SERVER-15521 Make SCRAM-SHA-1 default pw algo in shell
parent
72ec4fc892
commit
203a02ca8f
@ -239,8 +239,8 @@ class mongod(NullMongod):
|
||||
argv += ['--nopreallocj']
|
||||
if self.kwargs.get('auth'):
|
||||
argv += ['--auth', '--setParameter', 'enableLocalhostAuthBypass=false']
|
||||
authMechanism = self.kwargs.get('authMechanism', 'MONGODB-CR')
|
||||
if authMechanism != 'MONGODB-CR':
|
||||
authMechanism = self.kwargs.get('authMechanism', 'SCRAM-SHA-1')
|
||||
if authMechanism != 'SCRAM-SHA-1':
|
||||
argv += ['--setParameter', 'authenticationMechanisms=' + authMechanism]
|
||||
self.auth = True
|
||||
if self.kwargs.get('keyFile'):
|
||||
|
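Review bot: With the comparison switched to `if authMechanism != 'SCRAM-SHA-1':`, a run that asks for SCRAM-SHA-1 no longer passes `authenticationMechanisms` at all, so the server keeps whatever mechanisms its own default enables, while a MONGODB-CR run pins the server to that single mechanism. If the server default also enables other mechanisms (not visible here), the SCRAM run shows that SCRAM works but not that a weaker mechanism is refused. I would either pass the parameter unconditionally, or keep the shortcut and add a comment such as `# SCRAM-SHA-1 is assumed to be in the server's default authenticationMechanisms; keep this literal in sync with it`. The same condition appears in the `appendSetParameterArgs` hunk further down, and the method body continues outside this hunk.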
@ -5,89 +5,111 @@ print("START auth1.js");
|
||||
port = allocatePorts( 1 )[ 0 ];
|
||||
baseName = "jstests_auth_auth1";
|
||||
|
||||
m = startMongod( "--auth", "--port", port, "--dbpath", MongoRunner.dataPath + baseName, "--nohttpinterface", "--bind_ip", "127.0.0.1" );
|
||||
db = m.getDB( "test" );
|
||||
|
||||
// these are used by read-only user
|
||||
mro = new Mongo(m.host);
|
||||
dbRO = mro.getDB( "test" );
|
||||
tRO = dbRO[ baseName ];
|
||||
|
||||
db.getSisterDB("admin").createUser({user: "root", pwd: "root", roles: ["root"]});
|
||||
db.getSisterDB("admin").auth("root", "root");
|
||||
|
||||
t = db[ baseName ];
|
||||
t.drop();
|
||||
|
||||
db.dropAllUsers();
|
||||
db.logout();
|
||||
|
||||
db.getSisterDB( "admin" ).createUser({user: "super", pwd: "super", roles: ["__system"] });
|
||||
db.getSisterDB("admin").auth("super", "super");
|
||||
db.createUser({user: "eliot" , pwd: "eliot", roles: jsTest.basicUserRoles });
|
||||
db.createUser({user: "guest" , pwd: "guest", roles: jsTest.readOnlyUserRoles});
|
||||
db.getSisterDB("admin").logout();
|
||||
|
||||
assert.throws( function() { t.findOne() }, [], "read without login" );
|
||||
|
||||
print("make sure we can't run certain commands w/out auth");
|
||||
var codeUnauthorized = 13;
|
||||
var rslt = db.runCommand({eval : "function() { return 1; }"});
|
||||
assert.eq(rslt.code, codeUnauthorized, tojson(rslt));
|
||||
var rslt = db.runCommand({getLog : "global"});
|
||||
assert.eq(rslt.code, codeUnauthorized, tojson(rslt));
|
||||
|
||||
assert(!db.auth("eliot", "eliot2"), "auth succeeded with wrong password");
|
||||
assert(db.auth("eliot", "eliot"), "auth failed");
|
||||
// Change password
|
||||
db.changeUserPassword("eliot", "eliot2");
|
||||
assert(!db.auth("eliot", "eliot"), "auth succeeded with wrong password");
|
||||
assert(db.auth("eliot", "eliot2"), "auth failed");
|
||||
|
||||
for( i = 0; i < 1000; ++i ) {
|
||||
t.save( {i:i} );
|
||||
authWithMech = function(database, user, pwd, mech) {
|
||||
if (mech == "")
|
||||
return database.auth(user, pwd);
|
||||
else
|
||||
return database.auth({user:user, pwd:pwd, mechanism:mech});
|
||||
}
|
||||
assert.eq( 1000, t.count() , "A1" );
|
||||
assert.eq( 1000, t.find().toArray().length , "A2" );
|
||||
|
||||
db.setProfilingLevel( 2 );
|
||||
t.count();
|
||||
db.setProfilingLevel( 0 );
|
||||
assert.lt( 0 , db.system.profile.find( { user : "eliot@test" } ).count() , "AP1" )
|
||||
run = function( mech ) {
|
||||
var m = startMongod( "--auth", "--port", port, "--dbpath", MongoRunner.dataPath + baseName,
|
||||
"--nohttpinterface", "--bind_ip", "127.0.0.1" );
|
||||
db = m.getDB( "test" );
|
||||
|
||||
var p = { key : { i : true } ,
|
||||
reduce : function(obj,prev) { prev.count++; },
|
||||
initial: { count: 0 }
|
||||
};
|
||||
// these are used by read-only user
|
||||
var mro = new Mongo(m.host);
|
||||
var dbRO = mro.getDB( "test" );
|
||||
var tRO = dbRO[ baseName ];
|
||||
|
||||
assert.eq( 1000, t.group( p ).length , "A5" );
|
||||
db.getSisterDB("admin").createUser({user: "root", pwd: "root", roles: ["root"]});
|
||||
authWithMech(db.getSisterDB("admin"),"root", "root");
|
||||
|
||||
assert( dbRO.auth( "guest", "guest" ), "auth failed 2" );
|
||||
var t = db[ baseName ];
|
||||
t.drop();
|
||||
|
||||
assert.eq( 1000, tRO.count() , "B1" );
|
||||
assert.eq( 1000, tRO.find().toArray().length , "B2" ); // make sure we have a getMore in play
|
||||
assert.commandWorked( dbRO.runCommand( {ismaster:1} ) , "B3" );
|
||||
db.dropAllUsers();
|
||||
db.logout();
|
||||
|
||||
assert.writeError(tRO.save({}));
|
||||
db.getSisterDB( "admin" ).createUser({user: "super", pwd: "super", roles: ["__system"] });
|
||||
db.getSisterDB("admin").auth("super", "super");
|
||||
db.createUser({user: "eliot" , pwd: "eliot", roles: jsTest.basicUserRoles });
|
||||
db.createUser({user: "guest" , pwd: "guest", roles: jsTest.readOnlyUserRoles});
|
||||
db.getSisterDB("admin").logout();
|
||||
|
||||
assert.eq( 1000, tRO.count() , "B6" );
|
||||
assert.throws( function() { t.findOne() }, [], "read without login" );
|
||||
|
||||
assert.eq( 1000, tRO.group( p ).length , "C1" );
|
||||
print("make sure we can't run certain commands w/out auth");
|
||||
var codeUnauthorized = 13;
|
||||
var rslt = db.runCommand({eval : "function() { return 1; }"});
|
||||
assert.eq(rslt.code, codeUnauthorized, tojson(rslt));
|
||||
var rslt = db.runCommand({getLog : "global"});
|
||||
assert.eq(rslt.code, codeUnauthorized, tojson(rslt));
|
||||
|
||||
var p = { key : { i : true } ,
|
||||
reduce : function(obj,prev) { db.jstests_auth_auth1.save( {i:10000} ); prev.count++; },
|
||||
initial: { count: 0 }
|
||||
};
|
||||
assert(!authWithMech(db, "eliot", "eliot2", mech), "auth succeeded with wrong password");
|
||||
assert(authWithMech(db, "eliot", "eliot", mech), "auth failed");
|
||||
// Change password
|
||||
db.changeUserPassword("eliot", "eliot2");
|
||||
assert(!authWithMech(db, "eliot", "eliot", mech), "auth succeeded with wrong password");
|
||||
assert(authWithMech(db, "eliot", "eliot2", mech), "auth failed");
|
||||
|
||||
for( i = 0; i < 1000; ++i ) {
|
||||
t.save( {i:i} );
|
||||
}
|
||||
assert.eq( 1000, t.count() , "A1" );
|
||||
assert.eq( 1000, t.find().toArray().length , "A2" );
|
||||
|
||||
db.setProfilingLevel( 2 );
|
||||
t.count();
|
||||
db.setProfilingLevel( 0 );
|
||||
assert.lt( 0 , db.system.profile.find( { user : "eliot@test" } ).count() , "AP1" )
|
||||
|
||||
var p = { key : { i : true } ,
|
||||
reduce : function(obj,prev) { prev.count++; },
|
||||
initial: { count: 0 }
|
||||
};
|
||||
|
||||
assert.eq( 1000, t.group( p ).length , "A5" );
|
||||
|
||||
assert( dbRO.auth( "guest", "guest" ), "auth failed 2" );
|
||||
|
||||
assert.eq( 1000, tRO.count() , "B1" );
|
||||
assert.eq( 1000, tRO.find().toArray().length , "B2" ); // make sure we have a getMore in play
|
||||
assert.commandWorked( dbRO.runCommand( {ismaster:1} ) , "B3" );
|
||||
|
||||
assert.writeError(tRO.save({}));
|
||||
|
||||
assert.eq( 1000, tRO.count() , "B6" );
|
||||
|
||||
assert.eq( 1000, tRO.group( p ).length , "C1" );
|
||||
|
||||
var p = { key : { i : true } ,
|
||||
reduce : function(obj,prev) { db.jstests_auth_auth1.save( {i:10000} ); prev.count++; },
|
||||
initial: { count: 0 }
|
||||
};
|
||||
|
||||
|
||||
assert.throws( function() { return t.group( p ) }, null , "write reduce didn't fail" );
|
||||
assert.eq( 1000, dbRO.jstests_auth_auth1.count() , "C3" );
|
||||
assert.throws( function() { return t.group( p ) }, null , "write reduce didn't fail" );
|
||||
assert.eq( 1000, dbRO.jstests_auth_auth1.count() , "C3" );
|
||||
|
||||
|
||||
db.getSiblingDB('admin').auth('super', 'super');
|
||||
authWithMech(db.getSisterDB('admin'), 'super', 'super', mech);
|
||||
|
||||
assert.eq( 1000, db.eval( function() { return db[ "jstests_auth_auth1" ].count(); } ) , "D1" );
|
||||
db.eval( function() { db[ "jstests_auth_auth1" ].save( {i:1000} ) } );
|
||||
assert.eq( 1001, db.eval( function() { return db[ "jstests_auth_auth1" ].count(); } ) , "D2" );
|
||||
assert.eq( 1000, db.eval( function() { return db[ "jstests_auth_auth1" ].count(); } ) , "D1" );
|
||||
db.eval( function() { db[ "jstests_auth_auth1" ].save( {i:1000} ) } );
|
||||
assert.eq( 1001, db.eval( function() { return db[ "jstests_auth_auth1" ].count(); } ) , "D2" );
|
||||
|
||||
jsTest.log("About to delete users")
|
||||
printjson(db.getSiblingDB('admin').system.users.findOne())
|
||||
db.getSiblingDB('admin').dropAllUsers()
|
||||
db.getSiblingDB('admin').logout()
|
||||
MongoRunner.stopMongod(port);
|
||||
}
|
||||
|
||||
// Test the default mechanism
|
||||
run()
|
||||
|
||||
// Test MONGODB-CR
|
||||
run('MONGODB-CR')
|
||||
|
||||
print("SUCCESS auth1.js");
|
||||
|
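Review bot: The `mech == ""` test in `authWithMech` does not match the calls shown here: `run()` and `authWithMech(db.getSisterDB("admin"),"root", "root")` pass no mechanism, so `mech` is `undefined`, `undefined == ""` is false, and the call goes to `database.auth({user:user, pwd:pwd, mechanism:mech})` with an undefined mechanism. Whether that falls back to the shell default depends on code outside this hunk, so the "default mechanism" run may not exercise the plain `database.auth(user, pwd)` path it is meant to cover; `if (!mech)` would. `authWithMech` and `run` are also assigned without `var`, so they become globals visible to any other test loaded in the same shell. The logins `dbRO.auth( "guest", "guest" )` and `db.getSisterDB("admin").auth("super", "super")` inside `run` bypass `authWithMech`, so in the `run('MONGODB-CR')` pass they still use the default mechanism.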
@ -1069,7 +1069,7 @@ DB.prototype.__pwHash = function( nonce, username, pass ) {
|
||||
return hex_md5(nonce + username + _hashPassword(username, pass));
|
||||
}
|
||||
|
||||
DB.prototype._defaultAuthenticationMechanism = "MONGODB-CR";
|
||||
DB.prototype._defaultAuthenticationMechanism = "SCRAM-SHA-1";
|
||||
DB.prototype._defaultGssapiServiceName = null;
|
||||
|
||||
DB.prototype._authOrThrow = function () {
|
||||
|
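Review bot: The new value of `DB.prototype._defaultAuthenticationMechanism` carries no comment saying what a caller should do when the target server or user only has MONGODB-CR credentials, and nothing in this hunk shows a fallback. Since `__pwHash` just above is kept, I assume an explicit `mechanism: "MONGODB-CR"` still works, but that should be stated next to the default, e.g. `// Used when auth() is called without a mechanism; pass mechanism: "MONGODB-CR" explicitly for deployments without SCRAM credentials.` The same default is changed for the `authenticationMechanism` shell option in the last hunk, where the help string "authentication mechanism" could name the new default as well.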
@ -765,7 +765,7 @@ function appendSetParameterArgs(argArray) {
|
||||
if (jsTest.options().enableTestCommands) {
|
||||
argArray.push.apply(argArray, ['--setParameter', "enableTestCommands=1"]);
|
||||
}
|
||||
if (jsTest.options().authMechanism && jsTest.options().authMechanism != "MONGODB-CR") {
|
||||
if (jsTest.options().authMechanism && jsTest.options().authMechanism != "SCRAM-SHA-1") {
|
||||
var hasAuthMechs = false;
|
||||
for (i in argArray) {
|
||||
if (typeof argArray[i] === 'string' &&
|
||||
|
@ -79,7 +79,7 @@ namespace mongo {
|
||||
|
||||
authenticationOptions.addOptionChaining("authenticationMechanism",
|
||||
"authenticationMechanism", moe::String, "authentication mechanism")
|
||||
.setDefault(moe::Value(std::string("MONGODB-CR")));
|
||||
.setDefault(moe::Value(std::string("SCRAM-SHA-1")));
|
||||
|
||||
authenticationOptions.addOptionChaining("gssapiServiceName", "gssapiServiceName",
|
||||
moe::String,
|
||||
|