1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
|
/**
* Tests that direct shard connections are correctly allowed and disallowed using authentication.
*
* @tags: [featureFlagCheckForDirectShardOperations, featureFlagClusterCardinalityParameter,
* requires_fcv_71]
*/
(function() {
'use strict';
// Create a new sharded cluster for testing and enable auth.
const st = new ShardingTest({name: jsTestName(), keyFile: "jstests/libs/key1", shards: 1});
const shardConn = st.rs0.getPrimary();
const shardAdminDB = shardConn.getDB("admin");
const shardAdminTestDB = shardConn.getDB("test");
const userConn = new Mongo(st.shard0.host);
const userTestDB = userConn.getDB("test");
function getUnauthorizedDirectWritesCount() {
return assert.commandWorked(shardAdminDB.runCommand({serverStatus: 1}))
.shardingStatistics.unauthorizedDirectShardOps;
}
// With only one shard, direct shard operations should be allowed.
jsTest.log("Running tests with only one shard.");
{
// Direct writes to collections with root priviledge should be authorized.
shardAdminDB.createUser({user: "admin", pwd: 'x', roles: ["root"]});
assert(shardAdminDB.auth("admin", 'x'), "Authentication failed");
assert.commandWorked(shardAdminTestDB.getCollection("coll").insert({value: 1}));
assert.eq(getUnauthorizedDirectWritesCount(), 0);
// Direct writes to collections with read/write priviledge should be authorized.
shardAdminTestDB.createUser({user: "user", pwd: "y", roles: ["readWrite"]});
assert(userTestDB.auth("user", "y"), "Authentication failed");
assert.commandWorked(userTestDB.getCollection("coll").insert({value: 2}));
assert.eq(getUnauthorizedDirectWritesCount(), 0);
// Logging out and dropping users should be authorized.
userTestDB.logout();
shardAdminTestDB.dropUser("user");
assert.eq(getUnauthorizedDirectWritesCount(), 0);
}
// Adding the second shard will trigger the check for direct shard ops.
var newShard = new ReplSetTest({name: "additionalShard", nodes: 1});
newShard.startSet({keyFile: "jstests/libs/key1", shardsvr: ""});
newShard.initiate();
let mongosAdminUser = st.s.getDB('admin');
if (!TestData.configShard) {
mongosAdminUser.createUser({user: "globalAdmin", pwd: 'a', roles: ["root"]});
assert(mongosAdminUser.auth("globalAdmin", "a"), "Authentication failed");
} else {
assert(mongosAdminUser.auth("admin", "x"), "Authentication failed");
}
assert.commandWorked(mongosAdminUser.runCommand({addShard: newShard.getURL()}));
jsTest.log("Running tests with two shards.");
{
// Direct writes to collections with root priviledge (which includes directShardOperations)
// should be authorized.
assert.commandWorked(shardAdminTestDB.getCollection("coll").insert({value: 3}));
assert.eq(getUnauthorizedDirectWritesCount(), 0);
// Direct writes to collections with read/write priviledge should not be authorized.
shardAdminTestDB.createUser({user: "user", pwd: "y", roles: ["readWrite"]});
assert(userTestDB.auth("user", "y"), "Authentication failed");
assert.commandWorked(userTestDB.getCollection("coll").insert({value: 4}));
assert.eq(getUnauthorizedDirectWritesCount(), 1);
userTestDB.logout();
assert.eq(getUnauthorizedDirectWritesCount(), 1);
// Direct writes with just read/write and direct operations should be authorized.
shardAdminDB.createUser(
{user: "user2", pwd: "z", roles: ["readWriteAnyDatabase", "directShardOperations"]});
let shardUserWithDirectWritesAdminDB = userConn.getDB("admin");
let shardUserWithDirectWritesTestDB = userConn.getDB("test");
assert(shardUserWithDirectWritesAdminDB.auth("user2", "z"), "Authentication failed");
assert.commandWorked(shardUserWithDirectWritesTestDB.getCollection("coll").insert({value: 5}));
assert.eq(getUnauthorizedDirectWritesCount(), 1);
// Logout should always be authorized and drop user from admin should be authorized.
shardUserWithDirectWritesAdminDB.logout();
shardAdminTestDB.dropUser("user");
shardAdminTestDB.dropUser("user2");
mongosAdminUser.logout();
assert.eq(getUnauthorizedDirectWritesCount(), 1);
// shardAdminDB is used to check the direct writes count, so log it out last.
shardAdminDB.logout();
}
// Stop the sharding test before the additional shard to ensure the test hooks run successfully.
st.stop();
newShard.stopSet();
})();
|