Diffstat (limited to 'src/mongo')
-rw-r--r--src/mongo/client/examples/authTest.cpp9
-rw-r--r--src/mongo/db/auth/authorization_manager_test.cpp133
-rw-r--r--src/mongo/db/auth/authorization_session_test.cpp82
-rw-r--r--src/mongo/db/auth/authz_manager_external_state_mock.cpp2
-rw-r--r--src/mongo/shell/db.js3
-rw-r--r--src/mongo/shell/utils.js16
6 files changed, 147 insertions, 98 deletions
diff --git a/src/mongo/client/examples/authTest.cpp b/src/mongo/client/examples/authTest.cpp
index ed3f4049291..194590d027c 100644
--- a/src/mongo/client/examples/authTest.cpp
+++ b/src/mongo/client/examples/authTest.cpp
@@ -47,10 +47,15 @@ int main( int argc, const char **argv ) {
return EXIT_FAILURE;
}
+ BSONObj ret;
// clean up old data from any previous tests
- conn->remove( "test.system.users" , BSONObj() );
+ conn->runCommand( "test", BSON("removeUsersFromDatabase" << 1), ret );
- conn->insert( "test.system.users" , BSON( "user" << "eliot" << "pwd" << conn->createPasswordDigest( "eliot" , "bar" ) ) );
+ conn->runCommand( "test",
+ BSON( "createUser" << "eliot" <<
+ "pwd" << "bar" <<
+ "roles" << BSON_ARRAY("readWrite")),
+ ret);
errmsg.clear();
conn->auth(BSON("user" << "eliot" <<
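Review bot: Both new runCommand() calls, `conn->runCommand( "test", BSON("removeUsersFromDatabase" << 1), ret );` and the createUser call below it, discard the boolean result and never look at `ret`, so a failed user creation only surfaces later as a confusing auth() failure. Since the example already bails with `return EXIT_FAILURE;` when earlier setup fails, the same treatment here keeps the failure unambiguous, e.g. `if ( !conn->runCommand( "test", BSON( "createUser" << "eliot" << "pwd" << "bar" << "roles" << BSON_ARRAY("readWrite") ), ret ) ) { /* report ret the way the earlier error path does */ return EXIT_FAILURE; }`. The removeUsersFromDatabase result can stay best-effort, but a one-line comment saying so would make that deliberate rather than accidental. main()'s body continues outside the hunk.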
diff --git a/src/mongo/db/auth/authorization_manager_test.cpp b/src/mongo/db/auth/authorization_manager_test.cpp
index 858ca5c69e1..a053c9c7cc7 100644
--- a/src/mongo/db/auth/authorization_manager_test.cpp
+++ b/src/mongo/db/auth/authorization_manager_test.cpp
@@ -53,9 +53,9 @@ namespace {
AuthzManagerExternalStateMock* externalState;
};
- class PrivilegeDocumentParsing : public AuthorizationManagerTest {
+ class V1PrivilegeDocumentParsing : public AuthorizationManagerTest {
public:
- PrivilegeDocumentParsing() {}
+ V1PrivilegeDocumentParsing() {}
scoped_ptr<User> user;
scoped_ptr<User> adminUser;
@@ -64,10 +64,11 @@ namespace {
AuthorizationManagerTest::setUp();
user.reset(new User(UserName("spencer", "test")));
adminUser.reset(new User(UserName("admin", "admin")));
+ authzManager->setAuthorizationVersion(1);
}
};
- TEST_F(PrivilegeDocumentParsing, testParsingV0PrivilegeDocuments) {
+ TEST_F(V1PrivilegeDocumentParsing, testParsingV0PrivilegeDocuments) {
User user(UserName("Spencer", "test"));
User adminUser(UserName("Spencer", "admin"));
BSONObj invalid;
@@ -101,21 +102,21 @@ namespace {
ASSERT(adminUser.getActionsForResource("*").contains(ActionType::insert));
}
- TEST_F(PrivilegeDocumentParsing, VerifyRolesFieldMustBeAnArray) {
+ TEST_F(V1PrivilegeDocumentParsing, VerifyRolesFieldMustBeAnArray) {
ASSERT_NOT_OK(authzManager->_initializeUserFromPrivilegeDocument(
user.get(),
BSON("user" << "spencer" << "pwd" << "" << "roles" << "read")));
ASSERT(user->getActionsForResource("test").empty());
}
- TEST_F(PrivilegeDocumentParsing, VerifyInvalidRoleGrantsNoPrivileges) {
+ TEST_F(V1PrivilegeDocumentParsing, VerifyInvalidRoleGrantsNoPrivileges) {
ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument(
user.get(),
BSON("user" << "spencer" << "pwd" << "" << "roles" << BSON_ARRAY("frim"))));
ASSERT(user->getActionsForResource("test").empty());
}
- TEST_F(PrivilegeDocumentParsing, VerifyInvalidRoleStillAllowsOtherRoles) {
+ TEST_F(V1PrivilegeDocumentParsing, VerifyInvalidRoleStillAllowsOtherRoles) {
ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument(
user.get(),
BSON("user" << "spencer" <<
@@ -124,7 +125,7 @@ namespace {
ASSERT(user->getActionsForResource("test").contains(ActionType::find));
}
- TEST_F(PrivilegeDocumentParsing, VerifyCannotGrantClusterAdminRoleFromNonAdminDatabase) {
+ TEST_F(V1PrivilegeDocumentParsing, VerifyCannotGrantClusterAdminRoleFromNonAdminDatabase) {
ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument(
user.get(),
BSON("user" << "spencer" <<
@@ -135,7 +136,7 @@ namespace {
ASSERT(!user->getActionsForResource("test").contains(ActionType::dropDatabase));
}
- TEST_F(PrivilegeDocumentParsing, VerifyCannotGrantClusterReadFromNonAdminDatabase) {
+ TEST_F(V1PrivilegeDocumentParsing, VerifyCannotGrantClusterReadFromNonAdminDatabase) {
ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument(
user.get(),
BSON("user" << "spencer" <<
@@ -145,7 +146,7 @@ namespace {
ASSERT(!user->getActionsForResource("test2").contains(ActionType::find));
}
- TEST_F(PrivilegeDocumentParsing, VerifyCannotGrantClusterReadWriteFromNonAdminDatabase) {
+ TEST_F(V1PrivilegeDocumentParsing, VerifyCannotGrantClusterReadWriteFromNonAdminDatabase) {
ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument(
user.get(),
BSON("user" << "spencer" <<
@@ -156,7 +157,7 @@ namespace {
ASSERT(!user->getActionsForResource("test2").contains(ActionType::insert));
}
- TEST_F(PrivilegeDocumentParsing, VerifyCannotGrantClusterUserAdminFromNonAdminDatabase) {
+ TEST_F(V1PrivilegeDocumentParsing, VerifyCannotGrantClusterUserAdminFromNonAdminDatabase) {
ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument(
user.get(),
BSON("user" << "spencer" <<
@@ -167,7 +168,7 @@ namespace {
ASSERT(!user->getActionsForResource("test2").contains(ActionType::userAdmin));
}
- TEST_F(PrivilegeDocumentParsing, VerifyCannotGrantClusterDBAdminFromNonAdminDatabase) {
+ TEST_F(V1PrivilegeDocumentParsing, VerifyCannotGrantClusterDBAdminFromNonAdminDatabase) {
ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument(
user.get(),
BSON("user" << "spencer" <<
@@ -178,7 +179,7 @@ namespace {
ASSERT(!user->getActionsForResource("test2").contains(ActionType::clean));
}
- TEST_F(PrivilegeDocumentParsing, VerifyOtherDBRolesMustBeAnObjectOfArraysOfStrings) {
+ TEST_F(V1PrivilegeDocumentParsing, VerifyOtherDBRolesMustBeAnObjectOfArraysOfStrings) {
ASSERT_NOT_OK(authzManager->_initializeUserFromPrivilegeDocument(
adminUser.get(),
BSON("user" << "admin" <<
@@ -200,7 +201,7 @@ namespace {
ASSERT(!adminUser->getActionsForResource("admin").contains(ActionType::find));
}
- TEST_F(PrivilegeDocumentParsing, VerifyCannotGrantPrivilegesOnOtherDatabasesNormally) {
+ TEST_F(V1PrivilegeDocumentParsing, VerifyCannotGrantPrivilegesOnOtherDatabasesNormally) {
// Cannot grant privileges on other databases, except from admin database.
ASSERT_NOT_OK(authzManager->_initializeUserFromPrivilegeDocument(
user.get(),
@@ -213,7 +214,7 @@ namespace {
ASSERT(!user->getActionsForResource("admin").contains(ActionType::find));
}
- TEST_F(PrivilegeDocumentParsing, SuccessfulSimpleReadGrant) {
+ TEST_F(V1PrivilegeDocumentParsing, SuccessfulSimpleReadGrant) {
// Grant read on test.
ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument(
user.get(),
@@ -225,7 +226,7 @@ namespace {
ASSERT(!user->getActionsForResource("admin").contains(ActionType::find));
}
- TEST_F(PrivilegeDocumentParsing, SuccessfulSimpleUserAdminTest) {
+ TEST_F(V1PrivilegeDocumentParsing, SuccessfulSimpleUserAdminTest) {
// Grant userAdmin on "test" database.
ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument(
user.get(),
@@ -237,7 +238,7 @@ namespace {
ASSERT(!user->getActionsForResource("admin").contains(ActionType::userAdmin));
}
- TEST_F(PrivilegeDocumentParsing, GrantUserAdminOnAdmin) {
+ TEST_F(V1PrivilegeDocumentParsing, GrantUserAdminOnAdmin) {
// Grant userAdmin on admin.
ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument(
adminUser.get(),
@@ -249,7 +250,7 @@ namespace {
ASSERT(adminUser->getActionsForResource("admin").contains(ActionType::userAdmin));
}
- TEST_F(PrivilegeDocumentParsing, GrantUserAdminOnTestViaAdmin) {
+ TEST_F(V1PrivilegeDocumentParsing, GrantUserAdminOnTestViaAdmin) {
// Grant userAdmin on test via admin.
ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument(
adminUser.get(),
@@ -262,7 +263,7 @@ namespace {
ASSERT(!adminUser->getActionsForResource("admin").contains(ActionType::userAdmin));
}
- TEST_F(PrivilegeDocumentParsing, SuccessfulClusterAdminTest) {
+ TEST_F(V1PrivilegeDocumentParsing, SuccessfulClusterAdminTest) {
// Grant userAdminAnyDatabase.
ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument(
adminUser.get(),
@@ -273,7 +274,7 @@ namespace {
}
- TEST_F(PrivilegeDocumentParsing, GrantClusterReadWrite) {
+ TEST_F(V1PrivilegeDocumentParsing, GrantClusterReadWrite) {
// Grant readWrite on everything via the admin database.
ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument(
adminUser.get(),
@@ -284,7 +285,7 @@ namespace {
ASSERT(adminUser->getActionsForResource("*").contains(ActionType::insert));
}
- TEST_F(PrivilegeDocumentParsing, ProhibitGrantOnWildcard) {
+ TEST_F(V1PrivilegeDocumentParsing, ProhibitGrantOnWildcard) {
// Cannot grant readWrite to everything using "otherDBRoles".
ASSERT_NOT_OK(authzManager->_initializeUserFromPrivilegeDocument(
adminUser.get(),
@@ -300,7 +301,7 @@ namespace {
ASSERT(!adminUser->getActionsForResource("admin").contains(ActionType::insert));
}
- TEST_F(PrivilegeDocumentParsing, GrantClusterAdmin) {
+ TEST_F(V1PrivilegeDocumentParsing, GrantClusterAdmin) {
// Grant cluster admin
ASSERT_OK(authzManager->_initializeUserFromPrivilegeDocument(
adminUser.get(),
@@ -312,7 +313,7 @@ namespace {
ASSERT(adminUser->getActionsForResource("*").contains(ActionType::moveChunk));
}
- TEST_F(PrivilegeDocumentParsing, GetPrivilegesFromPrivilegeDocumentInvalid) {
+ TEST_F(V1PrivilegeDocumentParsing, GetPrivilegesFromPrivilegeDocumentInvalid) {
// Try to mix fields from V0 and V1 privilege documents and make sure it fails.
ASSERT_NOT_OK(authzManager->_initializeUserFromPrivilegeDocument(
user.get(),
@@ -326,12 +327,14 @@ namespace {
TEST_F(AuthorizationManagerTest, testAquireV0User) {
- ASSERT_OK(externalState->insertPrivilegeDocument(
- "test",
- BSON("user" << "v0RW" << "pwd" << "password")));
- ASSERT_OK(externalState->insertPrivilegeDocument(
- "admin",
- BSON("user" << "v0AdminRO" << "pwd" << "password" << "readOnly" << true)));
+ authzManager->setAuthorizationVersion(1);
+
+ ASSERT_OK(externalState->insert(NamespaceString("test.system.users"),
+ BSON("user" << "v0RW" << "pwd" << "password")));
+ ASSERT_OK(externalState->insert(NamespaceString("admin.system.users"),
+ BSON("user" << "v0AdminRO" <<
+ "pwd" << "password" <<
+ "readOnly" << true)));
User* v0RW;
ASSERT_OK(authzManager->acquireUser(UserName("v0RW", "test"), &v0RW));
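Review bot: `authzManager->setAuthorizationVersion(1);` is now the first statement of testAquireV0User and is repeated identically in the testAquireV1User and initializeAllV1UserData hunks below, while this same commit gives V1PrivilegeDocumentParsing its own setUp() for exactly that purpose. A sibling fixture, say V1AuthorizationManagerTest, whose setUp() is `AuthorizationManagerTest::setUp(); authzManager->setAuthorizationVersion(1);` would let these three tests use TEST_F(V1AuthorizationManagerTest, ...) and drop the per-test line. As written, a V1 test that forgets the call runs against whatever the manager's default version is, and nothing in the test body makes that visible.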
@@ -376,16 +379,16 @@ namespace {
}
TEST_F(AuthorizationManagerTest, testAquireV1User) {
- ASSERT_OK(externalState->insertPrivilegeDocument(
- "test",
- BSON("user" << "v1read" <<
- "pwd" << "password" <<
- "roles" << BSON_ARRAY("read"))));
- ASSERT_OK(externalState->insertPrivilegeDocument(
- "admin",
- BSON("user" << "v1cluster" <<
- "pwd" << "password" <<
- "roles" << BSON_ARRAY("clusterAdmin"))));
+ authzManager->setAuthorizationVersion(1);
+
+ ASSERT_OK(externalState->insert(NamespaceString("test.system.users"),
+ BSON("user" << "v1read" <<
+ "pwd" << "password" <<
+ "roles" << BSON_ARRAY("read"))));
+ ASSERT_OK(externalState->insert(NamespaceString("admin.system.users"),
+ BSON("user" << "v1cluster" <<
+ "pwd" << "password" <<
+ "roles" << BSON_ARRAY("clusterAdmin"))));
User* v1read;
ASSERT_OK(authzManager->acquireUser(UserName("v1read", "test"), &v1read));
@@ -428,26 +431,24 @@ namespace {
}
TEST_F(AuthorizationManagerTest, initializeAllV1UserData) {
- ASSERT_OK(externalState->insertPrivilegeDocument(
- "test",
- BSON("user" << "readOnly" <<
- "pwd" << "password" <<
- "roles" << BSON_ARRAY("read"))));
- ASSERT_OK(externalState->insertPrivilegeDocument(
- "admin",
- BSON("user" << "clusterAdmin" <<
- "userSource" << "$external" <<
- "roles" << BSON_ARRAY("clusterAdmin"))));
- ASSERT_OK(externalState->insertPrivilegeDocument(
- "test",
- BSON("user" << "readWriteMultiDB" <<
- "pwd" << "password" <<
- "roles" << BSON_ARRAY("readWrite"))));
- ASSERT_OK(externalState->insertPrivilegeDocument(
- "test2",
- BSON("user" << "readWriteMultiDB" <<
- "userSource" << "test" <<
- "roles" << BSON_ARRAY("readWrite"))));
+ authzManager->setAuthorizationVersion(1);
+
+ ASSERT_OK(externalState->insert(NamespaceString("test.system.users"),
+ BSON("user" << "readOnly" <<
+ "pwd" << "password" <<
+ "roles" << BSON_ARRAY("read"))));
+ ASSERT_OK(externalState->insert(NamespaceString("admin.system.users"),
+ BSON("user" << "clusterAdmin" <<
+ "userSource" << "$external" <<
+ "roles" << BSON_ARRAY("clusterAdmin"))));
+ ASSERT_OK(externalState->insert(NamespaceString("test.system.users"),
+ BSON("user" << "readWriteMultiDB" <<
+ "pwd" << "password" <<
+ "roles" << BSON_ARRAY("readWrite"))));
+ ASSERT_OK(externalState->insert(NamespaceString("test2.system.users"),
+ BSON("user" << "readWriteMultiDB" <<
+ "userSource" << "test" <<
+ "roles" << BSON_ARRAY("readWrite"))));
Status status = authzManager->initialize();
ASSERT_OK(status);
@@ -612,23 +613,19 @@ namespace {
static const NamespaceString newUsersCollectioName;
void setUpV1UserData() {
- ASSERT_OK(externalState->insertPrivilegeDocument(
- "test",
+ ASSERT_OK(externalState->insert(NamespaceString("test.system.users"),
BSON("user" << "readOnly" <<
"pwd" << "password" <<
"roles" << BSON_ARRAY("read"))));
- ASSERT_OK(externalState->insertPrivilegeDocument(
- "admin",
+ ASSERT_OK(externalState->insert(NamespaceString("admin.system.users"),
BSON("user" << "clusterAdmin" <<
"userSource" << "$external" <<
"roles" << BSON_ARRAY("clusterAdmin"))));
- ASSERT_OK(externalState->insertPrivilegeDocument(
- "test",
+ ASSERT_OK(externalState->insert(NamespaceString("test.system.users"),
BSON("user" << "readWriteMultiDB" <<
"pwd" << "password" <<
"roles" << BSON_ARRAY("readWrite"))));
- ASSERT_OK(externalState->insertPrivilegeDocument(
- "test2",
+ ASSERT_OK(externalState->insert(NamespaceString("test2.system.users"),
BSON("user" << "readWriteMultiDB" <<
"userSource" << "test" <<
"roles" << BSON_ARRAY("readWrite"))));
@@ -700,6 +697,7 @@ namespace {
const NamespaceString AuthzUpgradeTest::newUsersCollectioName("admin._newusers");
TEST_F(AuthzUpgradeTest, upgradeUserDataFromV1ToV2Clean) {
+ authzManager->setAuthorizationVersion(1);
setUpV1UserData();
ASSERT_OK(authzManager->upgradeAuthCollections());
@@ -708,6 +706,7 @@ namespace {
}
TEST_F(AuthzUpgradeTest, upgradeUserDataFromV1ToV2WithSysVerDoc) {
+ authzManager->setAuthorizationVersion(1);
setUpV1UserData();
ASSERT_OK(externalState->insert(versionCollectionName,
BSON("_id" << 1 << "currentVersion" << 1)));
@@ -718,6 +717,7 @@ namespace {
}
TEST_F(AuthzUpgradeTest, upgradeUserDataFromV1ToV2FailsWithBadInitialVersionDoc) {
+ authzManager->setAuthorizationVersion(1);
setUpV1UserData();
ASSERT_OK(externalState->insert(versionCollectionName,
BSON("_id" << 1 << "currentVersion" << 3)));
@@ -730,6 +730,7 @@ namespace {
}
TEST_F(AuthzUpgradeTest, upgradeUserDataFromV1ToV2FailsWithVersionDocMispatch) {
+ authzManager->setAuthorizationVersion(1);
setUpV1UserData();
ASSERT_OK(externalState->insert(versionCollectionName,
BSON("_id" << 1 << "currentVersion" << 2)));
diff --git a/src/mongo/db/auth/authorization_session_test.cpp b/src/mongo/db/auth/authorization_session_test.cpp
index 1a338bbd10e..5ca4ff21550 100644
--- a/src/mongo/db/auth/authorization_session_test.cpp
+++ b/src/mongo/db/auth/authorization_session_test.cpp
@@ -85,10 +85,18 @@ namespace {
authzSession->addAndAuthorizeUser(UserName("spencer", "test")));
// Add a user with readWrite and dbAdmin on the test DB
- ASSERT_OK(managerState->insertPrivilegeDocument("test",
- BSON("user" << "spencer" <<
- "pwd" << "a" <<
- "roles" << BSON_ARRAY("readWrite" << "dbAdmin"))));
+ ASSERT_OK(managerState->insertPrivilegeDocument("admin",
+ BSON("name" << "spencer" <<
+ "source" << "test" <<
+ "credentials" << BSON("MONGODB-CR" << "a") <<
+ "roles" << BSON_ARRAY(BSON("name" << "readWrite" <<
+ "source" << "test" <<
+ "hasRole" << true <<
+ "canDelegate" << false) <<
+ BSON("name" << "dbAdmin" <<
+ "source" << "test" <<
+ "hasRole" << true <<
+ "canDelegate" << false)))));
ASSERT_OK(authzSession->addAndAuthorizeUser(UserName("spencer", "test")));
ASSERT_TRUE(authzSession->checkAuthorization("test", ActionType::insert));
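Review bot: The V2 user document literal added here (`"name" ... "source" ... "credentials" << BSON("MONGODB-CR" << "a") ... "roles" << BSON_ARRAY(BSON("name" ... "hasRole" << true << "canDelegate" << false))`) is repeated almost verbatim in four more hunks of this file (InvalidateUser twice, UseOldUserInfoInFaceOfConnectivityProblems twice), differing only in the role name. A file-local helper such as `BSONObj makeV2Role(const std::string& name, const std::string& source)` returning `BSON("name" << name << "source" << source << "hasRole" << true << "canDelegate" << false)` would make each test's intent (which role the user holds) readable at a glance and keep the schema in one place for the next change. The "credentials" value is the bare string "a"; the V1 example code elsewhere in this commit used createPasswordDigest for pwd, so if these session tests never verify credentials that is harmless, but a short comment saying so would stop the fixture being copied as a template.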
@@ -99,9 +107,13 @@ namespace {
// Add an admin user with readWriteAnyDatabase
ASSERT_OK(managerState->insertPrivilegeDocument("admin",
- BSON("user" << "admin" <<
- "pwd" << "a" <<
- "roles" << BSON_ARRAY("readWriteAnyDatabase"))));
+ BSON("name" << "admin" <<
+ "source" << "admin" <<
+ "credentials" << BSON("MONGODB-CR" << "a") <<
+ "roles" << BSON_ARRAY(BSON("name" << "readWriteAnyDatabase" <<
+ "source" << "admin" <<
+ "hasRole" << true <<
+ "canDelegate" << false)))));
ASSERT_OK(authzSession->addAndAuthorizeUser(UserName("admin", "admin")));
ASSERT_TRUE(authzSession->checkAuthorization("*", ActionType::insert));
@@ -123,10 +135,14 @@ namespace {
TEST_F(AuthorizationSessionTest, InvalidateUser) {
// Add a readWrite user
- ASSERT_OK(managerState->insertPrivilegeDocument("test",
- BSON("user" << "spencer" <<
- "pwd" << "a" <<
- "roles" << BSON_ARRAY("readWrite"))));
+ ASSERT_OK(managerState->insertPrivilegeDocument("admin",
+ BSON("name" << "spencer" <<
+ "source" << "test" <<
+ "credentials" << BSON("MONGODB-CR" << "a") <<
+ "roles" << BSON_ARRAY(BSON("name" << "readWrite" <<
+ "source" << "test" <<
+ "hasRole" << true <<
+ "canDelegate" << false)))));
ASSERT_OK(authzSession->addAndAuthorizeUser(UserName("spencer", "test")));
ASSERT_TRUE(authzSession->checkAuthorization("test", ActionType::find));
@@ -137,10 +153,14 @@ namespace {
// Change the user to be read-only
managerState->clearPrivilegeDocuments();
- ASSERT_OK(managerState->insertPrivilegeDocument("test",
- BSON("user" << "spencer" <<
- "pwd" << "a" <<
- "roles" << BSON_ARRAY("read"))));
+ ASSERT_OK(managerState->insertPrivilegeDocument("admin",
+ BSON("name" << "spencer" <<
+ "source" << "test" <<
+ "credentials" << BSON("MONGODB-CR" << "a") <<
+ "roles" << BSON_ARRAY(BSON("name" << "read" <<
+ "source" << "test" <<
+ "hasRole" << true <<
+ "canDelegate" << false)))));
// Make sure that invalidating the user causes the session to reload its privileges.
authzManager->invalidateUser(user);
@@ -161,10 +181,14 @@ namespace {
TEST_F(AuthorizationSessionTest, UseOldUserInfoInFaceOfConnectivityProblems) {
// Add a readWrite user
- ASSERT_OK(managerState->insertPrivilegeDocument("test",
- BSON("user" << "spencer" <<
- "pwd" << "a" <<
- "roles" << BSON_ARRAY("readWrite"))));
+ ASSERT_OK(managerState->insertPrivilegeDocument("admin",
+ BSON("name" << "spencer" <<
+ "source" << "test" <<
+ "credentials" << BSON("MONGODB-CR" << "a") <<
+ "roles" << BSON_ARRAY(BSON("name" << "readWrite" <<
+ "source" << "test" <<
+ "hasRole" << true <<
+ "canDelegate" << false)))));
ASSERT_OK(authzSession->addAndAuthorizeUser(UserName("spencer", "test")));
ASSERT_TRUE(authzSession->checkAuthorization("test", ActionType::find));
@@ -176,10 +200,14 @@ namespace {
// Change the user to be read-only
managerState->setFindsShouldFail(true);
managerState->clearPrivilegeDocuments();
- ASSERT_OK(managerState->insertPrivilegeDocument("test",
- BSON("user" << "spencer" <<
- "pwd" << "a" <<
- "roles" << BSON_ARRAY("read"))));
+ ASSERT_OK(managerState->insertPrivilegeDocument("admin",
+ BSON("name" << "spencer" <<
+ "source" << "test" <<
+ "credentials" << BSON("MONGODB-CR" << "a") <<
+ "roles" << BSON_ARRAY(BSON("name" << "read" <<
+ "source" << "test" <<
+ "hasRole" << true <<
+ "canDelegate" << false)))));
// Even though the user's privileges have been reduced, since we've configured user
// document lookup to fail, the authz session should continue to use its known out-of-date
@@ -191,15 +219,17 @@ namespace {
TEST_F(AuthorizationSessionTest, ImplicitAcquireFromSomeDatabasesWithV1Users) {
- managerState->insertPrivilegeDocument("test",
+ authzManager->setAuthorizationVersion(1);
+
+ managerState->insert(NamespaceString("test.system.users"),
BSON("user" << "andy" <<
"pwd" << "a" <<
"roles" << BSON_ARRAY("readWrite")));
- managerState->insertPrivilegeDocument("test2",
+ managerState->insert(NamespaceString("test2.system.users"),
BSON("user" << "andy" <<
"userSource" << "test" <<
"roles" << BSON_ARRAY("read")));
- managerState->insertPrivilegeDocument("admin",
+ managerState->insert(NamespaceString("admin.system.users"),
BSON("user" << "andy" <<
"userSource" << "test" <<
"roles" << BSON_ARRAY("clusterAdmin") <<
diff --git a/src/mongo/db/auth/authz_manager_external_state_mock.cpp b/src/mongo/db/auth/authz_manager_external_state_mock.cpp
index 82afca81614..e5fbbbc4853 100644
--- a/src/mongo/db/auth/authz_manager_external_state_mock.cpp
+++ b/src/mongo/db/auth/authz_manager_external_state_mock.cpp
@@ -43,7 +43,7 @@ namespace mongo {
Status AuthzManagerExternalStateMock::insertPrivilegeDocument(const std::string& dbname,
const BSONObj& userObj) {
- NamespaceString usersCollection(dbname + ".system.users");
+ NamespaceString usersCollection("admin.system.users");
return insert(usersCollection, userObj);
}
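Review bot: After `NamespaceString usersCollection("admin.system.users");` the `dbname` parameter of insertPrivilegeDocument is never read, yet callers in authorization_session_test.cpp still pass it, so a caller passing "test" would silently have its document land in admin.system.users with no hint the argument is ignored. Either drop the parameter from the mock (its declaration is not in this diff, so that needs a matching header change) or make the contract explicit with a comment above the definition, e.g. `// V2 user documents all live in admin.system.users; the user's own database is carried by the document's "source" field, so dbname is intentionally ignored.` Callers that still pass a database name then read as deliberate rather than stale.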
diff --git a/src/mongo/shell/db.js b/src/mongo/shell/db.js
index 0622e50b445..8b54e9f2430 100644
--- a/src/mongo/shell/db.js
+++ b/src/mongo/shell/db.js
@@ -283,7 +283,8 @@ DB.prototype.removeUser = function( username ){
return true;
}
- if (res.errmsg.startsWith("No users found on database")) {
+ var notFoundErrmsg = "User '" + username + "@" + this.getName() + "' not found";
+ if (res.errmsg == notFoundErrmsg) {
return false;
}
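Review bot: `if (res.errmsg == notFoundErrmsg)` ties removeUser to the exact text of a server-side error message, including the `user@db` formatting, so any rewording or different quoting of the name stops the not-found case being recognised and sends the call down whatever path follows the if (outside this hunk). If the server response carries an error code for this case (`res.code`), comparing on that is more robust than message text; otherwise a comment such as `// Must match the server's "not found" error text exactly.` at least records the coupling. The replaced prefix match was looser but equally undocumented, so this is a chance to fix both.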
diff --git a/src/mongo/shell/utils.js b/src/mongo/shell/utils.js
index df35d9b0cab..76a2d3c8a14 100644
--- a/src/mongo/shell/utils.js
+++ b/src/mongo/shell/utils.js
@@ -205,6 +205,8 @@ if ( typeof _threadInject != "undefined" ){
"jstests/extent.js",
"jstests/indexb.js",
"jstests/profile1.js",
+ "jstests/profile3.js",
+ "jstests/profile4.js",
"jstests/mr3.js",
"jstests/indexh.js",
"jstests/apitest_db.js",
@@ -229,7 +231,11 @@ if ( typeof _threadInject != "undefined" ){
] );
// some tests can't be run in parallel with each other
- var serialTestsArr = [ "jstests/fsync.js"
+ var serialTestsArr = [ "jstests/fsync.js",
+ "jstests/auth1.js",
+ "jstests/auth_copydb2.js",
+ "jstests/connection_status.js",
+ "jstests/validate_user_documents.js"
// ,"jstests/fsync2.js" // SERVER-4243
];
var serialTests = makeKeys( serialTestsArr );
@@ -396,6 +402,12 @@ jsTest.path = jsTestPath
jsTest.options = jsTestOptions
jsTest.setOption = setJsTestOption
jsTest.log = jsTestLog
+jsTest.readOnlyUserRoles = ["read"]
+jsTest.basicUserRoles = ["readWrite", "dbAdmin", "userAdmin"]
+jsTest.adminUserRoles = ["clusterAdmin",
+ "userAdminAnyDatabase",
+ "dbAdminAnyDatabase",
+ "readWriteAnyDatabase"]
jsTest.dir = function(){
return jsTest.path().replace( /\/[^\/]+$/, "/" )
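Review bot: The three new role lists `jsTest.readOnlyUserRoles`, `jsTest.basicUserRoles` and `jsTest.adminUserRoles` carry no comment saying what they are for; only adminUserRoles has a visible consumer (jsTest.addAuth, further down in this file). A line above them such as `// Role lists handed to addUser() by the test helpers; adminUserRoles is what jsTest.addAuth grants the test admin user.` would tell a reader which set to pick. basicUserRoles includes userAdmin, which presumably lets a "basic" test user manage other users on its database; if that is intended it is worth stating next to the definition.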
@@ -424,7 +436,7 @@ jsTest.addAuth = function(conn) {
}
print ("Adding admin user on connection: " + localconn);
return localconn.getDB('admin').addUser(jsTestOptions().adminUser, jsTestOptions().adminPassword,
- false, 'majority', 60000);
+ jsTest.adminUserRoles, 'majority', 60000);
}
jsTest.authenticate = function(conn) {
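Review bot: The third argument of `localconn.getDB('admin').addUser(...)` changes from the boolean `false` to `jsTest.adminUserRoles`, so addUser's signature has evidently moved from a readOnly flag to a roles list; addUser itself is not in this diff, and any other shell or jstests caller still passing a boolean there would now hand a bool where a roles array is expected. Worth checking the remaining addUser(..., true/false, ...) call sites and documenting the new parameter order on addUser's definition. jsTest.addAuth's body starts outside the hunk.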