1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
|
// check replica set authentication
//
// This test requires users to persist across a restart.
// @tags: [requires_persistence]
load("jstests/replsets/rslib.js");
(function() {
"use strict";
// TODO SERVER-35447: Multiple users cannot be authenticated on one connection within a session.
TestData.disableImplicitSessions = true;
var name = "rs_auth1";
var port = allocatePorts(5);
var path = "jstests/libs/";
// These keyFiles have their permissions set to 600 later in the test.
var key1_600 = path + "key1";
var key2_600 = path + "key2";
// This keyFile has its permissions set to 644 later in the test.
var key1_644 = path + "key1_644";
print("try starting mongod with auth");
var m =
MongoRunner.runMongod({auth: "", port: port[4], dbpath: MongoRunner.dataDir + "/wrong-auth"});
assert.eq(m.getDB("local").auth("__system", ""), 0);
MongoRunner.stopMongod(m);
print("reset permissions");
run("chmod", "644", key1_644);
print("try starting mongod");
m = runMongoProgram(
"mongod", "--keyFile", key1_644, "--port", port[0], "--dbpath", MongoRunner.dataPath + name);
print("should fail with wrong permissions");
assert.eq(
m, _isWindows() ? 100 : 1, "mongod should exit w/ 1 (EXIT_FAILURE): permissions too open");
// Pre-populate the data directory for the first replica set node, to be started later, with
// a user's credentials.
print("add a user to server0: foo");
m = MongoRunner.runMongod({dbpath: MongoRunner.dataPath + name + "-0"});
m.getDB("admin").createUser({user: "foo", pwd: "bar", roles: jsTest.adminUserRoles});
m.getDB("test").createUser({user: "bar", pwd: "baz", roles: jsTest.basicUserRoles});
print("make sure user is written before shutting down");
MongoRunner.stopMongod(m);
print("start up rs");
var rs = new ReplSetTest({"name": name, "nodes": 3});
// The first node is started with the pre-populated data directory.
print("start 0 with keyFile");
m = rs.start(0, {"keyFile": key1_600, noCleanData: true});
print("start 1 with keyFile");
rs.start(1, {"keyFile": key1_600});
print("start 2 with keyFile");
rs.start(2, {"keyFile": key1_600});
var result = m.getDB("admin").auth("foo", "bar");
assert.eq(result, 1, "login failed");
print("Initializing replSet with config: " + tojson(rs.getReplSetConfig()));
result = m.getDB("admin").runCommand({replSetInitiate: rs.getReplSetConfig()});
assert.eq(result.ok, 1, "couldn't initiate: " + tojson(result));
m.getDB('admin').logout(); // In case this node doesn't become primary, make sure its not auth'd
var master = rs.getPrimary();
rs.awaitSecondaryNodes();
var mId = rs.getNodeId(master);
var slave = rs._slaves[0];
assert.eq(1, master.getDB("admin").auth("foo", "bar"));
assert.writeOK(master.getDB("test").foo.insert(
{x: 1}, {writeConcern: {w: 3, wtimeout: ReplSetTest.kDefaultTimeoutMS}}));
print("try some legal and illegal reads");
var r = master.getDB("test").foo.findOne();
assert.eq(r.x, 1);
slave.setSlaveOk();
function doQueryOn(p) {
var error = assert.throws(function() {
r = p.getDB("test").foo.findOne();
}, [], "find did not throw, returned: " + tojson(r)).toString();
printjson(error);
assert.gt(error.indexOf("command find requires authentication"), -1, "error was non-auth");
}
doQueryOn(slave);
master.adminCommand({logout: 1});
print("unauthorized:");
printjson(master.adminCommand({replSetGetStatus: 1}));
doQueryOn(master);
result = slave.getDB("test").auth("bar", "baz");
assert.eq(result, 1);
r = slave.getDB("test").foo.findOne();
assert.eq(r.x, 1);
print("add some data");
master.getDB("test").auth("bar", "baz");
var bulk = master.getDB("test").foo.initializeUnorderedBulkOp();
for (var i = 0; i < 1000; i++) {
bulk.insert({x: i, foo: "bar"});
}
assert.writeOK(bulk.execute({w: 3, wtimeout: ReplSetTest.kDefaultTimeoutMS}));
print("fail over");
rs.stop(mId);
master = rs.getPrimary();
print("add some more data 1");
master.getDB("test").auth("bar", "baz");
bulk = master.getDB("test").foo.initializeUnorderedBulkOp();
for (var i = 0; i < 1000; i++) {
bulk.insert({x: i, foo: "bar"});
}
assert.writeOK(bulk.execute({w: 2}));
print("resync");
rs.restart(mId, {"keyFile": key1_600});
master = rs.getPrimary();
print("add some more data 2");
bulk = master.getDB("test").foo.initializeUnorderedBulkOp();
for (var i = 0; i < 1000; i++) {
bulk.insert({x: i, foo: "bar"});
}
bulk.execute({w: 3, wtimeout: ReplSetTest.kDefaultTimeoutMS});
print("add member with wrong key");
var conn = MongoRunner.runMongod({
dbpath: MongoRunner.dataPath + name + "-3",
port: port[3],
replSet: "rs_auth1",
oplogSize: 2,
keyFile: key2_600
});
master.getDB("admin").auth("foo", "bar");
var config = master.getDB("local").system.replset.findOne();
config.members.push({_id: 3, host: rs.host + ":" + port[3]});
config.version++;
try {
master.adminCommand({replSetReconfig: config});
} catch (e) {
print("error: " + e);
}
master = rs.getPrimary();
master.getDB("admin").auth("foo", "bar");
print("shouldn't ever sync");
for (var i = 0; i < 10; i++) {
print("iteration: " + i);
var results = master.adminCommand({replSetGetStatus: 1});
printjson(results);
assert(results.members[3].state != 2);
sleep(1000);
}
print("stop member");
MongoRunner.stopMongod(conn);
print("start back up with correct key");
var conn = MongoRunner.runMongod({
dbpath: MongoRunner.dataPath + name + "-3",
port: port[3],
replSet: "rs_auth1",
oplogSize: 2,
keyFile: key1_600
});
wait(function() {
try {
var results = master.adminCommand({replSetGetStatus: 1});
printjson(results);
return results.members[3].state == 2;
} catch (e) {
print(e);
}
return false;
});
print("make sure it has the config, too");
assert.soon(function() {
for (var i in rs.nodes) {
rs.nodes[i].setSlaveOk();
rs.nodes[i].getDB("admin").auth("foo", "bar");
config = rs.nodes[i].getDB("local").system.replset.findOne();
if (config.version != 2) {
return false;
}
}
return true;
});
MongoRunner.stopMongod(conn);
rs.stopSet();
})();
|