1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
// dumprestore_auth2.js
// Tests that mongodump and mongorestore properly handle access control information
// Tests that the default auth roles of backup and restore work properly.
var dumpRestoreAuth2 = function(backup_role, restore_role) {
t = new ToolTest("dumprestore_auth2", {auth: ""});
coll = t.startDB("foo");
admindb = coll.getDB().getSiblingDB("admin");
// Create the relevant users and roles.
admindb.createUser({user: "root", pwd: "pass", roles: ["root"]});
admindb.auth("root", "pass");
admindb.createUser({user: "backup", pwd: "pass", roles: [backup_role]});
admindb.createUser({user: "restore", pwd: "pass", roles: [restore_role]});
admindb.createRole({
role: "customRole",
privileges: [
{resource: {db: "jstests_tool_dumprestore_auth2", collection: "foo"}, actions: ["find"]}
],
roles: []
});
admindb.createUser({user: "test", pwd: "pass", roles: ["customRole"]});
coll.insert({word: "tomato"});
assert.eq(1, coll.count());
assert.eq(4, admindb.system.users.count(), "setup users");
assert.eq(2,
admindb.system.users.getIndexes().length,
"setup2: " + tojson(admindb.system.users.getIndexes()));
assert.eq(1, admindb.system.roles.count(), "setup3");
assert.eq(2, admindb.system.roles.getIndexes().length, "setup4");
assert.eq(1, admindb.system.version.find({_id: "authSchema"}).count());
var versionDoc = admindb.system.version.findOne({_id: "authSchema"});
// Logout root user.
admindb.logout();
// Verify that the custom role works as expected.
admindb.auth("test", "pass");
assert.eq("tomato", coll.findOne().word);
admindb.logout();
// Dump the database.
t.runTool("dump", "--out", t.ext, "--username", "backup", "--password", "pass");
// Drop the relevant data in the database.
admindb.auth("root", "pass");
coll.getDB().dropDatabase();
admindb.dropUser("backup");
admindb.dropUser("test");
admindb.dropRole("customRole");
assert.eq(2, admindb.system.users.count(), "didn't drop backup and test users");
assert.eq(0, admindb.system.roles.count(), "didn't drop roles");
assert.eq(0, coll.count(), "didn't drop foo coll");
// This test depends on W=0 to mask unique index violations.
// This should be fixed once we implement TOOLS-341
t.runTool("restore",
"--dir",
t.ext,
"--username",
"restore",
"--password",
"pass",
"--writeConcern",
"0");
assert.soon("admindb.system.users.findOne()", "no data after restore");
assert.eq(4, admindb.system.users.count(), "didn't restore users");
assert.eq(2, admindb.system.users.getIndexes().length, "didn't restore user indexes");
assert.eq(1, admindb.system.roles.find({role: 'customRole'}).count(), "didn't restore roles");
assert.eq(2, admindb.system.roles.getIndexes().length, "didn't restore role indexes");
admindb.logout();
// Login as user with customRole to verify privileges are restored.
admindb.auth("test", "pass");
assert.eq("tomato", coll.findOne().word);
admindb.logout();
admindb.auth("root", "pass");
admindb.createUser({user: "root2", pwd: "pass", roles: ["root"]});
admindb.dropRole("customRole");
admindb.createRole({role: "customRole2", roles: [], privileges: []});
admindb.dropUser("root");
admindb.logout();
t.runTool("restore",
"--dir",
t.ext,
"--username",
"restore",
"--password",
"pass",
"--drop",
"--writeConcern",
"0");
admindb.auth("root", "pass");
assert.soon("1 == admindb.system.users.find({user:'root'}).count()", "didn't restore users 2");
assert.eq(0, admindb.system.users.find({user: 'root2'}).count(), "didn't drop users");
assert.eq(0, admindb.system.roles.find({role: 'customRole2'}).count(), "didn't drop roles");
assert.eq(1, admindb.system.roles.find({role: 'customRole'}).count(), "didn't restore roles");
assert.eq(2, admindb.system.users.getIndexes().length, "didn't maintain user indexes");
assert.eq(2, admindb.system.roles.getIndexes().length, "didn't maintain role indexes");
assert.eq(
1, admindb.system.version.find({_id: "authSchema"}).count(), "didn't restore version");
assert.docEq(versionDoc,
admindb.system.version.findOne({_id: "authSchema"}),
"version doc wasn't restored properly");
admindb.logout();
t.stop();
};
// Tests that the default auth roles of backup and restore work properly.
dumpRestoreAuth2("backup", "restore");
// Tests that root has backup and restore privileges too.
dumpRestoreAuth2("root", "root");
|