diff options
Diffstat (limited to 'jstests/sharding/localhostAuthBypass.js')
-rw-r--r-- | jstests/sharding/localhostAuthBypass.js | 447 |
1 files changed, 221 insertions, 226 deletions
diff --git a/jstests/sharding/localhostAuthBypass.js b/jstests/sharding/localhostAuthBypass.js index 996fb949175..55b7548d6db 100644 --- a/jstests/sharding/localhostAuthBypass.js +++ b/jstests/sharding/localhostAuthBypass.js @@ -9,142 +9,67 @@ TestData.skipCheckingUUIDsConsistentAcrossCluster = true; (function() { - 'use strict'; - - var replSetName = "replsets_server-6591"; - var keyfile = "jstests/libs/key1"; - var numShards = 2; - var username = "foo"; - var password = "bar"; - - var createUser = function(mongo) { - print("============ adding a user."); - mongo.getDB("admin").createUser( - {user: username, pwd: password, roles: jsTest.adminUserRoles}); - }; - - var addUsersToEachShard = function(st) { - for (var i = 0; i < numShards; i++) { - print("============ adding a user to shard " + i); - var d = st["shard" + i]; - d.getDB("admin").createUser( - {user: username, pwd: password, roles: jsTest.adminUserRoles}); +'use strict'; + +var replSetName = "replsets_server-6591"; +var keyfile = "jstests/libs/key1"; +var numShards = 2; +var username = "foo"; +var password = "bar"; + +var createUser = function(mongo) { + print("============ adding a user."); + mongo.getDB("admin").createUser({user: username, pwd: password, roles: jsTest.adminUserRoles}); +}; + +var addUsersToEachShard = function(st) { + for (var i = 0; i < numShards; i++) { + print("============ adding a user to shard " + i); + var d = st["shard" + i]; + d.getDB("admin").createUser({user: username, pwd: password, roles: jsTest.adminUserRoles}); + } +}; + +var addShard = function(st, shouldPass) { + var m = MongoRunner.runMongod({auth: "", keyFile: keyfile, useHostname: false, 'shardsvr': ''}); + var res = st.getDB("admin").runCommand({addShard: m.host}); + if (shouldPass) { + assert.commandWorked(res, "Add shard"); + } else { + assert.commandFailed(res, "Add shard"); + } + return m; +}; + +var findEmptyShard = function(st, ns) { + var counts = st.chunkCounts("foo"); + + for (var shard in counts) { + if (counts[shard] == 0) { + return shard; } - }; - - var addShard = function(st, shouldPass) { - var m = - MongoRunner.runMongod({auth: "", keyFile: keyfile, useHostname: false, 'shardsvr': ''}); - var res = st.getDB("admin").runCommand({addShard: m.host}); - if (shouldPass) { - assert.commandWorked(res, "Add shard"); - } else { - assert.commandFailed(res, "Add shard"); - } - return m; - }; + } - var findEmptyShard = function(st, ns) { - var counts = st.chunkCounts("foo"); + return null; +}; - for (var shard in counts) { - if (counts[shard] == 0) { - return shard; - } - } +var assertCannotRunCommands = function(mongo, st) { + print("============ ensuring that commands cannot be run."); - return null; - }; - - var assertCannotRunCommands = function(mongo, st) { - print("============ ensuring that commands cannot be run."); - - // CRUD - var test = mongo.getDB("test"); - assert.throws(function() { - test.system.users.findOne(); - }); - assert.writeError(test.foo.save({_id: 0})); - assert.throws(function() { - test.foo.findOne({_id: 0}); - }); - assert.writeError(test.foo.update({_id: 0}, {$set: {x: 20}})); - assert.writeError(test.foo.remove({_id: 0})); - - // Multi-shard - assert.throws(function() { - test.foo.mapReduce( - function() { - emit(1, 1); - }, - function(id, count) { - return Array.sum(count); - }, - {out: "other"}); - }); - - // Config - assert.throws(function() { - mongo.getDB("config").shards.findOne(); - }); - - var authorizeErrorCode = 13; - var res = mongo.getDB("admin").runCommand({ - moveChunk: "test.foo", - find: {_id: 1}, - to: st.shard0.shardName // Arbitrary shard. - }); - assert.commandFailedWithCode(res, authorizeErrorCode, "moveChunk"); - // Create collection - assert.commandFailedWithCode( - mongo.getDB("test").createCollection("log", {capped: true, size: 5242880, max: 5000}), - authorizeErrorCode, - "createCollection"); - // Set/Get system parameters - var params = [ - {param: "journalCommitInterval", val: 200}, - {param: "logLevel", val: 2}, - {param: "logUserIds", val: 1}, - {param: "notablescan", val: 1}, - {param: "quiet", val: 1}, - {param: "replApplyBatchSize", val: 10}, - {param: "replIndexPrefetch", val: "none"}, - {param: "syncdelay", val: 30}, - {param: "traceExceptions", val: true}, - {param: "sslMode", val: "preferSSL"}, - {param: "clusterAuthMode", val: "sendX509"}, - {param: "userCacheInvalidationIntervalSecs", val: 300} - ]; - params.forEach(function(p) { - var cmd = {setParameter: 1}; - cmd[p.param] = p.val; - assert.commandFailedWithCode(mongo.getDB("admin").runCommand(cmd), - authorizeErrorCode, - "setParameter: " + p.param); - }); - params.forEach(function(p) { - var cmd = {getParameter: 1}; - cmd[p.param] = 1; - assert.commandFailedWithCode(mongo.getDB("admin").runCommand(cmd), - authorizeErrorCode, - "getParameter: " + p.param); - }); - }; - - var assertCanRunCommands = function(mongo, st) { - print("============ ensuring that commands can be run."); - - // CRUD - var test = mongo.getDB("test"); - - // this will throw if it fails + // CRUD + var test = mongo.getDB("test"); + assert.throws(function() { test.system.users.findOne(); + }); + assert.writeError(test.foo.save({_id: 0})); + assert.throws(function() { + test.foo.findOne({_id: 0}); + }); + assert.writeError(test.foo.update({_id: 0}, {$set: {x: 20}})); + assert.writeError(test.foo.remove({_id: 0})); - assert.writeOK(test.foo.save({_id: 0})); - assert.writeOK(test.foo.update({_id: 0}, {$set: {x: 20}})); - assert.writeOK(test.foo.remove({_id: 0})); - - // Multi-shard + // Multi-shard + assert.throws(function() { test.foo.mapReduce( function() { emit(1, 1); @@ -153,122 +78,192 @@ TestData.skipCheckingUUIDsConsistentAcrossCluster = true; return Array.sum(count); }, {out: "other"}); + }); - // Config - // this will throw if it fails + // Config + assert.throws(function() { mongo.getDB("config").shards.findOne(); + }); - var to = findEmptyShard(st, "test.foo"); - var res = mongo.getDB("admin").runCommand({moveChunk: "test.foo", find: {_id: 1}, to: to}); - assert.commandWorked(res); - }; - - var authenticate = function(mongo) { - print("============ authenticating user."); - mongo.getDB("admin").auth(username, password); - }; + var authorizeErrorCode = 13; + var res = mongo.getDB("admin").runCommand({ + moveChunk: "test.foo", + find: {_id: 1}, + to: st.shard0.shardName // Arbitrary shard. + }); + assert.commandFailedWithCode(res, authorizeErrorCode, "moveChunk"); + // Create collection + assert.commandFailedWithCode( + mongo.getDB("test").createCollection("log", {capped: true, size: 5242880, max: 5000}), + authorizeErrorCode, + "createCollection"); + // Set/Get system parameters + var params = [ + {param: "journalCommitInterval", val: 200}, + {param: "logLevel", val: 2}, + {param: "logUserIds", val: 1}, + {param: "notablescan", val: 1}, + {param: "quiet", val: 1}, + {param: "replApplyBatchSize", val: 10}, + {param: "replIndexPrefetch", val: "none"}, + {param: "syncdelay", val: 30}, + {param: "traceExceptions", val: true}, + {param: "sslMode", val: "preferSSL"}, + {param: "clusterAuthMode", val: "sendX509"}, + {param: "userCacheInvalidationIntervalSecs", val: 300} + ]; + params.forEach(function(p) { + var cmd = {setParameter: 1}; + cmd[p.param] = p.val; + assert.commandFailedWithCode( + mongo.getDB("admin").runCommand(cmd), authorizeErrorCode, "setParameter: " + p.param); + }); + params.forEach(function(p) { + var cmd = {getParameter: 1}; + cmd[p.param] = 1; + assert.commandFailedWithCode( + mongo.getDB("admin").runCommand(cmd), authorizeErrorCode, "getParameter: " + p.param); + }); +}; + +var assertCanRunCommands = function(mongo, st) { + print("============ ensuring that commands can be run."); + + // CRUD + var test = mongo.getDB("test"); + + // this will throw if it fails + test.system.users.findOne(); + + assert.writeOK(test.foo.save({_id: 0})); + assert.writeOK(test.foo.update({_id: 0}, {$set: {x: 20}})); + assert.writeOK(test.foo.remove({_id: 0})); + + // Multi-shard + test.foo.mapReduce( + function() { + emit(1, 1); + }, + function(id, count) { + return Array.sum(count); + }, + {out: "other"}); + + // Config + // this will throw if it fails + mongo.getDB("config").shards.findOne(); + + var to = findEmptyShard(st, "test.foo"); + var res = mongo.getDB("admin").runCommand({moveChunk: "test.foo", find: {_id: 1}, to: to}); + assert.commandWorked(res); +}; + +var authenticate = function(mongo) { + print("============ authenticating user."); + mongo.getDB("admin").auth(username, password); +}; + +var setupSharding = function(shardingTest) { + var mongo = shardingTest.s; + + print("============ enabling sharding on test.foo."); + mongo.getDB("admin").runCommand({enableSharding: "test"}); + shardingTest.ensurePrimaryShard('test', st.shard1.shardName); + mongo.getDB("admin").runCommand({shardCollection: "test.foo", key: {_id: 1}}); + + var test = mongo.getDB("test"); + for (var i = 1; i < 20; i++) { + test.foo.insert({_id: i}); + } +}; + +var start = function() { + // TODO: Remove 'shardAsReplicaSet: false' when SERVER-32672 is fixed. + return new ShardingTest({ + auth: "", + shards: numShards, + other: { + keyFile: keyfile, + chunkSize: 1, + useHostname: + false, // Must use localhost to take advantage of the localhost auth bypass + shardAsReplicaSet: false + } + }); +}; - var setupSharding = function(shardingTest) { - var mongo = shardingTest.s; +var shutdown = function(st) { + print("============ shutting down."); - print("============ enabling sharding on test.foo."); - mongo.getDB("admin").runCommand({enableSharding: "test"}); - shardingTest.ensurePrimaryShard('test', st.shard1.shardName); - mongo.getDB("admin").runCommand({shardCollection: "test.foo", key: {_id: 1}}); + // SERVER-8445 + // Unlike MongoRunner.stopMongod and ReplSetTest.stopSet, + // ShardingTest.stop does not have a way to provide auth + // information. Therefore, we'll do this manually for now. - var test = mongo.getDB("test"); - for (var i = 1; i < 20; i++) { - test.foo.insert({_id: i}); - } - }; - - var start = function() { - // TODO: Remove 'shardAsReplicaSet: false' when SERVER-32672 is fixed. - return new ShardingTest({ - auth: "", - shards: numShards, - other: { - keyFile: keyfile, - chunkSize: 1, - useHostname: - false, // Must use localhost to take advantage of the localhost auth bypass - shardAsReplicaSet: false - } - }); - }; - - var shutdown = function(st) { - print("============ shutting down."); - - // SERVER-8445 - // Unlike MongoRunner.stopMongod and ReplSetTest.stopSet, - // ShardingTest.stop does not have a way to provide auth - // information. Therefore, we'll do this manually for now. - - for (var i = 0; i < st._mongos.length; i++) { - var conn = st["s" + i]; - MongoRunner.stopMongos(conn, - /*signal*/ false, - {auth: {user: username, pwd: password}}); - } + for (var i = 0; i < st._mongos.length; i++) { + var conn = st["s" + i]; + MongoRunner.stopMongos(conn, + /*signal*/ false, + {auth: {user: username, pwd: password}}); + } - for (var i = 0; i < st._connections.length; i++) { - var conn = st["shard" + i]; - MongoRunner.stopMongod(conn, - /*signal*/ false, - {auth: {user: username, pwd: password}}); - } + for (var i = 0; i < st._connections.length; i++) { + var conn = st["shard" + i]; + MongoRunner.stopMongod(conn, + /*signal*/ false, + {auth: {user: username, pwd: password}}); + } - for (var i = 0; i < st._configServers.length; i++) { - var conn = st["config" + i]; - MongoRunner.stopMongod(conn, - /*signal*/ false, - {auth: {user: username, pwd: password}}); - } + for (var i = 0; i < st._configServers.length; i++) { + var conn = st["config" + i]; + MongoRunner.stopMongod(conn, + /*signal*/ false, + {auth: {user: username, pwd: password}}); + } - st.stop(); - }; + st.stop(); +}; - print("====================="); - print("starting shards"); - print("====================="); - var st = start(); - var host = st.s.host; - var extraShards = []; +print("====================="); +print("starting shards"); +print("====================="); +var st = start(); +var host = st.s.host; +var extraShards = []; - var mongo = new Mongo(host); +var mongo = new Mongo(host); - assertCannotRunCommands(mongo, st); +assertCannotRunCommands(mongo, st); - extraShards.push(addShard(st, 1)); - createUser(mongo); +extraShards.push(addShard(st, 1)); +createUser(mongo); - authenticate(mongo); - authenticate(st.s); - setupSharding(st); +authenticate(mongo); +authenticate(st.s); +setupSharding(st); - addUsersToEachShard(st); - st.printShardingStatus(); +addUsersToEachShard(st); +st.printShardingStatus(); - assertCanRunCommands(mongo, st); +assertCanRunCommands(mongo, st); - print("==============================="); - print("reconnecting with a new client."); - print("==============================="); +print("==============================="); +print("reconnecting with a new client."); +print("==============================="); - mongo = new Mongo(host); +mongo = new Mongo(host); - assertCannotRunCommands(mongo, st); - extraShards.push(addShard(mongo, 0)); +assertCannotRunCommands(mongo, st); +extraShards.push(addShard(mongo, 0)); - authenticate(mongo); +authenticate(mongo); - assertCanRunCommands(mongo, st); - extraShards.push(addShard(mongo, 1)); - st.printShardingStatus(); +assertCanRunCommands(mongo, st); +extraShards.push(addShard(mongo, 1)); +st.printShardingStatus(); - shutdown(st); - extraShards.forEach(function(sh) { - MongoRunner.stopMongod(sh); - }); +shutdown(st); +extraShards.forEach(function(sh) { + MongoRunner.stopMongod(sh); +}); })(); |