path: root/jstests/auth/clac_system_colls.js
/**
 * This tests that CLAC (collection level access control) handles system collections properly.
 */

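/**
 * Verify that system collections are treated correctly by CLAC.
 *
 * Two roles are created on the given database: one holding a 'find' privilege on
 * the database-wide resource (empty collection name) and one holding an explicit
 * 'find' privilege on each system collection. A user with only the first role
 * must be refused on every system collection with an Unauthorized error, while a
 * user with only the second role must be able to count them but must not be able
 * to read a normal collection.
 *
 * @param {DB} admindb - the 'admin' database of a fresh server or cluster; users
 *     and roles are created here and the function leaves the connection logged out.
 */
function runTest(admindb) {
    // Error code the server returns when a command is not authorized.
    var authzErrorCode = 13;

    admindb.createUser({user: "admin", pwd: "pwd", roles: ["userAdminAnyDatabase"]});
    assert.eq(1, admindb.auth("admin", "pwd"));

    var sysCollections = [
        "system.indexes",
        "system.js",
        "system.namespaces",
        "system.profile",
        "system.roles",
        "system.users"
    ];
    // One explicit 'find' privilege per system collection, on this database only.
    var sysPrivs = sysCollections.map(function(coll) {
        return {resource: {db: admindb.getName(), collection: coll}, actions: ['find']};
    });

    // An empty collection name matches the normal collections of the database.
    var findPriv = {resource: {db: admindb.getName(), collection: ""}, actions: ['find']};

    admindb.createRole({role: "FindInDB", roles: [], privileges: [findPriv]});
    admindb.createRole({role: "FindOnSysRes", roles: [], privileges: sysPrivs});

    admindb.createUser({user: "sysUser", pwd: "pwd", roles: ["FindOnSysRes"]});
    admindb.createUser({user: "user", pwd: "pwd", roles: ["FindInDB"]});

    // Verify the find on all collections excludes system collections: the
    // database-wide privilege must not cover any of them, and the refusal must
    // be an authorization failure rather than some other error.
    assert.eq(1, admindb.auth("user", "pwd"));

    assert.doesNotThrow(function() {
        admindb.foo.findOne();
    });
    sysCollections.forEach(function(coll) {
        var res = admindb.runCommand({count: coll});
        assert.commandFailed(res);
        assert.eq(authzErrorCode,
                  res.code,
                  "count on " + coll + " failed for the wrong reason: " + tojson(res));
    });

    // Verify that find on system collections gives find permissions, and only
    // those: the explicit privileges do not extend to normal collections.
    assert.eq(1, admindb.auth("sysUser", "pwd"));

    assert.throws(function() {
        admindb.foo.findOne();
    });
    sysCollections.forEach(function(coll) {
        assert.commandWorked(admindb.runCommand({count: coll}));
    });

    admindb.logout();
}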

// Exercise the test first against a standalone mongod started with auth enabled,
// then against a sharded cluster through a mongos.
jsTest.log('Test standalone');
var conn = MongoRunner.runMongod({auth: ''});
var standaloneAdmin = conn.getDB("admin");
runTest(standaloneAdmin);
MongoRunner.stopMongod(conn.port);

jsTest.log('Test sharding');
var st = new ShardingTest({shards: 2, config: 3, keyFile: 'jstests/libs/key1'});
var shardedAdmin = st.s.getDB("admin");
runTest(shardedAdmin);
st.stop();