summaryrefslogtreecommitdiff
path: root/jstests/sharding/direct_shard_connection_auth.js
blob: 798ad0e83b51df1813ca445e07fba0f794a23756 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95

/**
 * Tests that direct shard connections are correctly allowed and disallowed using authentication.
 *
 * @tags: [featureFlagCheckForDirectShardOperations, featureFlagClusterCardinalityParameter,
 * requires_fcv_71]
 */
(function() {
'use strict';

// Create a new sharded cluster for testing and enable auth.
const st = new ShardingTest({name: jsTestName(), keyFile: "jstests/libs/key1", shards: 1});

const shardConn = st.rs0.getPrimary();
const shardAdminDB = shardConn.getDB("admin");
const shardAdminTestDB = shardConn.getDB("test");
const userConn = new Mongo(st.shard0.host);
const userTestDB = userConn.getDB("test");

function getUnauthorizedDirectWritesCount() {
    return assert.commandWorked(shardAdminDB.runCommand({serverStatus: 1}))
        .shardingStatistics.unauthorizedDirectShardOps;
}

// With only one shard, direct shard operations should be allowed.
jsTest.log("Running tests with only one shard.");
{
    // Direct writes to collections with root priviledge should be authorized.
    shardAdminDB.createUser({user: "admin", pwd: 'x', roles: ["root"]});
    assert(shardAdminDB.auth("admin", 'x'), "Authentication failed");
    assert.commandWorked(shardAdminTestDB.getCollection("coll").insert({value: 1}));
    assert.eq(getUnauthorizedDirectWritesCount(), 0);

    // Direct writes to collections with read/write priviledge should be authorized.
    shardAdminTestDB.createUser({user: "user", pwd: "y", roles: ["readWrite"]});
    assert(userTestDB.auth("user", "y"), "Authentication failed");
    assert.commandWorked(userTestDB.getCollection("coll").insert({value: 2}));
    assert.eq(getUnauthorizedDirectWritesCount(), 0);

    // Logging out and dropping users should be authorized.
    userTestDB.logout();
    shardAdminTestDB.dropUser("user");
    assert.eq(getUnauthorizedDirectWritesCount(), 0);
}

// Adding the second shard will trigger the check for direct shard ops.
var newShard = new ReplSetTest({name: "additionalShard", nodes: 1});
newShard.startSet({keyFile: "jstests/libs/key1", shardsvr: ""});
newShard.initiate();
let mongosAdminUser = st.s.getDB('admin');
if (!TestData.configShard) {
    mongosAdminUser.createUser({user: "globalAdmin", pwd: 'a', roles: ["root"]});
    assert(mongosAdminUser.auth("globalAdmin", "a"), "Authentication failed");
} else {
    assert(mongosAdminUser.auth("admin", "x"), "Authentication failed");
}
assert.commandWorked(mongosAdminUser.runCommand({addShard: newShard.getURL()}));

jsTest.log("Running tests with two shards.");
{
    // Direct writes to collections with root priviledge (which includes directShardOperations)
    // should be authorized.
    assert.commandWorked(shardAdminTestDB.getCollection("coll").insert({value: 3}));
    assert.eq(getUnauthorizedDirectWritesCount(), 0);

    // Direct writes to collections with read/write priviledge should not be authorized.
    shardAdminTestDB.createUser({user: "user", pwd: "y", roles: ["readWrite"]});
    assert(userTestDB.auth("user", "y"), "Authentication failed");
    assert.commandWorked(userTestDB.getCollection("coll").insert({value: 4}));
    assert.eq(getUnauthorizedDirectWritesCount(), 1);
    userTestDB.logout();
    assert.eq(getUnauthorizedDirectWritesCount(), 1);

    // Direct writes with just read/write and direct operations should be authorized.
    shardAdminDB.createUser(
        {user: "user2", pwd: "z", roles: ["readWriteAnyDatabase", "directShardOperations"]});
    let shardUserWithDirectWritesAdminDB = userConn.getDB("admin");
    let shardUserWithDirectWritesTestDB = userConn.getDB("test");
    assert(shardUserWithDirectWritesAdminDB.auth("user2", "z"), "Authentication failed");
    assert.commandWorked(shardUserWithDirectWritesTestDB.getCollection("coll").insert({value: 5}));
    assert.eq(getUnauthorizedDirectWritesCount(), 1);

    // Logout should always be authorized and drop user from admin should be authorized.
    shardUserWithDirectWritesAdminDB.logout();
    shardAdminTestDB.dropUser("user");
    shardAdminTestDB.dropUser("user2");
    mongosAdminUser.logout();
    assert.eq(getUnauthorizedDirectWritesCount(), 1);
    // shardAdminDB is used to check the direct writes count, so log it out last.
    shardAdminDB.logout();
}

// Stop the sharding test before the additional shard to ensure the test hooks run successfully.
st.stop();
newShard.stopSet();
})();
View Lorry Controller Status