jstests/sharding/all_collection_stats_auth.js


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86

/*
 * Test to validate the privileges of using $_internalAllCollectionStats stage.
 *
 * @tags: [
 *   requires_fcv_62,
 * ]
 */

(function() {
'use strict';

// Test privileges
function testPrivileges() {
    // Create new role with the exact privileges to execute $allCollectionStats
    assert.commandWorked(adminDb.runCommand({
        createRole: "role_ok_priv",
        roles: [],
        privileges: [{resource: {cluster: true}, actions: ["allCollectionStats"]}]
    }));

    // Creates users with privileges and no privileges
    assert.commandWorked(adminDb.runCommand({createUser: "user_no_priv", pwd: "pwd", roles: []}));

    assert.commandWorked(adminDb.runCommand(
        {createUser: "user_priv1", pwd: "pwd", roles: [{role: "role_ok_priv", db: 'admin'}]}));

    assert.commandWorked(adminDb.runCommand(
        {createUser: "user_priv2", pwd: "pwd", roles: [{role: "clusterMonitor", db: 'admin'}]}));

    assert(adminDb.logout());

    // User is in a role with privileges to execute the stage
    assert(adminDb.auth("user_priv1", "pwd"));
    assert.commandWorked(adminDb.runCommand({
        aggregate: 1,
        pipeline: [{$_internalAllCollectionStats: {stats: {storageStats: {}}}}],
        cursor: {}
    }));
    assert(adminDb.logout());

    // User is in a role with privileges to execute the stage
    assert(adminDb.auth("user_priv2", "pwd"));
    assert.commandWorked(adminDb.runCommand({
        aggregate: 1,
        pipeline: [{$_internalAllCollectionStats: {stats: {storageStats: {}}}}],
        cursor: {}
    }));
    assert(adminDb.logout());

    // User has no privileges to execute the stage
    assert(adminDb.auth("user_no_priv", "pwd"));
    assert.commandFailedWithCode(
        adminDb.runCommand({
            aggregate: 1,
            pipeline: [{$_internalAllCollectionStats: {stats: {storageStats: {}}}}],
            cursor: {}
        }),
        ErrorCodes.Unauthorized,
        "user should no longer have privileges to execute $_internalAllCollectionStats stage.");
    assert(adminDb.logout());
}

// Configure initial sharding cluster
const st = new ShardingTest({shards: 1, keyFile: 'jstests/libs/key1'});
const mongos = st.s;

const ns1 = "test.foo";
const adminDb = mongos.getDB("admin");
const testDb = mongos.getDB("test");

// Create a super user with __system role.
assert.commandWorked(adminDb.runCommand({createUser: "super", pwd: "super", roles: ["__system"]}));
assert(adminDb.logout());
assert(adminDb.auth("super", "super"));

st.adminCommand({shardcollection: ns1, key: {skey: 1}});

// Insert data to validate the aggregation stage
for (let i = 0; i < 6; i++) {
    assert.commandWorked(testDb.getCollection("foo").insert({skey: i}));
}

testPrivileges();

st.stop();
})();