1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
// This test is a basic sanity check of the shell helpers for manipulating role objects
// It is not a comprehensive test of the functionality of the role manipulation commands
function assertHasRole(rolesArray, roleName, roleDB) {
for (i in rolesArray) {
var curRole = rolesArray[i];
if (curRole.role == roleName && curRole.db == roleDB) {
return;
}
}
assert(false, "role " + roleName + "@" + roleDB + " not found in array: " + tojson(rolesArray));
}
function assertHasPrivilege(privilegeArray, privilege) {
for (i in privilegeArray) {
var curPriv = privilegeArray[i];
if (curPriv.resource.cluster == privilege.resource.cluster &&
curPriv.resource.anyResource == privilege.resource.anyResource &&
curPriv.resource.db == privilege.resource.db &&
curPriv.resource.collection == privilege.resource.collection) {
// Same resource
assert.eq(curPriv.actions.length, privilege.actions.length);
for (k in curPriv.actions) {
assert.eq(curPriv.actions[k], privilege.actions[k]);
}
return;
}
}
assert(false, "Privilege " + tojson(privilege) + " not found in privilege array: " +
tojson(privilegeArray));
}
(function(db) {
var db = db.getSiblingDB("role_management_helpers");
db.dropDatabase();
db.dropAllRoles();
db.addRole({role:'roleA', roles: [], privileges: [{resource: {db:db.getName(), collection: ""},
actions: ['find']}]});
db.addRole({role:'roleB', privileges: [], roles: ["roleA"]});
db.addRole({role:'roleC', privileges: [], roles: []});
// Test getRole
var roleObj = db.getRole("roleA");
assert.eq(0, roleObj.roles.length);
assert.eq(1, roleObj.privileges.length);
assertHasPrivilege(roleObj.privileges,
{resource: {db:db.getName(), collection:""}, actions:['find']});
roleObj = db.getRole("roleB");
assert.eq(1, roleObj.privileges.length); // inherited from roleA
assertHasPrivilege(roleObj.privileges,
{resource: {db:db.getName(), collection:""}, actions:['find']});
assert.eq(1, roleObj.roles.length);
assertHasRole(roleObj.roles, "roleA", db.getName());
// Granting roles to nonexistent role fails
assert.throws(function() { db.grantRolesToRole("fakeRole", ['dbAdmin']); });
// Granting roles to built-in role fails
assert.throws(function() { db.grantRolesToRole("readWrite", ['dbAdmin']); });
// Granting non-existant role fails
assert.throws(function() { db.grantRolesToRole("roleB", ['dbAdmin', 'fakeRole']); });
roleObj = db.getRole("roleB");
assert.eq(1, roleObj.privileges.length);
assert.eq(1, roleObj.roles.length);
assertHasRole(roleObj.roles, "roleA", db.getName());
// Granting a role you already have is no problem
db.grantRolesToRole("roleB", ['readWrite', 'roleC']);
roleObj = db.getRole("roleB");
assert.gt(roleObj.privileges.length, 1); // Got privileges from readWrite role
assert.eq(3, roleObj.roles.length);
assertHasRole(roleObj.roles, "readWrite", db.getName());
assertHasRole(roleObj.roles, "roleA", db.getName());
assertHasRole(roleObj.roles, "roleC", db.getName());
// Revoking roles the role doesn't have is fine
db.revokeRolesFromRole("roleB", ['roleA', 'readWrite', 'dbAdmin']);
roleObj = db.getRole("roleB");
assert.eq(0, roleObj.privileges.length);
assert.eq(1, roleObj.roles.length);
assertHasRole(roleObj.roles, "roleC", db.getName());
// Privileges on the same resource get collapsed
db.grantPrivilegesToRole("roleA",
[{resource: {cluster:true}, actions:['listDatabases']},
{resource: {db:db.getName(), collection:""}, actions:['insert']}]);
roleObj = db.getRole("roleA");
assert.eq(0, roleObj.roles.length);
assert.eq(2, roleObj.privileges.length);
assertHasPrivilege(roleObj.privileges,
{resource: {db:db.getName(), collection:""}, actions:['find', 'insert']});
assertHasPrivilege(roleObj.privileges,
{resource: {cluster:true}, actions:['listDatabases']});
// Update role
db.updateRole("roleA", {roles:['roleB'],
privileges:[{resource: {db: db.getName(), collection:""},
actions:['find']}]});
roleObj = db.getRole("roleA");
assert.eq(1, roleObj.roles.length);
assertHasRole(roleObj.roles, "roleB", db.getName());
assert.eq(1, roleObj.privileges.length);
assertHasPrivilege(roleObj.privileges,
{resource: {db:db.getName(), collection:""}, actions:['find']});
// Test dropRole
db.dropRole('roleC');
assert.throws(function() {db.getRole('roleC')});
roleObj = db.getRole("roleB");
assert.eq(0, roleObj.privileges.length);
assert.eq(0, roleObj.roles.length);
// Test dropAllRoles
db.dropAllRoles();
assert.throws(function() {db.getRole('roleA')});
assert.throws(function() {db.getRole('roleB')});
assert.throws(function() {db.getRole('roleC')});
}(db));
|
