mirror of https://github.com/mongodb/mongo
SERVER-112797 Set security cluster parameters periodically at runtime in config fuzzer (#45148)
GitOrigin-RevId: fd2d873e5a58d4c549006b8b8563caa1e0c427ca
parent
06390f0c4d
commit
f80ba058ab
|
|
@ -288,6 +288,7 @@ WORKSPACE.bazel @10gen/devprod-build @svc-auto-approve-bot
|
|||
/buildscripts/resmokelib/testing/hooks/**/rotate_execution_control_params.py @10gen/server-workload-resilience @svc-auto-approve-bot
|
||||
/buildscripts/resmokelib/testing/hooks/**/fuzz_runtime_parameters.py @10gen/server-programmability @svc-auto-approve-bot
|
||||
/buildscripts/resmokelib/testing/hooks/**/validate.py @10gen/devprod-correctness @10gen/server-validate @svc-auto-approve-bot
|
||||
/buildscripts/resmokelib/testing/hooks/**/simulate_crash.py @10gen/query-execution-router @svc-auto-approve-bot
|
||||
/buildscripts/resmokelib/testing/hooks/**/check_system_buckets_metrics.py @10gen/server-catalog-and-routing @svc-auto-approve-bot
|
||||
|
||||
# The following patterns are parsed from ./buildscripts/resmokelib/testing/testcases/OWNERS.yml
|
||||
|
|
|
|||
|
|
@ -673,12 +673,75 @@ config_fuzzer_params = {
|
|||
},
|
||||
"cluster": {
|
||||
"configServerReadPreferenceForCatalogQueries": {
|
||||
"choices": [{"mustAlwaysUseNearest": True}, {"mustAlwaysUseNearest": False}],
|
||||
"choices": [{"mustAlwaysUseNearest": True}, {"mustAlwaysUseNearest": False}, {}],
|
||||
"period": 10,
|
||||
"fuzz_at": ["cluster"],
|
||||
},
|
||||
"onlyTargetDataOwningShardsForMultiWrites": {
|
||||
"choices": [{"enabled": True}, {"enabled": False}],
|
||||
"choices": [{"enabled": True}, {"enabled": False}, {}],
|
||||
"period": 10,
|
||||
"fuzz_at": ["cluster"],
|
||||
},
|
||||
"fleCompactionOptions": {
|
||||
"document": {
|
||||
"maxCompactionSize": {
|
||||
"exclude_prob": 0.5,
|
||||
"min": 1,
|
||||
"max": 2147483647, # int max
|
||||
},
|
||||
"maxAnchorCompactionSize": {"exclude_prob": 0.5, "min": 1, "max": 2147483647},
|
||||
"maxESCEntriesPerCompactionDelete": {"exclude_prob": 0.5, "min": 1, "max": 350000},
|
||||
"compactAnchorPaddingFactor": {
|
||||
"exclude_prob": 0.5,
|
||||
"min": 0,
|
||||
"max": 1,
|
||||
"isUniform": True,
|
||||
},
|
||||
},
|
||||
"period": 10,
|
||||
"fuzz_at": ["cluster"],
|
||||
},
|
||||
"fleAllowTotalTagOverheadToExceedBSONLimit": {
|
||||
"choices": [{"shouldOverride": True}, {"shouldOverride": False}, {}],
|
||||
"period": 10,
|
||||
"fuzz_at": ["cluster"],
|
||||
},
|
||||
"fleDisableSubstringPreviewParameterLimits": {
|
||||
"choices": [{"shouldOverride": True}, {"shouldOverride": False}, {}],
|
||||
"period": 10,
|
||||
"fuzz_at": ["cluster"],
|
||||
},
|
||||
"auditConfig": {
|
||||
"document": {
|
||||
"auditAuthorizationSuccess": {"choices": [True, False]},
|
||||
"filter": {
|
||||
"document": {
|
||||
# Only a very small subset of possible filter expressions, since any match
|
||||
# expression can be used.
|
||||
"atype": {
|
||||
"exclude_prob": 0.3,
|
||||
"choices": [
|
||||
"authenticate",
|
||||
"authCheck",
|
||||
"createCollection",
|
||||
"dropCollection",
|
||||
{"$in": ["authenticate", "createCollection"]},
|
||||
],
|
||||
},
|
||||
"users.user": {"exclude_prob": 0.7, "choices": ["admin", "user", "abc"]},
|
||||
"users.db": {"exclude_prob": 0.7, "choices": ["admin", "test", "db"]},
|
||||
"roles.role": {"exclude_prob": 0.7, "choices": ["role1", "role2"]},
|
||||
"roles.db": {"exclude_prob": 0.7, "choices": ["admin", "test", "db"]},
|
||||
"result": {
|
||||
"exclude_prob": 0.5,
|
||||
"isRandomizedChoice": True,
|
||||
"lower_bound": 0,
|
||||
"upper_bound": 500,
|
||||
"choices": [0, 13, 18, 26, 334],
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
"period": 10,
|
||||
"fuzz_at": ["cluster"],
|
||||
},
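Review bot: The `{}` entry appended to the `choices` lists (`configServerReadPreferenceForCatalogQueries`, `onlyTargetDataOwningShardsForMultiWrites` and the two `fle*` override parameters) has no comment saying what an empty document means, and `auditConfig` is the only new cluster entry that never gets it. If the intent is "set the parameter with no fields so the server falls back to its defaults", state that once above the `"cluster"` table, e.g. `# {} sets the parameter with no fields, i.e. server defaults`, and say whether `auditConfig` omits it on purpose. The `# int max` remark on `maxCompactionSize` applies equally to `maxAnchorCompactionSize` two entries later.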
|
||||
|
|
@ -689,6 +752,13 @@ config_fuzzer_extra_configs = {
|
|||
"mongod": {
|
||||
"directoryperdb": {"choices": [True, False]},
|
||||
"wiredTigerDirectoryForIndexes": {"choices": [True, False]},
|
||||
"auditDestination": {"default": "console"},
|
||||
"auditRuntimeConfiguration": {"choices": ["on", "off"]},
|
||||
"auditSchema": {"choices": ["mongo", "OCSF"]},
|
||||
},
|
||||
"mongos": {
|
||||
"auditDestination": {"default": "console"},
|
||||
"auditRuntimeConfiguration": {"choices": ["on", "off"]},
|
||||
"auditSchema": {"choices": ["mongo", "OCSF"]},
|
||||
},
|
||||
"mongos": {},
|
||||
}
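Review bot: `auditRuntimeConfiguration` and `auditSchema` are listed separately under `"mongod"` and `"mongos"`, so unless the generator draws them once and shares the result (not visible in this hunk) a sharded fixture can start with auditing on for one process type and off for the other. The gate added in `FuzzRuntimeParameters` reads only `config.MONGOD_EXTRA_CONFIG`, so such a mixed state would still fuzz `auditConfig`. Either add a comment that the two draws are intentionally independent, or derive the mongos values from the mongod draw.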
|
||||
|
|
|
|||
|
|
@ -225,7 +225,14 @@ def generate_encryption_config(rng: random.Random):
|
|||
def generate_normal_mongo_parameters(rng, value):
|
||||
"""Returns the value assigned the mongod or mongos parameter based on the fields of the parameters in the config_fuzzer_limits.py."""
|
||||
|
||||
if "isUniform" in value:
|
||||
if "document" in value:
|
||||
ret = {}
|
||||
for doc_key, doc_value in value["document"].items():
|
||||
if "exclude_prob" in doc_value and rng.random() < doc_value["exclude_prob"]:
|
||||
# Exclude this key from the document
|
||||
continue
|
||||
ret[doc_key] = generate_normal_mongo_parameters(rng, doc_value)
|
||||
elif "isUniform" in value:
|
||||
ret = rng.uniform(value["min"], value["max"])
|
||||
elif "isRandomizedChoice" in value:
|
||||
choices = value["choices"]
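Review bot: The docstring of `generate_normal_mongo_parameters` still describes a single mongod or mongos value, but the new first branch builds a nested dict from `value["document"]`, recurses per key, and honours a per-key `exclude_prob`. It should say so, for instance `"""Return a fuzzed value for a parameter spec; a "document" spec yields a dict whose keys are each generated recursively and may be dropped with probability exclude_prob."""`. Also worth a line: `exclude_prob` is only consulted for keys inside a `document`, so it has no effect on a top-level spec. The function body continues past the end of the hunk.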
|
||||
|
|
|
|||
|
|
@ -590,8 +590,10 @@ class TestRunner(Subcommand):
|
|||
|
||||
if config.MONGOD_EXTRA_CONFIG:
|
||||
for k, v in config.MONGOD_EXTRA_CONFIG.items():
|
||||
if v:
|
||||
if v is True:
|
||||
local_resmoke_invocation_with_params += f" --{k}"
|
||||
elif v: # truthy but not True
|
||||
local_resmoke_invocation_with_params += f" --{k}={v}"
|
||||
|
||||
if config.MONGOS_SET_PARAMETERS and config.MONGOS_SET_PARAMETERS != "{}":
|
||||
local_resmoke_invocation_with_params += f" --mongosSetParameters='{self._get_fuzzed_param_resmoke_invocation(config.MONGOS_SET_PARAMETERS)}'"
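Review bot: In the new `elif v:` branch the value is interpolated into the printed reproduction command as `--{k}={v}` with no shell quoting, while the `--mongosSetParameters` line just below wraps its value in single quotes. The values introduced by this commit (`console`, `on`/`off`, `mongo`/`OCSF`) are harmless, but a later extra config containing a space or a shell metacharacter would make the copied command differ from the original invocation. `local_resmoke_invocation_with_params += f" --{k}={shlex.quote(str(v))}"` keeps it faithful (this needs `shlex` imported if the module does not already have it). The enclosing method starts and ends outside the hunk.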
|
||||
|
|
|
|||
|
|
@ -527,7 +527,7 @@ class MongodLauncher(object):
|
|||
"wiredTigerEngineConfigString": self.config.WT_ENGINE_CONFIG,
|
||||
"wiredTigerIndexConfigString": self.config.WT_INDEX_CONFIG,
|
||||
}
|
||||
shortcut_opts.update(self.config.MONGOD_EXTRA_CONFIG)
|
||||
shortcut_opts.update({k: v for k, v in self.config.MONGOD_EXTRA_CONFIG.items() if v})
|
||||
|
||||
if self.config.STORAGE_ENGINE == "inMemory":
|
||||
shortcut_opts["inMemorySizeGB"] = self.config.STORAGE_ENGINE_CACHE_SIZE
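Review bot: The `if v` filter in the new `shortcut_opts.update(...)` discards every falsy value, so a numeric `0` or an empty string would be dropped along with `False`, and nothing explains why falsy entries must not reach `shortcut_opts`. The same truthiness rule is repeated, with separate flag-formatting code, in the `TestRunner` and `SimulateCrash` hunks of this commit. A short comment here such as `# Falsy extra configs mean "option not set"; do not pass them on`, and ideally one shared helper that turns `MONGOD_EXTRA_CONFIG` into options, would keep the three call sites in agreement. The enclosing method starts and ends outside the hunk.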
|
||||
|
|
|
|||
|
|
@ -70,6 +70,9 @@ filters:
|
|||
approvers:
|
||||
- 10gen/server-validate
|
||||
- 10gen/devprod-correctness
|
||||
- "simulate_crash.py":
|
||||
approvers:
|
||||
- 10gen/query-execution-router
|
||||
- "check_system_buckets_metrics.py":
|
||||
approvers:
|
||||
- 10gen/server-catalog-and-routing
|
||||
|
|
|
|||
|
|
@ -131,6 +131,11 @@ class FuzzRuntimeParameters(interface.Hook):
|
|||
k: v for k, v in runtime_mongod_params.items() if "flowControl" not in k
|
||||
}
|
||||
|
||||
auditingEnabled = config.MONGOD_EXTRA_CONFIG.get("auditRuntimeConfiguration", "off") == "on"
|
||||
if not auditingEnabled:
|
||||
# auditConfig requires auditing to be enabled, so we should not fuzz it if auditing is disabled.
|
||||
del cluster_params["auditConfig"]
|
||||
|
||||
validate_runtime_parameter_spec(runtime_mongod_params)
|
||||
validate_runtime_parameter_spec(runtime_mongos_params)
|
||||
validate_runtime_parameter_spec(cluster_params)
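Review bot: `del cluster_params["auditConfig"]` raises `KeyError` if the key is absent, and if `cluster_params` is the module-level table rather than a copy (its construction is outside this hunk) the deletion also persists for any later hook instance in the same process. `cluster_params.pop("auditConfig", None)` on a local copy avoids both. The check reads only `config.MONGOD_EXTRA_CONFIG`, so the comment above it could say that the mongod setting is taken as the cluster-wide auditing state. `auditingEnabled` would be `auditing_enabled` under PEP 8 naming.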
|
||||
|
|
|
|||
|
|
@ -149,7 +149,9 @@ class SimulateCrash(bghook.BGHook):
|
|||
# When restarting the node for validation purposes, we need to mirror some
|
||||
# configuration options applied to the original standalone invocation.
|
||||
extra_configs = [
|
||||
"--" + cfg_k for (cfg_k, cfg_v) in config.MONGOD_EXTRA_CONFIG.items() if cfg_v
|
||||
f"--{cfg_k}" + ("" if cfg_v is True else f"={cfg_v}")
|
||||
for cfg_k, cfg_v in config.MONGOD_EXTRA_CONFIG.items()
|
||||
if cfg_v
|
||||
]
|
||||
|
||||
mdb = process.Process(
|
||||
|
|
|
|||