roles: roles_all, privileges: [ ] }
- ]
+ }, */
+ {
+ testname: "top",
+ command: {top: 1},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_monitoring,
+ privileges: [{resource: {cluster: true}, actions: ["top"]}]
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "touch",
+ command: {touch: "x", data: true, index: false},
+ skipSharded: true,
+ setup: function(db) {
+ db.x.save({});
+ },
+ teardown: function(db) {
+ db.x.drop();
+ },
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_hostManager,
+ privileges: [{resource: {cluster: true}, actions: ["touch"]}]
+ },
+ {
+ runOnDb: firstDbName,
+ roles: roles_hostManager,
+ privileges: [{resource: {cluster: true}, actions: ["touch"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_hostManager,
+ privileges: [{resource: {cluster: true}, actions: ["touch"]}]
+ }
+ ]
+ },
+ {
+ testname: "unsetSharding",
+ command: {unsetSharding: "x"},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: {__system: 1},
+ privileges: [{resource: {cluster: true}, actions: ["internal"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "validate",
+ command: {validate: "x"},
+ setup: function(db) {
+ db.x.save({});
+ },
+ teardown: function(db) {
+ db.x.drop();
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_dbAdmin,
+ privileges:
+ [{resource: {db: firstDbName, collection: "x"}, actions: ["validate"]}]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_dbAdminAny,
+ privileges:
+ [{resource: {db: secondDbName, collection: "x"}, actions: ["validate"]}]
+ }
+ ]
+ },
+ {
+ // Test that the root role has the privilege to validate any system.* collection
+ testname: "validate_system",
+ command: {validate: "system.users"},
+ testcases: [{runOnDb: adminDbName, roles: {root: 1, __system: 1}}]
+ },
+ {
+ testname: "whatsmyuri",
+ command: {whatsmyuri: 1},
+ testcases: [
+ {runOnDb: adminDbName, roles: roles_all, privileges: []},
+ {runOnDb: firstDbName, roles: roles_all, privileges: []},
+ {runOnDb: secondDbName, roles: roles_all, privileges: []}
+ ]
}
],
-
/************* SHARED TEST LOGIC ****************/
/**
@@ -2844,7 +2612,9 @@ var authCommandsLib = {
failures = failures.concat(res);
}
- failures.forEach(function(i) { jsTest.log(i); });
+ failures.forEach(function(i) {
+ jsTest.log(i);
+ });
assert.eq(0, failures.length);
}
View Lorry Controller Status