1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
|
// Standalone test of authSchemaUpgrade
load('./jstests/multiVersion/libs/auth_helpers.js');
var setupCRUsers = function(conn) {
jsTest.log("setting up legacy users");
var adminDB = conn.getDB('admin');
adminDB.system.version.update({_id: "authSchema"}, {"currentVersion": 3}, {upsert: true});
adminDB.createUser({user: 'user1', pwd: 'pass', roles: jsTest.adminUserRoles});
assert(adminDB.auth({mechanism: 'MONGODB-CR', user: 'user1', pwd: 'pass'}));
adminDB.createUser({user: 'user2', pwd: 'pass', roles: jsTest.adminUserRoles});
assert(adminDB.auth({mechanism: 'MONGODB-CR', user: 'user2', pwd: 'pass'}));
// Add $external no-op user to verify that it does not affect
// authSchemaUpgrade SERVER-18475
adminDB.getSiblingDB('$external').createUser({user: "evil", roles: []});
jsTest.log("Verifying user documents before upgrading");
// We haven't run authSchemaUpgrade so there shouldn't be
// any stored SCRAM-SHA-1 credentials.
verifyUserDoc(adminDB, 'user1', true, false);
verifyUserDoc(adminDB, 'user2', true, false);
verifyUserDoc(adminDB.getSiblingDB('$external'), "evil", false, false, true);
adminDB.updateUser('user1', {pwd: 'newpass', roles: jsTest.adminUserRoles});
verifyAuth(adminDB, 'user1', 'newpass', true, true);
verifyUserDoc(adminDB, 'user1', true, false);
};
var verifySchemaUpgrade = function(adminDB) {
// All users should only have SCRAM credentials.
verifyUserDoc(adminDB, 'user1', false, true);
verifyUserDoc(adminDB, 'user2', false, true);
verifyUserDoc(adminDB.getSiblingDB('$external'), "evil", false, false, true);
// After authSchemaUpgrade MONGODB-CR no longer works.
verifyAuth(adminDB, 'user1', 'newpass', false, true);
verifyAuth(adminDB, 'user2', 'pass', false, true);
};
var runAndVerifySchemaUpgrade = function(conn) {
jsTest.log("run authSchemaUpgrade");
var adminDB = conn.getDB('admin');
assert.commandWorked(adminDB.runCommand('authSchemaUpgrade'));
verifySchemaUpgrade(adminDB);
};
var testAuthSchemaUpgrade = function(conn) {
setupCRUsers(conn);
runAndVerifySchemaUpgrade(conn);
};
// Test authSchemaUpgrade and upgrade shards
var testUpgradeShards = function(mongos, shard) {
setupCRUsers(shard);
assert.commandWorked(mongos.adminCommand({"authSchemaUpgrade": 1, "upgradeShards": 1}));
verifySchemaUpgrade(shard.getDB('admin'));
};
jsTest.log('Test authSchemUpgrade standalone');
var conn = MongoRunner.runMongod();
testAuthSchemaUpgrade(conn);
MongoRunner.stopMongod(conn);
jsTest.log('Test authSchemUpgrade sharded');
var dopts = {smallfiles: "", nopreallocj: ""};
var st = new ShardingTest({
shards: 1,
mongos: 1,
config: 1,
useHostname: false, // Needed when relying on the localhost exception
other: {shardOptions: dopts, configOptions: dopts, mongosOptions: {verbose: 1}}
});
testAuthSchemaUpgrade(st.s);
testUpgradeShards(st.s, st.shard0);
st.stop();
|