// Tests that $$USER_ROLES is not available when the server parameter is set to false.
// @tags: [requires_fcv_70]
import "jstests/libs/query/sbe_assert_error_override.js";
// Database and collection that back the view under test.
const dbName = "test";
const collName = "coll";

// Error code the find on the view must fail with while $$USER_ROLES is unavailable.
const varNotAvailableErr = 51144;
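/**
 * Checks that a view whose pipeline references $$USER_ROLES cannot be read while the
 * enableAccessToUserRoles server parameter is false.
 *
 * @param {object} conn - Connection returned by MongoRunner.runMongod.
 * @param {boolean} disableAtRunTime - When true, the parameter is switched off here through
 *     setParameter; when false, the caller is expected to have started the server with it
 *     already disabled.
 */
function runTest(conn, disableAtRunTime) {
    // Create a user on the admin database with the root role so that we can create users with
    // other roles on other databases.
    // NOTE(review): no user exists yet at this point, so this first createUser presumably relies
    // on the localhost exception - confirm before pointing the test at a non-local server.
    const admin = conn.getDB("admin");
    assert.commandWorked(admin.runCommand({createUser: "admin", pwd: "admin", roles: ["root"]}));
    // auth() signals failure through its return value, so an unchecked call would let the test
    // continue unauthenticated and fail later for an unrelated reason.
    assert(admin.auth("admin", "admin"), "Failed to authenticate as the admin user");

    if (disableAtRunTime) {
        // Disable the $$USER_ROLES server parameter. This requires the admin user to be
        // authenticated.
        assert.commandWorked(admin.runCommand({setParameter: 1, enableAccessToUserRoles: false}));
    }

    const db = conn.getDB(dbName);

    // Create a low-privilege user that only holds the read role on the test database.
    assert.commandWorked(
        db.runCommand({
            createUser: "user",
            pwd: "pwd",
            roles: [{role: "read", db: dbName}],
        }),
    );

    // Create a view that exposes field "a" only to callers whose roles include "read". The
    // decision depends on $$USER_ROLES, so with the parameter disabled the view must be
    // rejected rather than evaluated.
    const pipeline = [
        {
            $set: {"a": {$cond: {if: {$in: ["read", "$$USER_ROLES.role"]}, then: "$a", else: "$$REMOVE"}}},
        },
    ];
    assert.commandWorked(db.createView("coll_view", collName, pipeline));
    const coll = db.getCollection(collName);

    // Insert a document.
    const doc = {_id: 0, a: 1};
    assert.commandWorked(coll.insert(doc));

    // Logout of the admin user so that we can log into the other user.
    admin.logout();

    // Authenticate as the user we created earlier and run a find on the view. Since the
    // $$USER_ROLES server parameter is disabled, the find should fail.
    assert(db.auth("user", "pwd"), "Failed to authenticate as the read-only user");

    const res = db.runCommand({find: "coll_view", filter: {}});

    // Check the failure code first: if the find unexpectedly succeeds, the reply carries no
    // errmsg, and inspecting it first would raise a TypeError instead of a clear assertion.
    assert.commandFailedWithCode(res, varNotAvailableErr);
    assert(
        res["errmsg"].includes("Builtin variable") &&
            res["errmsg"].includes("$$USER_ROLES") &&
            res["errmsg"].includes("as the server is not configured to accept it"),
        "Error message did not match expected message",
    );

    db.logout();
}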
// Cover both ways of turning the parameter off. Every server is started with the auth option
// so that the user and role setup done by runTest applies.
const scenarios = [
    // Start up a mongod, and disable the parameter at runtime.
    {mongodOptions: {auth: ""}, disableAtRunTime: true},
    // Start up a mongod with the parameter disabled.
    {mongodOptions: {auth: "", setParameter: {enableAccessToUserRoles: false}}, disableAtRunTime: false},
];

for (const {mongodOptions, disableAtRunTime} of scenarios) {
    const conn = MongoRunner.runMongod(mongodOptions);
    runTest(conn, disableAtRunTime);
    MongoRunner.stopMongod(conn);
}