From 3b3961b638da17d54875b5cab45a01238168b0a3 Mon Sep 17 00:00:00 2001 From: Sophia Tan Date: Mon, 21 Nov 2022 16:26:11 +0000 Subject: SERVER-70975 Exclude commands which are not allowed with security token from NTDI core passthrough (Part 2) --- jstests/core/convert_to_capped.js | 2 ++ jstests/core/convert_to_capped_nonexistant.js | 3 +++ jstests/core/count10.js | 2 ++ jstests/core/count_plan_summary.js | 2 ++ jstests/core/create_collection_fail_cleanup.js | 4 +++- jstests/core/currentop.js | 2 ++ jstests/core/currentop_shell.js | 2 ++ jstests/core/currentop_waiting_for_latch.js | 8 +++++++- jstests/core/datasize2.js | 4 +++- jstests/core/datasize_validation.js | 4 +++- jstests/core/dbhash.js | 2 ++ jstests/core/dbhash2.js | 2 ++ jstests/core/diagdata.js | 3 +++ jstests/core/disallow_query_wrapped_cmd_format.js | 2 ++ jstests/core/doc_validation_invalid_validators.js | 2 ++ jstests/core/drop_collection.js | 3 ++- jstests/core/explain_find_and_modify.js | 2 ++ jstests/core/expr.js | 2 ++ jstests/core/failcommand_failpoint.js | 2 ++ jstests/core/fsync.js | 2 ++ jstests/core/function_string_representations.js | 2 ++ jstests/core/geo_big_polygon3.js | 2 ++ jstests/core/geo_s2cursorlimitskip.js | 2 ++ jstests/core/geo_update_btree2.js | 2 ++ jstests/core/getlog1.js | 4 +++- jstests/core/getlog2.js | 2 ++ jstests/core/getmore_invalidated_cursors.js | 2 ++ jstests/core/hash.js | 2 ++ jstests/core/hostinfo.js | 2 ++ jstests/core/illegal_cmd_namespace.js | 2 ++ jstests/core/index8.js | 2 ++ jstests/core/index_filter_catalog_independent.js | 3 +++ jstests/core/index_filter_collation.js | 3 +++ jstests/core/index_filter_commands.js | 3 +++ .../core/index_filter_commands_invalidate_plan_cache_entries.js | 3 +++ jstests/core/index_filter_on_hidden_index.js | 3 +++ jstests/core/index_stats.js | 2 ++ jstests/core/js_object_properties.js | 2 ++ 38 files changed, 92 insertions(+), 6 deletions(-) (limited to 'jstests/core') diff --git a/jstests/core/convert_to_capped.js b/jstests/core/convert_to_capped.js index 73694bc52d0..704e0ef0915 100644 --- a/jstests/core/convert_to_capped.js +++ b/jstests/core/convert_to_capped.js @@ -1,7 +1,9 @@ /** * Test the convertToCapped cmd. * + * The test runs commands that are not allowed with security token: convertToCapped. * @tags: [ + * not_allowed_with_security_token, * requires_non_retryable_commands, * requires_capped, * ] diff --git a/jstests/core/convert_to_capped_nonexistant.js b/jstests/core/convert_to_capped_nonexistant.js index aa584ec31a7..96844261224 100644 --- a/jstests/core/convert_to_capped_nonexistant.js +++ b/jstests/core/convert_to_capped_nonexistant.js @@ -2,7 +2,10 @@ * This test ensures that ConvertToCapped()ing a nonexistent collection will not cause the server to * abort (SERVER-13750) * + * The test runs commands that are not allowed with security token: ConvertToCapped, + * convertToCapped. * @tags: [ + * not_allowed_with_security_token, * requires_non_retryable_commands, * * # capped collections is not available on embedded diff --git a/jstests/core/count10.js b/jstests/core/count10.js index c981e45a9b8..7f5e2957abe 100644 --- a/jstests/core/count10.js +++ b/jstests/core/count10.js @@ -1,6 +1,8 @@ // Test that interrupting a count returns an error code. // +// The test runs commands that are not allowed with security token: killOp. // @tags: [ +// not_allowed_with_security_token, // # This test attempts to perform a count command and find it using the currentOp command. The // # former operation may be routed to a secondary in the replica set, whereas the latter must be // # routed to the primary. diff --git a/jstests/core/count_plan_summary.js b/jstests/core/count_plan_summary.js index f38e6f00a11..9db379a1a0a 100644 --- a/jstests/core/count_plan_summary.js +++ b/jstests/core/count_plan_summary.js @@ -1,6 +1,8 @@ // Test that the plan summary string appears in db.currentOp() for count operations. SERVER-14064. // +// The test runs commands that are not allowed with security token: killOp. // @tags: [ +// not_allowed_with_security_token, // # This test attempts to perform a find command and find it using the currentOp command. The // # former operation may be routed to a secondary in the replica set, whereas the latter must be // # routed to the primary. diff --git a/jstests/core/create_collection_fail_cleanup.js b/jstests/core/create_collection_fail_cleanup.js index 90d636dbd3a..8e39ddf5379 100644 --- a/jstests/core/create_collection_fail_cleanup.js +++ b/jstests/core/create_collection_fail_cleanup.js @@ -1,6 +1,8 @@ // Test that the server cleans up correctly when creating a collection fails. // -// @tags: [requires_capped] +// The test runs commands that are not allowed with security token: top. +// @tags: [ +// not_allowed_with_security_token,requires_capped] (function() { "use strict"; diff --git a/jstests/core/currentop.js b/jstests/core/currentop.js index 41c2e36110f..a59cd53065a 100644 --- a/jstests/core/currentop.js +++ b/jstests/core/currentop.js @@ -1,7 +1,9 @@ /** * Tests that long-running operations show up in currentOp and report the locks they are holding. * + * The test runs commands that are not allowed with security token: fsyncUnlock. * @tags: [ + * not_allowed_with_security_token, * assumes_superuser_permissions, * # fsync command is not available on embedded * incompatible_with_embedded, diff --git a/jstests/core/currentop_shell.js b/jstests/core/currentop_shell.js index c96ef2507f1..365e1ab3344 100644 --- a/jstests/core/currentop_shell.js +++ b/jstests/core/currentop_shell.js @@ -2,7 +2,9 @@ * Tests that the shell helper db.currentOpCursor isn't constrained by the legacy currentOp server * command - ie. the result set isn't limited to 16MB and long operations aren't truncated. * + * The test runs commands that are not allowed with security token: getLog, killOp. * @tags: [ + * not_allowed_with_security_token, * uses_parallel_shell, * # This test uses currentOp to check whether an aggregate command is running. In replica set * # environments, because currentOp is run against the admin database it is routed to the diff --git a/jstests/core/currentop_waiting_for_latch.js b/jstests/core/currentop_waiting_for_latch.js index c8a18d57d84..b02f219fe02 100644 --- a/jstests/core/currentop_waiting_for_latch.js +++ b/jstests/core/currentop_waiting_for_latch.js @@ -2,7 +2,13 @@ * Tests that a backtrace will appear in the $currentOp output if the backtrace option is * set to true and there is a latch timeout. * - * @tags: [assumes_read_concern_unchanged, assumes_read_preference_unchanged, no_selinux] + * The test runs commands that are not allowed with security token: whatsmyuri. + * @tags: [ + * not_allowed_with_security_token, + * assumes_read_concern_unchanged, + * assumes_read_preference_unchanged, + * no_selinux + * ] */ (function() { "use strict"; diff --git a/jstests/core/datasize2.js b/jstests/core/datasize2.js index a9d008e2ed1..08be0bfe12c 100644 --- a/jstests/core/datasize2.js +++ b/jstests/core/datasize2.js @@ -1,6 +1,8 @@ // Cannot implicitly shard accessed collections because the "dataSize" command returns an // "keyPattern must equal shard key" error response. -// @tags: [assumes_unsharded_collection, no_selinux] +// The test runs commands that are not allowed with security token: dataSize. +// @tags: [ +// not_allowed_with_security_token,assumes_unsharded_collection, no_selinux] // // Test dataSize command, when called on the same or different database // than the collection being queried. diff --git a/jstests/core/datasize_validation.js b/jstests/core/datasize_validation.js index f4e55106166..e7d62c4287b 100644 --- a/jstests/core/datasize_validation.js +++ b/jstests/core/datasize_validation.js @@ -1,6 +1,8 @@ // Cannot implicitly shard accessed collections because the "dataSize" command returns an // "keyPattern must equal shard key" error response. -// @tags: [assumes_unsharded_collection, requires_fcv_53] +// The test runs commands that are not allowed with security token: dataSize. +// @tags: [ +// not_allowed_with_security_token,assumes_unsharded_collection, requires_fcv_53] // // Test argument validation for dataSize command diff --git a/jstests/core/dbhash.js b/jstests/core/dbhash.js index 47143e7d9b4..09de8326056 100644 --- a/jstests/core/dbhash.js +++ b/jstests/core/dbhash.js @@ -1,4 +1,6 @@ +// The test runs commands that are not allowed with security token: dbhash. // @tags: [ +// not_allowed_with_security_token, // # dbhash command is not available on embedded // incompatible_with_embedded, // ] diff --git a/jstests/core/dbhash2.js b/jstests/core/dbhash2.js index f62025b382e..4842d209515 100644 --- a/jstests/core/dbhash2.js +++ b/jstests/core/dbhash2.js @@ -1,4 +1,6 @@ +// The test runs commands that are not allowed with security token: dbhash. // @tags: [ +// not_allowed_with_security_token, // assumes_superuser_permissions, // # dbhash command is not available on embedded // incompatible_with_embedded, diff --git a/jstests/core/diagdata.js b/jstests/core/diagdata.js index 15b47b591f4..6e76f193288 100644 --- a/jstests/core/diagdata.js +++ b/jstests/core/diagdata.js @@ -1,7 +1,10 @@ /* * Test that verifies getDiagnosticData returns FTDC data * + * The test runs commands that are not allowed with security token: getDiagnosticData, + * getDiagnosticData. * @tags: [ + * not_allowed_with_security_token, * # getDiagnosticData command is not available on embedded * incompatible_with_embedded, * # getDiagnosticData is not supported on mongos diff --git a/jstests/core/disallow_query_wrapped_cmd_format.js b/jstests/core/disallow_query_wrapped_cmd_format.js index 5da96528fa9..c98db1dd8f6 100644 --- a/jstests/core/disallow_query_wrapped_cmd_format.js +++ b/jstests/core/disallow_query_wrapped_cmd_format.js @@ -1,8 +1,10 @@ /** * Test that the "wrapped" command format using {$query: } fails cleanly. * + * The test runs commands that are not allowed with security token: query. * @tags: [ * requires_fcv_63, + * not_allowed_with_security_token, * ] */ (function() { diff --git a/jstests/core/doc_validation_invalid_validators.js b/jstests/core/doc_validation_invalid_validators.js index b816100b0a2..3bb7d41f926 100644 --- a/jstests/core/doc_validation_invalid_validators.js +++ b/jstests/core/doc_validation_invalid_validators.js @@ -1,6 +1,8 @@ // Cannot implicitly shard accessed collections because of collection existing when none // expected. +// The test runs commands that are not allowed with security token: eval. // @tags: [ +// not_allowed_with_security_token, // assumes_no_implicit_collection_creation_after_drop, // requires_non_retryable_commands, // ] diff --git a/jstests/core/drop_collection.js b/jstests/core/drop_collection.js index 2d44ca0379f..3dd4bafbe1b 100644 --- a/jstests/core/drop_collection.js +++ b/jstests/core/drop_collection.js @@ -1,7 +1,8 @@ /** * Basic test for the drop collection command - * + * The test runs commands that are not allowed with security token: isbdgrid. * @tags: [ + * not_allowed_with_security_token, * # Cannot implicitly shard accessed collections because of collection * # existing when none expected. * assumes_no_implicit_collection_creation_after_drop, diff --git a/jstests/core/explain_find_and_modify.js b/jstests/core/explain_find_and_modify.js index 6a6d13221e1..5809c94ce55 100644 --- a/jstests/core/explain_find_and_modify.js +++ b/jstests/core/explain_find_and_modify.js @@ -1,6 +1,8 @@ // Cannot implicitly shard accessed collections because of collection existing when none // expected. +// The test runs commands that are not allowed with security token: isbdgrid. // @tags: [ +// not_allowed_with_security_token, // assumes_no_implicit_collection_creation_after_drop, // ] diff --git a/jstests/core/expr.js b/jstests/core/expr.js index 16d6e99780d..0e30b4584ca 100644 --- a/jstests/core/expr.js +++ b/jstests/core/expr.js @@ -1,4 +1,6 @@ +// The test runs commands that are not allowed with security token: mapReduce. // @tags: [ +// not_allowed_with_security_token, // does_not_support_stepdowns, // requires_getmore, // requires_non_retryable_writes, diff --git a/jstests/core/failcommand_failpoint.js b/jstests/core/failcommand_failpoint.js index b13f758008d..4eee98dcb9a 100644 --- a/jstests/core/failcommand_failpoint.js +++ b/jstests/core/failcommand_failpoint.js @@ -1,6 +1,8 @@ /** * Tests the "failCommand" failpoint. + * The test runs commands that are not allowed with security token: whatsmyuri. * @tags: [ + * not_allowed_with_security_token, * assumes_read_concern_unchanged, * assumes_read_preference_unchanged, * no_selinux, diff --git a/jstests/core/fsync.js b/jstests/core/fsync.js index ee66fcb313f..4369f1a81ab 100644 --- a/jstests/core/fsync.js +++ b/jstests/core/fsync.js @@ -6,7 +6,9 @@ * - Confirm that writes can progress after fsyncUnlock * - Confirm that the command can be run repeatedly without breaking things * + * The test runs commands that are not allowed with security token: fsync, fsyncUnlock. * @tags: [ + * not_allowed_with_security_token, * requires_fastcount, * requires_fsync, * uses_parallel_shell, diff --git a/jstests/core/function_string_representations.js b/jstests/core/function_string_representations.js index 9d79bb9c8d4..283a785238d 100644 --- a/jstests/core/function_string_representations.js +++ b/jstests/core/function_string_representations.js @@ -1,4 +1,6 @@ +// The test runs commands that are not allowed with security token: mapReduce. // @tags: [ +// not_allowed_with_security_token, // does_not_support_stepdowns, // uses_map_reduce_with_temp_collections, // ] diff --git a/jstests/core/geo_big_polygon3.js b/jstests/core/geo_big_polygon3.js index 3f47a6b91eb..c0b4a7e9012 100644 --- a/jstests/core/geo_big_polygon3.js +++ b/jstests/core/geo_big_polygon3.js @@ -1,4 +1,6 @@ +// The test runs commands that are not allowed with security token: mapReduce. // @tags: [ +// not_allowed_with_security_token, // does_not_support_stepdowns, // requires_fastcount, // requires_multi_updates, diff --git a/jstests/core/geo_s2cursorlimitskip.js b/jstests/core/geo_s2cursorlimitskip.js index cafee153af5..7a2aa2f5782 100644 --- a/jstests/core/geo_s2cursorlimitskip.js +++ b/jstests/core/geo_s2cursorlimitskip.js @@ -1,6 +1,8 @@ // Test various cursor behaviors // +// The test runs commands that are not allowed with security token: profile, setProfilingLevel. // @tags: [ +// not_allowed_with_security_token, // # This test attempts to enable profiling on a server and then get profiling data by reading // # nodes the "system.profile" collection. The former operation must be routed to the primary in // # a replica set, whereas the latter may be routed to a secondary. diff --git a/jstests/core/geo_update_btree2.js b/jstests/core/geo_update_btree2.js index 962d8b524f4..9f1f59fc162 100644 --- a/jstests/core/geo_update_btree2.js +++ b/jstests/core/geo_update_btree2.js @@ -1,4 +1,6 @@ +// The test runs commands that are not allowed with security token: setParameter. // @tags: [ +// not_allowed_with_security_token, // assumes_superuser_permissions, // does_not_support_stepdowns, // requires_getmore, diff --git a/jstests/core/getlog1.js b/jstests/core/getlog1.js index d55e68740dd..a5989e87c75 100644 --- a/jstests/core/getlog1.js +++ b/jstests/core/getlog1.js @@ -1,4 +1,6 @@ -// @tags: [does_not_support_stepdowns] +// The test runs commands that are not allowed with security token: getLog. +// @tags: [ +// not_allowed_with_security_token,does_not_support_stepdowns] // to run: // ./mongo jstests/ diff --git a/jstests/core/getlog2.js b/jstests/core/getlog2.js index e6c8556069b..765814aa062 100644 --- a/jstests/core/getlog2.js +++ b/jstests/core/getlog2.js @@ -1,6 +1,8 @@ // tests getlog as well as slow querying logging // +// The test runs commands that are not allowed with security token: getLog. // @tags: [ +// not_allowed_with_security_token, // # This test attempts to perform a find command and see that it ran using the getLog command. // # The former operation may be routed to a secondary in the replica set, whereas the latter must // # be routed to the primary. diff --git a/jstests/core/getmore_invalidated_cursors.js b/jstests/core/getmore_invalidated_cursors.js index a7f8a9936d5..4eca5fb297c 100644 --- a/jstests/core/getmore_invalidated_cursors.js +++ b/jstests/core/getmore_invalidated_cursors.js @@ -1,4 +1,6 @@ +// The test runs commands that are not allowed with security token: killCursors. // @tags: [ +// not_allowed_with_security_token, // assumes_balancer_off, // requires_collstats, // requires_getmore, diff --git a/jstests/core/hash.js b/jstests/core/hash.js index ab522564cfb..3b0367080cc 100644 --- a/jstests/core/hash.js +++ b/jstests/core/hash.js @@ -4,7 +4,9 @@ * time or across architectures. This is a good place to put tests for any edge cases in the hash * function that might be prone to change because of code changes or because of differences between * architectures. + * The test runs commands that are not allowed with security token: _hashBSONElement. * @tags: [ + * not_allowed_with_security_token, * no_selinux, * ] */ diff --git a/jstests/core/hostinfo.js b/jstests/core/hostinfo.js index 04f341a659d..0c5ed858f49 100644 --- a/jstests/core/hostinfo.js +++ b/jstests/core/hostinfo.js @@ -1,4 +1,6 @@ +// The test runs commands that are not allowed with security token: hostInfo. // @tags: [ +// not_allowed_with_security_token, // # `hostInfo` command is not available on embedded // incompatible_with_embedded, // ] diff --git a/jstests/core/illegal_cmd_namespace.js b/jstests/core/illegal_cmd_namespace.js index 3dc26c4e67a..f3075337abe 100644 --- a/jstests/core/illegal_cmd_namespace.js +++ b/jstests/core/illegal_cmd_namespace.js @@ -2,7 +2,9 @@ * Test that an attempt to run a query over a $cmd namespace is not treated specially by the shell, * but is rejected by the server. * + * The test runs commands that are not allowed with security token: killop. * @tags: [ + * not_allowed_with_security_token, * assumes_unsharded_collection, * ] */ diff --git a/jstests/core/index8.js b/jstests/core/index8.js index f070e6604bd..3887906dddc 100644 --- a/jstests/core/index8.js +++ b/jstests/core/index8.js @@ -1,4 +1,6 @@ +// The test runs commands that are not allowed with security token: reIndex. // @tags: [ +// not_allowed_with_security_token, // # Asserts on the output of listIndexes. // assumes_no_implicit_index_creation, // # Cannot implicitly shard accessed collections because of not being able to create unique diff --git a/jstests/core/index_filter_catalog_independent.js b/jstests/core/index_filter_catalog_independent.js index 48889c7e414..2c244fdb070 100644 --- a/jstests/core/index_filter_catalog_independent.js +++ b/jstests/core/index_filter_catalog_independent.js @@ -2,7 +2,10 @@ * Test that index filters are applied regardless of catalog changes. Intended to reproduce * SERVER-33303. * + * The test runs commands that are not allowed with security token: planCacheListFilters, + * planCacheSetFilter. * @tags: [ + * not_allowed_with_security_token, * # This test performs queries with index filters set up. Since index filters are local to a * # mongod, and do not replicate, this test must issue all of its commands against the same node. * assumes_read_preference_unchanged, diff --git a/jstests/core/index_filter_collation.js b/jstests/core/index_filter_collation.js index 917b6679563..b1b3edaa3d0 100644 --- a/jstests/core/index_filter_collation.js +++ b/jstests/core/index_filter_collation.js @@ -1,6 +1,9 @@ /** * Test that index filters are applied with the correct collation. + * The test runs commands that are not allowed with security token: planCacheListFilters, + * planCacheSetFilter. * @tags: [ + * not_allowed_with_security_token, * # Needs to create a collection with a collation. * assumes_no_implicit_collection_creation_after_drop, * # This test attempts to perform queries with plan cache filters set up. The former operation diff --git a/jstests/core/index_filter_commands.js b/jstests/core/index_filter_commands.js index 68cf83166a5..1272cb2fd19 100644 --- a/jstests/core/index_filter_commands.js +++ b/jstests/core/index_filter_commands.js @@ -19,7 +19,10 @@ * using the $planCacheStats aggregation metadata source on the same query shape with the index * filters. * + * The test runs commands that are not allowed with security token: planCacheClearFilters, + * planCacheListFilters, planCacheSetFilter. * @tags: [ + * not_allowed_with_security_token, * # Cannot implicitly shard accessed collections because of collection existing when none * # expected. * assumes_no_implicit_collection_creation_after_drop, diff --git a/jstests/core/index_filter_commands_invalidate_plan_cache_entries.js b/jstests/core/index_filter_commands_invalidate_plan_cache_entries.js index 9fd0cae1889..059241284ac 100644 --- a/jstests/core/index_filter_commands_invalidate_plan_cache_entries.js +++ b/jstests/core/index_filter_commands_invalidate_plan_cache_entries.js @@ -1,7 +1,10 @@ /** * Test that index filter commands (planCacheSetFilter, planCacheClearFilters) invalidate the * corresponding plan cache entries. + * The test runs commands that are not allowed with security token: planCacheClearFilters, + * planCacheSetFilter. * @tags: [ + * not_allowed_with_security_token, * # This test attempts to perform queries with plan cache filters set up. The index filter * # commands and the queries to which those index filters apply could be routed to different * # nodes. diff --git a/jstests/core/index_filter_on_hidden_index.js b/jstests/core/index_filter_on_hidden_index.js index 9dcb98a0986..770802b8b3e 100644 --- a/jstests/core/index_filter_on_hidden_index.js +++ b/jstests/core/index_filter_on_hidden_index.js @@ -9,7 +9,10 @@ * - It is legal to set an index filter on a hidden index, but the index will not actually be * used until it is made visible. * + * The test runs commands that are not allowed with security token: planCacheListFilters, + * planCacheSetFilter. * @tags: [ + * not_allowed_with_security_token, * # Command 'planCacheSetFilter' may return different values after a failover. * does_not_support_stepdowns, * # In some scenarios this test asserts that a collection scan is the chosen plan. diff --git a/jstests/core/index_stats.js b/jstests/core/index_stats.js index 3c8c98764a3..8561cbd2029 100644 --- a/jstests/core/index_stats.js +++ b/jstests/core/index_stats.js @@ -1,4 +1,6 @@ +// The test runs commands that are not allowed with security token: mapReduce. // @tags: [ +// not_allowed_with_security_token, // # This test attempts to perform write operations and get index usage statistics using the // # $indexStats stage. The former operation must be routed to the primary in a replica set, // # whereas the latter may be routed to a secondary. diff --git a/jstests/core/js_object_properties.js b/jstests/core/js_object_properties.js index 8c42fb5b208..fb4313cc0ea 100644 --- a/jstests/core/js_object_properties.js +++ b/jstests/core/js_object_properties.js @@ -1,6 +1,8 @@ // Tests that the properties available on the 'this' object during js execution are only those found // in the database's BSON object. +// The test runs commands that are not allowed with security token: mapReduce. // @tags: [ +// not_allowed_with_security_token, // # mapReduce does not support afterClusterTime. // does_not_support_causal_consistency, // ] -- cgit v1.2.1