1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
|
/**
* Tests that when RBAC (Role-Based Access Control) is enabled on the cluster, then the user of the
* root role can issue 'find', 'insert', 'update', 'remove' commands on the
* 'config.system.change_collection' collection.
* @tags: [
* assumes_read_preference_unchanged,
* requires_replication,
* requires_fcv_62,
* ]
*/
(function() {
'use strict';
const password = "password";
const keyFile = "jstests/libs/key1";
// A dictionary of users against which authorization of change collection will be verified.
// The format of dictionary is:
// <key>: user-name,
// <value>:
// 'db': authentication db for the user
// 'roles': roles assigned to the user
// 'privileges': allowed operations of the user
const users = {
admin: {
db: "admin",
roles: [{role: "userAdminAnyDatabase", db: "admin"}],
privileges: {
insert: false,
find: false,
update: false,
remove: false,
},
},
clusterAdmin: {
db: "admin",
roles: [{"role": "clusterAdmin", "db": "admin"}],
privileges: {
insert: false,
find: false,
update: false,
remove: false,
},
},
test: {
db: "test",
roles: [{"role": "readWrite", "db": "test"}, {"role": "readWrite", "db": "config"}],
privileges: {
insert: false,
find: false,
update: false,
remove: false,
},
},
root: {
db: "admin",
roles: ["root"],
privileges: {
insert: true,
find: true,
update: true,
remove: true,
}
},
};
// Helper to authenticate and login the user on the provided connection.
function login(conn, userName) {
const user = users[userName];
const db = conn.getDB(user.db);
assert(db.auth(userName, password));
return db;
}
// Helper to create users from the 'users' dictionary on the provided connection.
function createUsers(conn) {
function createUser(userName) {
// A user-creation will happen by 'admin' user. If 'userName' is not 'admin', then login
// first as an 'admin'.
const adminDb = userName !== "admin" ? login(conn, "admin") : null;
// Get the details of user to create and issue create command.
const user = users[userName];
conn.getDB(user.db).createUser({user: userName, pwd: password, roles: user.roles});
// Logout if the current authenticated user is 'admin'.
if (adminDb !== null) {
adminDb.logout();
}
// Verify that the user has been created by logging-in and then logging out.
const db = login(conn, userName);
db.logout();
}
// Create the list of users on the specified connection.
for (const userName of Object.keys(users)) {
createUser(userName);
}
}
// Helper to verify if the logged-in user is authorized to invoke 'actionFunc'.
// The parameter 'isAuthorized' determines if the authorization should pass or fail.
function assertActionAuthorized(actionFunc, isAuthorized) {
try {
actionFunc();
// Verify if the authorization is expected to pass.
assert.eq(isAuthorized, true, "authorization passed unexpectedly");
} catch (ex) {
// Verify if the authorization is expected to fail.
assert.eq(isAuthorized, false, "authorization failed unexpectedly, details: " + ex);
// Verify that the authorization failed with the expected error code.
const unauthorized = 13;
assert.eq(ex.code,
unauthorized,
"expected operation should fail with code: " + unauthorized +
", found: " + ex.code + ", details: " + ex);
}
}
const changeCollectionName = "system.change_collection";
// Helper to verify if the logged-in user is authorized to issue 'find' command.
// The parameter 'authDb' is the authentication db for the user, and 'numDocs' determines the
// least number of documents to be retrieved.
function findChangeCollectionDoc(authDb, numDocs = 1) {
const db = authDb.getSiblingDB("config");
const result = db.getCollection(changeCollectionName).find({_id: 0}).toArray();
assert.eq(result.length, numDocs, result);
}
// Helper to verify if the logged-in user is authorized to issue 'insert' command.
// The parameter 'authDb' is the authentication db for the user.
function insertChangeCollectionDoc(authDb) {
const db = authDb.getSiblingDB("config");
assert.commandWorked(db.getCollection(changeCollectionName).insert({_id: 0}));
findChangeCollectionDoc(authDb, 1 /* numDocs */);
}
// Helper to verify if the logged-in user is authorized to issue 'update' command.
// The parameter 'authDb' is the authentication db for the user.
function updateChangeCollectionDoc(authDb) {
const db = authDb.getSiblingDB("config");
assert.commandWorked(db.getCollection(changeCollectionName).update({_id: 0}, {$set: {x: 0}}));
findChangeCollectionDoc(authDb, 1 /* numDocs */);
}
// Helper to verify if the logged-in user is authorized to issue 'remove' command.
// The parameter 'authDb' is the authentication db for the user.
function removeChangeCollectionDoc(authDb) {
const db = authDb.getSiblingDB("config");
assert.commandWorked(db.getCollection(changeCollectionName).remove({"_id": 0}));
findChangeCollectionDoc(authDb, 0 /* numDocs */);
}
// Start a replica-set test with one-node and authentication enabled. Connect to the primary node
// and create users.
const replSetTest = new ReplSetTest({
name: "shard",
nodes: 1,
useHostName: true,
waitForKeys: false,
serverless: true,
});
replSetTest.startSet({
keyFile: keyFile,
setParameter: {
featureFlagServerlessChangeStreams: true,
multitenancySupport: true,
featureFlagMongoStore: true,
internalChangeStreamUseTenantIdForTesting: true,
}
});
replSetTest.initiate();
const primary = replSetTest.getPrimary();
const adminDb = primary.getDB('admin');
createUsers(primary);
// Connect to the 'root' user.
let testPrimary = login(primary, "root");
// Enable change streams to ensure the creation of change collections.
assert.commandWorked(adminDb.runCommand({setChangeStreamState: 1, enabled: true}));
// Create a collection, insert a document and logout.
assert.commandWorked(testPrimary.createCollection("testColl"));
testPrimary.logout();
// Test the privileges for every user and operation in the 'privilegeMap.
for (const userName of Object.keys(users)) {
const user = login(primary, userName);
for (const [op, isAuthorized] of Object.entries(users[userName]['privileges'])) {
let opFunc;
switch (op) {
case 'insert':
opFunc = insertChangeCollectionDoc.bind(null, user);
break;
case 'find':
opFunc = findChangeCollectionDoc.bind(null, user);
break;
case 'update':
opFunc = updateChangeCollectionDoc.bind(null, user);
break;
case 'remove':
opFunc = removeChangeCollectionDoc.bind(null, user);
break;
default:
assert(false);
}
jsTestLog(`${userName} is performing ${op} on ${changeCollectionName}`);
assertActionAuthorized(opFunc, isAuthorized);
}
user.logout();
}
replSetTest.stopSet();
})();
|
