1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
/**
* This tests that CLAC (collection level access control) handles system collections properly.
* @tags: [requires_sharding]
*/
// Verify that system collections are treated correctly
function runTest(admindb) {
var authzErrorCode = 13;
admindb.createUser({user: "admin", pwd: "pwd", roles: ["userAdminAnyDatabase"]});
assert.eq(1, admindb.auth("admin", "pwd"));
var sysCollections = ["system.js", "system.profile", "system.roles", "system.users"];
var sysPrivs = new Array();
for (var i in sysCollections) {
sysPrivs.push(
{resource: {db: admindb.getName(), collection: sysCollections[i]}, actions: ['find']});
}
var findPriv = {resource: {db: admindb.getName(), collection: ""}, actions: ['find']};
admindb.createRole({role: "FindInDB", roles: [], privileges: [findPriv]});
admindb.createRole({role: "FindOnSysRes", roles: [], privileges: sysPrivs});
admindb.createUser({user: "sysUser", pwd: "pwd", roles: ["FindOnSysRes"]});
admindb.createUser({user: "user", pwd: "pwd", roles: ["FindInDB"]});
// Verify the find on all collections exludes system collections
assert.eq(1, admindb.auth("user", "pwd"));
assert.doesNotThrow(function() {
admindb.foo.findOne();
});
for (var i in sysCollections) {
assert.commandFailed(admindb.runCommand({count: sysCollections[i]}));
}
// Verify that find on system collections gives find permissions
assert.eq(1, admindb.auth("sysUser", "pwd"));
assert.throws(function() {
admindb.foo.findOne();
});
for (var i in sysCollections) {
assert.commandWorked(admindb.runCommand({count: sysCollections[i]}));
}
admindb.logout();
}
jsTest.log('Test standalone');
var conn = MongoRunner.runMongod({auth: ''});
runTest(conn.getDB("admin"));
MongoRunner.stopMongod(conn);
jsTest.log('Test sharding');
var st = new ShardingTest({shards: 2, config: 3, keyFile: 'jstests/libs/key1'});
runTest(st.s.getDB("admin"));
st.stop();
|
