1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
|
// MapReduce executed by a read-only user when --auth enabled should only be able to use inline
// mode. Other modes require writing to an output collection which is not allowed. SERVER-3345
//
// This test requires users to persist across a restart.
// @tags: [requires_persistence]
baseName = "jstests_mr_auth";
dbName = "test";
out = baseName + "_out";
map = function() {
emit(this.x, this.y);
};
red = function(k, vs) {
var s = 0;
for (var i = 0; i < vs.length; i++)
s += vs[i];
return s;
};
red2 = function(k, vs) {
return 42;
};
// make sure writing is allowed when started without --auth enabled
dbms = MongoRunner.runMongod({bind_ip: "127.0.0.1"});
var d = dbms.getDB(dbName);
var t = d[baseName];
for (var i = 0; i < 1000; i++)
t.insert({_id: i, x: i % 10, y: i % 100});
assert.eq(1000, t.count(), "inserts failed");
d.dropAllUsers();
d.getSisterDB("admin").createUser({user: "admin", pwd: "admin", roles: jsTest.adminUserRoles});
d.getSisterDB("admin").auth('admin', 'admin');
d.createUser({user: "write", pwd: "write", roles: jsTest.basicUserRoles});
d.createUser({user: "read", pwd: "read", roles: jsTest.readOnlyUserRoles});
d.getSisterDB("admin").logout();
t.mapReduce(map, red, {out: {inline: 1}});
t.mapReduce(map, red, {out: {replace: out}});
t.mapReduce(map, red, {out: {reduce: out}});
t.mapReduce(map, red, {out: {merge: out}});
d[out].drop();
MongoRunner.stopMongod(dbms);
// In --auth mode, read-only user should not be able to write to existing or temporary collection,
// thus only can execute inline mode
dbms = MongoRunner.runMongod(
{restart: true, cleanData: false, dbpath: dbms.dbpath, auth: "", bind_ip: "127.0.0.1"});
d = dbms.getDB(dbName);
t = d[baseName];
assert.throws(function() {
t.findOne();
}, [], "read without login");
assert.throws(function() {
t.mapReduce(map, red, {out: {inline: 1}});
}, [], "m/r without login");
d.auth("read", "read");
t.findOne();
t.mapReduce(map, red, {out: {inline: 1}});
assert.throws(function() {
t.mapReduce(map, red2, {out: {replace: out}});
}, [], "read-only user shouldn't be able to output m/r to a collection");
assert.throws(function() {
t.mapReduce(map, red2, {out: {reduce: out}});
}, [], "read-only user shouldn't be able to output m/r to a collection");
assert.throws(function() {
t.mapReduce(map, red2, {out: {merge: out}});
}, [], "read-only user shouldn't be able to output m/r to a collection");
assert.eq(0, d[out].count(), "output collection should be empty");
d.logout();
assert.throws(function() {
t.mapReduce(map, red, {out: {replace: out}});
}, [], "m/r without login");
d.auth("write", "write");
t.mapReduce(map, red, {out: {inline: 1}});
t.mapReduce(map, red, {out: {replace: out}});
t.mapReduce(map, red, {out: {reduce: out}});
t.mapReduce(map, red, {out: {merge: out}});
// make sure it fails if output to a diff db
assert.throws(function() {
t.mapReduce(map, red, {out: {replace: out, db: "admin"}});
});
MongoRunner.stopMongod(dbms);
print("\n\n\nmr_auth.js SUCCESS\n\n\n");
|
