Diffstat (limited to 'jstests/auth/user_defined_roles_on_secondaries.js')
-rw-r--r--jstests/auth/user_defined_roles_on_secondaries.js354
1 files changed, 169 insertions, 185 deletions
diff --git a/jstests/auth/user_defined_roles_on_secondaries.js b/jstests/auth/user_defined_roles_on_secondaries.js
index 4ca2d14f651..959b76a3cae 100644
--- a/jstests/auth/user_defined_roles_on_secondaries.js
+++ b/jstests/auth/user_defined_roles_on_secondaries.js
@@ -36,193 +36,177 @@
(function() {
-var name = 'user_defined_roles_on_secondaries';
-var m0, m1;
-
-function assertListContainsRole(list, role, msg) {
- var i;
- for (i = 0; i < list.length; ++i) {
- if (list[i].role == role.role && list[i].db == role.db)
- return;
+ var name = 'user_defined_roles_on_secondaries';
+ var m0, m1;
+
+ function assertListContainsRole(list, role, msg) {
+ var i;
+ for (i = 0; i < list.length; ++i) {
+ if (list[i].role == role.role && list[i].db == role.db)
+ return;
+ }
+ doassert("Could not find value " + tojson(val) + " in " +
+ tojson(list)(msg ? ": " + msg : ""));
}
- doassert("Could not find value " + tojson(val) + " in " + tojson(list)
- (msg ? ": " + msg : ""));
-}
-
-//
-// Create a 1-node replicaset and add two roles, inheriting the built-in read role on db1.
-//
-// read
-// / \
+
+ //
+ // Create a 1-node replicaset and add two roles, inheriting the built-in read role on db1.
+ //
+ // read
+ // / \
// r1 r2
-//
-var rstest = new ReplSetTest({
- name: name,
- nodes: 1,
- nodeOptions: {}
-});
-
-rstest.startSet();
-rstest.initiate();
-
-m0 = rstest.nodes[0];
-
-m0.getDB("db1").createRole({
- role: "r1",
- roles: [ "read" ],
- privileges: [
- { resource: { db: "db1", collection: "system.users" }, actions: [ "find" ] }
- ]
-});
-
-m0.getDB("db1").createRole({
- role: "r2",
- roles: [ "read" ],
- privileges: [
- { resource: { db: "db1", collection: "log" }, actions: [ "insert" ] }
- ]
-});
-
-//
-// Add a second node to the set, and add a third role, dependent on the first two.
-//
-// read
-// / \
+ //
+ var rstest = new ReplSetTest({name: name, nodes: 1, nodeOptions: {}});
+
+ rstest.startSet();
+ rstest.initiate();
+
+ m0 = rstest.nodes[0];
+
+ m0.getDB("db1").createRole({
+ role: "r1",
+ roles: ["read"],
+ privileges: [{resource: {db: "db1", collection: "system.users"}, actions: ["find"]}]
+ });
+
+ m0.getDB("db1").createRole({
+ role: "r2",
+ roles: ["read"],
+ privileges: [{resource: {db: "db1", collection: "log"}, actions: ["insert"]}]
+ });
+
+ //
+ // Add a second node to the set, and add a third role, dependent on the first two.
+ //
+ // read
+ // / \
// r1 r2
-// \ /
-// r3
-//
-rstest.add();
-rstest.reInitiate();
-
-rstest.getPrimary().getDB("db1").createRole({
- role: "r3",
- roles: [ "r1", "r2" ],
- privileges: [
- { resource: { db: "db1", collection: "log" }, actions: [ "update" ] }
- ]
-}, { w: 2 });
-
-// Verify that both members of the set see the same role graph.
-rstest.nodes.forEach(function (node) {
- var role = node.getDB("db1").getRole("r3");
- assert.eq(2, role.roles.length, node);
- assertListContainsRole(role.roles, {role: "r1", db: "db1"}, node);
- assertListContainsRole(role.roles, {role: "r2", db: "db1"}, node);
- assert.eq(3, role.inheritedRoles.length, node);
- assertListContainsRole(role.inheritedRoles, {role: "r1", db: "db1"}, node);
- assertListContainsRole(role.inheritedRoles, {role: "r2", db: "db1"}, node);
- assertListContainsRole(role.inheritedRoles, {role: "read", db: "db1"}, node);
-});
-
-// Verify that updating roles propagates.
-rstest.getPrimary().getDB("db1").revokeRolesFromRole("r1", [ "read" ], { w: 2 });
-rstest.getPrimary().getDB("db1").grantRolesToRole("r1", [ "dbAdmin" ], { w: 2 });
-rstest.nodes.forEach(function (node) {
- var role = node.getDB("db1").getRole("r1");
- assert.eq(1, role.roles.length, node);
- assertListContainsRole(role.roles, { role: "dbAdmin", db: "db1" });
-});
-
-// Verify that dropping roles propagates.
-rstest.getPrimary().getDB("db1").dropRole("r2", { w: 2});
-rstest.nodes.forEach(function (node) {
- assert.eq(null, node.getDB("db1").getRole("r2"));
- var role = node.getDB("db1").getRole("r3");
- assert.eq(1, role.roles.length, node);
- assertListContainsRole(role.roles, {role: "r1", db: "db1"}, node);
- assert.eq(2, role.inheritedRoles.length, node);
- assertListContainsRole(role.inheritedRoles, {role: "r1", db: "db1"}, node);
- assertListContainsRole(role.inheritedRoles, {role: "dbAdmin", db: "db1"}, node);
-});
-
-// Verify that dropping the admin database propagates.
-assert.commandWorked(rstest.getPrimary().getDB("admin").dropDatabase());
-assert.commandWorked(rstest.getPrimary().getDB("admin").getLastErrorObj(2));
-rstest.nodes.forEach(function (node) {
- var roles = node.getDB("db1").getRoles();
- assert.eq(0, roles.length, node);
-});
-
-// Verify that applyOps commands propagate.
-// NOTE: This section of the test depends on the oplog and roles schemas.
-assert.commandWorked(rstest.getPrimary().getDB("admin").runCommand({ applyOps: [
- {
- op: "c",
- ns: "admin.$cmd",
- o: { create: "system.roles" }
- },
- {
- op: "i",
- ns: "admin.system.roles",
- o: {
- _id: "db1.s1",
- role: "s1",
- db: "db1",
- roles: [ { role: "read", db: "db1" } ],
- privileges: [ { resource: { db: "db1", collection: "system.users" },
- actions: [ "find" ] } ] }
- },
- {
- op: "i",
- ns: "admin.system.roles",
- o: {
- _id: "db1.s2",
- role: "s2",
- db: "db1",
- roles: [ { role: "read", db: "db1" } ],
- privileges: [ { resource: { db: "db1", collection: "log" },
- actions: [ "insert" ] } ] }
- },
- {
- op: "c",
- ns: "admin.$cmd",
- o: { dropDatabase: 1 }
- },
- {
- op: "c",
- ns: "admin.$cmd",
- o: { create: "system.roles" }
- },
- {
- op: "i",
- ns: "admin.system.roles",
- o: {
- _id: "db1.t1",
- role: "t1",
- db: "db1",
- roles: [ { role: "read", db: "db1" } ],
- privileges: [ { resource: { db: "db1", collection: "system.users" },
- actions: [ "find" ] } ] }
- },
- {
- op: "i",
- ns: "admin.system.roles",
- o: {
- _id: "db1.t2",
- role: "t2",
- db: "db1",
- roles: [ ],
- privileges: [ { resource: { db: "db1", collection: "log" },
- actions: [ "insert" ] } ] }
- },
- {
- op: "u",
- ns: "admin.system.roles",
- o: { $set: { roles: [ { role: "readWrite", db: "db1" } ] } },
- o2: { _id: "db1.t2" }
- }
-] }));
-
-assert.commandWorked(rstest.getPrimary().getDB("admin").getLastErrorObj(2));
-rstest.nodes.forEach(function (node) {
- var role = node.getDB("db1").getRole("t1");
- assert.eq(1, role.roles.length, node);
- assertListContainsRole(role.roles, {role: "read", db: "db1"}, node);
-
- var role = node.getDB("db1").getRole("t2");
- assert.eq(1, role.roles.length, node);
- assertListContainsRole(role.roles, {role: "readWrite", db: "db1"}, node);
-});
+ // \ /
+ // r3
+ //
+ rstest.add();
+ rstest.reInitiate();
+
+ rstest.getPrimary().getDB("db1").createRole(
+ {
+ role: "r3",
+ roles: ["r1", "r2"],
+ privileges: [{resource: {db: "db1", collection: "log"}, actions: ["update"]}]
+ },
+ {w: 2});
+
+ // Verify that both members of the set see the same role graph.
+ rstest.nodes.forEach(function(node) {
+ var role = node.getDB("db1").getRole("r3");
+ assert.eq(2, role.roles.length, node);
+ assertListContainsRole(role.roles, {role: "r1", db: "db1"}, node);
+ assertListContainsRole(role.roles, {role: "r2", db: "db1"}, node);
+ assert.eq(3, role.inheritedRoles.length, node);
+ assertListContainsRole(role.inheritedRoles, {role: "r1", db: "db1"}, node);
+ assertListContainsRole(role.inheritedRoles, {role: "r2", db: "db1"}, node);
+ assertListContainsRole(role.inheritedRoles, {role: "read", db: "db1"}, node);
+ });
+
+ // Verify that updating roles propagates.
+ rstest.getPrimary().getDB("db1").revokeRolesFromRole("r1", ["read"], {w: 2});
+ rstest.getPrimary().getDB("db1").grantRolesToRole("r1", ["dbAdmin"], {w: 2});
+ rstest.nodes.forEach(function(node) {
+ var role = node.getDB("db1").getRole("r1");
+ assert.eq(1, role.roles.length, node);
+ assertListContainsRole(role.roles, {role: "dbAdmin", db: "db1"});
+ });
+
+ // Verify that dropping roles propagates.
+ rstest.getPrimary().getDB("db1").dropRole("r2", {w: 2});
+ rstest.nodes.forEach(function(node) {
+ assert.eq(null, node.getDB("db1").getRole("r2"));
+ var role = node.getDB("db1").getRole("r3");
+ assert.eq(1, role.roles.length, node);
+ assertListContainsRole(role.roles, {role: "r1", db: "db1"}, node);
+ assert.eq(2, role.inheritedRoles.length, node);
+ assertListContainsRole(role.inheritedRoles, {role: "r1", db: "db1"}, node);
+ assertListContainsRole(role.inheritedRoles, {role: "dbAdmin", db: "db1"}, node);
+ });
+
+ // Verify that dropping the admin database propagates.
+ assert.commandWorked(rstest.getPrimary().getDB("admin").dropDatabase());
+ assert.commandWorked(rstest.getPrimary().getDB("admin").getLastErrorObj(2));
+ rstest.nodes.forEach(function(node) {
+ var roles = node.getDB("db1").getRoles();
+ assert.eq(0, roles.length, node);
+ });
+
+ // Verify that applyOps commands propagate.
+ // NOTE: This section of the test depends on the oplog and roles schemas.
+ assert.commandWorked(rstest.getPrimary().getDB("admin").runCommand({
+ applyOps: [
+ {op: "c", ns: "admin.$cmd", o: {create: "system.roles"}},
+ {
+ op: "i",
+ ns: "admin.system.roles",
+ o: {
+ _id: "db1.s1",
+ role: "s1",
+ db: "db1",
+ roles: [{role: "read", db: "db1"}],
+ privileges:
+ [{resource: {db: "db1", collection: "system.users"}, actions: ["find"]}]
+ }
+ },
+ {
+ op: "i",
+ ns: "admin.system.roles",
+ o: {
+ _id: "db1.s2",
+ role: "s2",
+ db: "db1",
+ roles: [{role: "read", db: "db1"}],
+ privileges: [{resource: {db: "db1", collection: "log"}, actions: ["insert"]}]
+ }
+ },
+ {op: "c", ns: "admin.$cmd", o: {dropDatabase: 1}},
+ {op: "c", ns: "admin.$cmd", o: {create: "system.roles"}},
+ {
+ op: "i",
+ ns: "admin.system.roles",
+ o: {
+ _id: "db1.t1",
+ role: "t1",
+ db: "db1",
+ roles: [{role: "read", db: "db1"}],
+ privileges:
+ [{resource: {db: "db1", collection: "system.users"}, actions: ["find"]}]
+ }
+ },
+ {
+ op: "i",
+ ns: "admin.system.roles",
+ o: {
+ _id: "db1.t2",
+ role: "t2",
+ db: "db1",
+ roles: [],
+ privileges: [{resource: {db: "db1", collection: "log"}, actions: ["insert"]}]
+ }
+ },
+ {
+ op: "u",
+ ns: "admin.system.roles",
+ o: {$set: {roles: [{role: "readWrite", db: "db1"}]}},
+ o2: {_id: "db1.t2"}
+ }
+ ]
+ }));
+
+ assert.commandWorked(rstest.getPrimary().getDB("admin").getLastErrorObj(2));
+ rstest.nodes.forEach(function(node) {
+ var role = node.getDB("db1").getRole("t1");
+ assert.eq(1, role.roles.length, node);
+ assertListContainsRole(role.roles, {role: "read", db: "db1"}, node);
+
+ var role = node.getDB("db1").getRole("t2");
+ assert.eq(1, role.roles.length, node);
+ assertListContainsRole(role.roles, {role: "readWrite", db: "db1"}, node);
+ });
}());
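Review bot: The reformatted `assertListContainsRole` keeps a broken failure path: `tojson(val)` names a variable that is not declared anywhere in the function, and `tojson(list)(msg ? ": " + msg : "")` calls the string returned by `tojson` as a function because the `+` is missing, so when a role is genuinely absent on a secondary the helper throws a ReferenceError instead of the intended `doassert` message and the real mismatch is hidden. Suggest `doassert("Could not find value " + tojson(role) + " in " + tojson(list) + (msg ? ": " + msg : ""));`. In the same spirit, the check after `grantRolesToRole("r1", ["dbAdmin"], …)` omits the `node` argument that every sibling check passes, so a failure there would not identify which member's role graph diverged; `assertListContainsRole(role.roles, {role: "dbAdmin", db: "db1"}, node);` matches the others. The comparisons with `==` in the helper could be `===` since both sides are strings. The enclosing IIFE is closed on the hunk's last line.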