diff options
Diffstat (limited to 'jstests/auth/mr_auth.js')
-rw-r--r-- | jstests/auth/mr_auth.js | 104 |
1 files changed, 64 insertions, 40 deletions
diff --git a/jstests/auth/mr_auth.js b/jstests/auth/mr_auth.js index 421c5d21bf7..1adc66ea7fa 100644 --- a/jstests/auth/mr_auth.js +++ b/jstests/auth/mr_auth.js @@ -1,4 +1,5 @@ -// MapReduce executed by a read-only user when --auth enabled should only be able to use inline mode. Other modes require writing to an output collection which is not allowed. SERVER-3345 +// MapReduce executed by a read-only user when --auth enabled should only be able to use inline +// mode. Other modes require writing to an output collection which is not allowed. SERVER-3345 // // This test requires users to persist across a restart. // @tags: [requires_persistence] @@ -7,75 +8,98 @@ baseName = "jstests_mr_auth"; dbName = "test"; out = baseName + "_out"; -map = function(){ emit( this.x, this.y );}; -red = function( k, vs ){ var s=0; for (var i=0; i<vs.length; i++) s+=vs[i]; return s;}; -red2 = function( k, vs ){ return 42;}; +map = function() { + emit(this.x, this.y); +}; +red = function(k, vs) { + var s = 0; + for (var i = 0; i < vs.length; i++) + s += vs[i]; + return s; +}; +red2 = function(k, vs) { + return 42; +}; // make sure writing is allowed when started without --auth enabled dbms = MongoRunner.runMongod({bind_ip: "127.0.0.1"}); -var d = dbms.getDB( dbName ); -var t = d[ baseName ]; +var d = dbms.getDB(dbName); +var t = d[baseName]; -for( var i = 0; i < 1000; i++) t.insert( {_id:i, x:i%10, y:i%100} ); -assert.eq( 1000, t.count(), "inserts failed" ); +for (var i = 0; i < 1000; i++) + t.insert({_id: i, x: i % 10, y: i % 100}); +assert.eq(1000, t.count(), "inserts failed"); d.dropAllUsers(); -d.getSisterDB( "admin" ).createUser({user: "admin", pwd: "admin", roles: jsTest.adminUserRoles }); -d.getSisterDB( "admin" ).auth('admin', 'admin'); -d.createUser({user: "write" , pwd: "write", roles: jsTest.basicUserRoles}); -d.createUser({user: "read" , pwd: "read", roles: jsTest.readOnlyUserRoles}); -d.getSisterDB( "admin" ).logout(); +d.getSisterDB("admin").createUser({user: "admin", pwd: "admin", roles: jsTest.adminUserRoles}); +d.getSisterDB("admin").auth('admin', 'admin'); +d.createUser({user: "write", pwd: "write", roles: jsTest.basicUserRoles}); +d.createUser({user: "read", pwd: "read", roles: jsTest.readOnlyUserRoles}); +d.getSisterDB("admin").logout(); -t.mapReduce( map, red, {out: { inline: 1 }} ); +t.mapReduce(map, red, {out: {inline: 1}}); -t.mapReduce( map, red, {out: { replace: out }} ); -t.mapReduce( map, red, {out: { reduce: out }} ); -t.mapReduce( map, red, {out: { merge: out }} ); +t.mapReduce(map, red, {out: {replace: out}}); +t.mapReduce(map, red, {out: {reduce: out}}); +t.mapReduce(map, red, {out: {merge: out}}); -d[ out ].drop(); +d[out].drop(); MongoRunner.stopMongod(dbms); +// In --auth mode, read-only user should not be able to write to existing or temporary collection, +// thus only can execute inline mode -// In --auth mode, read-only user should not be able to write to existing or temporary collection, thus only can execute inline mode +dbms = MongoRunner.runMongod( + {restart: true, cleanData: false, dbpath: dbms.dbpath, auth: "", bind_ip: "127.0.0.1"}); +d = dbms.getDB(dbName); +t = d[baseName]; -dbms = MongoRunner.runMongod({restart: true, cleanData: false, dbpath: dbms.dbpath, auth: "", bind_ip: "127.0.0.1"}); -d = dbms.getDB( dbName ); -t = d[ baseName ]; +assert.throws(function() { + t.findOne(); +}, [], "read without login"); -assert.throws( function() { t.findOne(); }, [], "read without login" ); +assert.throws(function() { + t.mapReduce(map, red, {out: {inline: 1}}); +}, [], "m/r without login"); -assert.throws( function(){ t.mapReduce( map, red, {out: { inline: 1 }} ); }, [], "m/r without login" ); - - -d.auth( "read", "read" ); +d.auth("read", "read"); t.findOne(); -t.mapReduce( map, red, {out: { inline: 1 }} ); +t.mapReduce(map, red, {out: {inline: 1}}); -assert.throws( function(){ t.mapReduce( map, red2, {out: { replace: out }} ); }, [], "read-only user shouldn't be able to output m/r to a collection" ); -assert.throws( function(){ t.mapReduce( map, red2, {out: { reduce: out }} ); }, [], "read-only user shouldn't be able to output m/r to a collection" ); -assert.throws( function(){ t.mapReduce( map, red2, {out: { merge: out }} ); }, [], "read-only user shouldn't be able to output m/r to a collection" ); +assert.throws(function() { + t.mapReduce(map, red2, {out: {replace: out}}); +}, [], "read-only user shouldn't be able to output m/r to a collection"); +assert.throws(function() { + t.mapReduce(map, red2, {out: {reduce: out}}); +}, [], "read-only user shouldn't be able to output m/r to a collection"); +assert.throws(function() { + t.mapReduce(map, red2, {out: {merge: out}}); +}, [], "read-only user shouldn't be able to output m/r to a collection"); -assert.eq (0, d[ out ].count(), "output collection should be empty"); +assert.eq(0, d[out].count(), "output collection should be empty"); d.logout(); -assert.throws( function(){ t.mapReduce( map, red, {out: { replace: out }} ); }, [], "m/r without login" ); - +assert.throws(function() { + t.mapReduce(map, red, {out: {replace: out}}); +}, [], "m/r without login"); -d.auth( "write", "write" ); +d.auth("write", "write"); -t.mapReduce( map, red, {out: { inline: 1 }} ); +t.mapReduce(map, red, {out: {inline: 1}}); -t.mapReduce( map, red, {out: { replace: out }} ); -t.mapReduce( map, red, {out: { reduce: out }} ); -t.mapReduce( map, red, {out: { merge: out }} ); +t.mapReduce(map, red, {out: {replace: out}}); +t.mapReduce(map, red, {out: {reduce: out}}); +t.mapReduce(map, red, {out: {merge: out}}); // make sure it fails if output to a diff db -assert.throws(function() { t.mapReduce( map, red, {out: { replace: out, db: "admin" }} ); }); +assert.throws(function() { + t.mapReduce(map, red, {out: {replace: out, db: "admin"}}); +}); MongoRunner.stopMongod(dbms); |