diff --git a/buildscripts/smoke.py b/buildscripts/smoke.py index 3480620cfc55b..b0a5bc1023b33 100755 --- a/buildscripts/smoke.py +++ b/buildscripts/smoke.py @@ -167,17 +167,6 @@ def did_mongod_start(self, port=mongod_port, timeout=300): print >> sys.stderr, "timeout starting mongod" return False - def setup_admin_user(self, port=mongod_port): - try: - Connection( "localhost" , int(port), ssl=use_ssl ).admin.command("createUser", "admin", - pwd="password", - roles=["__system"]) - except OperationFailure, e: - if e.message == 'need to login': - pass # SERVER-4225 - else: - raise e - def start(self): global mongod_port global mongod @@ -218,11 +207,13 @@ def start(self): if self.kwargs.get('no_preallocj'): argv += ['--nopreallocj'] if self.kwargs.get('auth'): - argv += ['--auth'] + argv += ['--auth', '--setParameter', 'enableLocalhostAuthBypass=false'] authMechanism = self.kwargs.get('authMechanism', 'MONGODB-CR') if authMechanism != 'MONGODB-CR': argv += ['--setParameter', 'authenticationMechanisms=' + authMechanism] self.auth = True + if self.kwargs.get('keyFile'): + argv += ['--keyFile', self.kwargs.get('keyFile')] if self.kwargs.get('use_ssl') or self.kwargs.get('use_x509'): argv += ['--sslMode', "requireSSL", '--sslPEMKeyFile', 'jstests/libs/server.pem', @@ -237,9 +228,6 @@ def start(self): if not self.did_mongod_start(self.port): raise Exception("Failed to start mongod") - if self.auth: - self.setup_admin_user(self.port) - if self.slave: local = Connection(port=self.port, slave_okay=True).local synced = False @@ -481,14 +469,6 @@ def runTest(test, result): else: raise Bug("fell off in extension case: %s" % path) - if keyFile: - f = open(keyFile, 'r') - keyFileData = re.sub(r'\s', '', f.read()) # Remove all whitespace - f.close() - os.chmod(keyFile, stat.S_IRUSR | stat.S_IWUSR) - else: - keyFileData = None - mongo_test_filename = os.path.basename(path) if 'sharedclient' in path: mongo_test_filename += "-sharedclient" 
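Review bot: In the `start()` hunk of buildscripts/smoke.py, `enableLocalhostAuthBypass=false` is appended only under the `auth` kwarg, while the new `--keyFile` argument is appended whenever `keyFile` is set. mongod enforces access control when it is given a key file, so a run that sets `keyFile` without `auth` would presumably start with the localhost exception still enabled; the collapsed layout does not show whether the `keyFile` check is nested under the `auth` branch, so this needs confirming against the file. If it is not nested, I would gate the parameter on both options, `if self.kwargs.get('auth') or self.kwargs.get('keyFile'):`, and add a comment saying why the bypass is turned off. The `appendSetParameterArgs` hunk in src/mongo/shell/servers.js uses the same `auth`-only condition. `start()` begins and ends outside the hunk.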
@@ -615,6 +595,7 @@ def run_tests(tests): no_preallocj=no_preallocj, auth=auth, authMechanism=authMechanism, + keyFile=keyFile, use_ssl=use_ssl, use_x509=use_x509).__enter__() else: @@ -632,6 +613,7 @@ def run_tests(tests): no_preallocj=no_preallocj, auth=auth, authMechanism=authMechanism, + keyFile=keyFile, use_ssl=use_ssl, use_x509=use_x509).__enter__() primary = Connection(port=master.port, slave_okay=True); @@ -690,6 +672,7 @@ def run_tests(tests): no_preallocj=no_preallocj, auth=auth, authMechanism=authMechanism, + keyFile=keyFile, use_ssl=use_ssl, use_x509=use_x509).__enter__() @@ -915,7 +898,7 @@ def add_exe(e): def set_globals(options, tests): global mongod_executable, mongod_port, shell_executable, continue_on_failure, small_oplog, small_oplog_rs - global no_journal, set_parameters, set_parameters_mongos, no_preallocj, auth, authMechanism, keyFile, smoke_db_prefix, test_path, start_mongod + global no_journal, set_parameters, set_parameters_mongos, no_preallocj, auth, authMechanism, keyFile, keyFileData, smoke_db_prefix, test_path, start_mongod global use_ssl, use_x509 global file_of_commands_mode global report_file, use_write_commands @@ -965,6 +948,14 @@ def set_globals(options, tests): # default keyFile from jstests/libs/authTestsKey keyFile = os.path.join(mongo_repo, 'jstests', 'libs', 'authTestsKey') + if keyFile: + f = open(keyFile, 'r') + keyFileData = re.sub(r'\s', '', f.read()) # Remove all whitespace + f.close() + os.chmod(keyFile, stat.S_IRUSR | stat.S_IWUSR) + else: + keyFileData = None + # if smoke.py is running a list of commands read from a # file (or stdin) rather than running a suite of js tests file_of_commands_mode = options.File and options.mode == 'files' diff --git a/jstests/sharding/sharding_with_keyfile.js b/jstests/sharding/sharding_with_keyfile_auth.js similarity index 100% rename from jstests/sharding/sharding_with_keyfile.js rename to jstests/sharding/sharding_with_keyfile_auth.js 
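Review bot: The key file block added to `set_globals` in buildscripts/smoke.py opens the file without a `with` statement and tightens its permissions only after reading, so an exception from `f.read()` leaves the handle open and the file at its old mode. Since the same path is now handed to mongod through `--keyFile`, I would run `os.chmod(keyFile, stat.S_IRUSR | stat.S_IWUSR)` first and then read with `with open(keyFile, 'r') as f:` followed by `keyFileData = re.sub(r'\s', '', f.read())`. A short comment such as `# keyFileData is the shared key file secret; never print or log it` would also help, because the value becomes a module global. `set_globals` starts and ends outside the hunk.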
diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp index 2803ebbea08b8..41642aeec497c 100644 --- a/src/mongo/db/commands/authentication_commands.cpp +++ b/src/mongo/db/commands/authentication_commands.cpp @@ -144,7 +144,17 @@ namespace mongo { mutablebson::Document cmdToLog(cmdObj, mutablebson::Document::kInPlaceDisabled); redactForLogging(&cmdToLog); log() << " authenticate db: " << dbname << " " << cmdToLog << endl; + UserName user(cmdObj.getStringField("user"), dbname); + if (Command::testCommandsEnabled && + user.getDB() == "admin" && + user.getUser() == internalSecurity.user->getName().getUser()) { + // Allows authenticating as the internal user against the admin database. This is to + // support the auth passthrough test framework on mongos (since you can't use the local + // database on a mongos, so you can't auth as the internal user without this). + user = internalSecurity.user->getName(); + } + std::string mechanism = cmdObj.getStringField("mechanism"); if (mechanism.empty()) { mechanism = "MONGODB-CR"; diff --git a/src/mongo/shell/replsettest.js b/src/mongo/shell/replsettest.js index d76257449a618..cc40a080c15ff 100644 --- a/src/mongo/shell/replsettest.js +++ b/src/mongo/shell/replsettest.js @@ -454,7 +454,6 @@ ReplSetTest.prototype.initiate = function( cfg , initCmd , timeout ) { if ((jsTestOptions().keyFile || jsTestOptions().useX509) && cmdKey == 'replSetInitiate') { master = this.getMaster(); - jsTest.addAuth(master); jsTest.authenticateNodes(this.nodes); } } diff --git a/src/mongo/shell/servers.js b/src/mongo/shell/servers.js index 55db821c17e0a..b8e6977a89eb5 100755 --- a/src/mongo/shell/servers.js +++ b/src/mongo/shell/servers.js 
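Review bot: The remap added to the authenticate command in src/mongo/db/commands/authentication_commands.cpp runs before `mechanism` is read, so it applies to every mechanism, and it leaves no trace in the log, which has already printed only the requested `dbname`. Because it lets a client reach the internal user through `admin` whenever `Command::testCommandsEnabled` is set, I would log the substitution, e.g. `log() << " test-only: mapping admin user to internal user" << endl;`, and have the comment state that the branch must never be reachable with test commands disabled. It also shadows any real `admin` user that happens to share the internal user's name, which deserves a sentence in the comment. The enclosing function starts and ends outside the hunk.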
@@ -767,9 +767,6 @@ startMongodTest = function (port, dirname, restart, extraOptions ) { conn.name = (useHostname ? getHostName() : "localhost") + ":" + port; if (jsTestOptions().auth || jsTestOptions().keyFile || jsTestOptions().useX509) { - if (!this.shardsvr && !options.replSet && !options.hasOwnProperty("slave") && !restart) { - jsTest.addAuth(conn); - } jsTest.authenticate(conn); } return conn; @@ -824,6 +821,9 @@ function appendSetParameterArgs(argArray) { "authenticationMechanisms=" + jsTest.options().authMechanism]); } } + if (jsTest.options().auth) { + argArray.push.apply(argArray, ['--setParameter', "enableLocalhostAuthBypass=false"]); + } // mongos only options if (programName.endsWith('mongos')) { @@ -933,8 +933,8 @@ runMongoProgram = function() { if ( jsTestOptions().auth ) { args = args.slice(1); args.unshift( progName, - '-u', jsTestOptions().adminUser, - '-p', jsTestOptions().adminPassword, + '-u', jsTestOptions().authUser, + '-p', jsTestOptions().authPassword, '--authenticationMechanism', DB.prototype._defaultAuthenticationMechanism, '--authenticationDatabase=admin' ); @@ -959,8 +959,8 @@ startMongoProgramNoConnect = function() { if ( jsTestOptions().auth ) { args = args.slice(1); args.unshift(progName, - '-u', jsTestOptions().adminUser, - '-p', jsTestOptions().adminPassword, + '-u', jsTestOptions().authUser, + '-p', jsTestOptions().authPassword, '--authenticationMechanism', DB.prototype._defaultAuthenticationMechanism, '--authenticationDatabase=admin'); } diff --git a/src/mongo/shell/servers_misc.js b/src/mongo/shell/servers_misc.js index 868b6dbb3c21e..abb4f8080bbb2 100644 --- a/src/mongo/shell/servers_misc.js +++ b/src/mongo/shell/servers_misc.js 
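Review bot: In the `runMongoProgram` hunk of src/mongo/shell/servers.js, and the identical `startMongoProgramNoConnect` hunk, the credential is passed as `'-p', jsTestOptions().authPassword` on the child process command line. The other hunks of this commit suggest `authPassword` now carries the internal user's key rather than a throwaway admin password, so the shared secret would be visible in process listings and in any log that echoes argv; this is an inference, since the option's definition is not in the diff. At minimum I would add a comment above each `unshift` call: `// authPassword is the test key file secret; passing it on argv is acceptable only for the test key`. Both functions begin and end outside their hunks.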
@@ -216,9 +216,6 @@ ReplTest.prototype.start = function( master , options , restart, norepl ){ } else { var conn = startMongod.apply(null, o); if (jsTestOptions().keyFile || jsTestOptions().auth || jsTestOptions().useX509) { - if (master) { - jsTest.addAuth(conn); - } jsTest.authenticate(conn); } return conn; diff --git a/src/mongo/shell/shardingtest.js b/src/mongo/shell/shardingtest.js index 3895689f24a10..3c89067b550c5 100644 --- a/src/mongo/shell/shardingtest.js +++ b/src/mongo/shell/shardingtest.js @@ -400,7 +400,6 @@ ShardingTest = function( testName , numShards , verboseLevel , numMongos , other } if (jsTestOptions().keyFile || jsTestOptions().useX509) { - jsTest.addAuth( this.s ); jsTest.authenticate( this._configConnection ); jsTest.authenticateNodes( this._configServers ); jsTest.authenticateNodes( this._mongos ); diff --git a/src/mongo/shell/utils.js b/src/mongo/shell/utils.js index 367b970507cba..2c48a3c24d689 100644 --- a/src/mongo/shell/utils.js +++ b/src/mongo/shell/utils.js 
@@ -431,37 +431,7 @@ jsTest.randomize = function( seed ) { print( "Random seed for test : " + seed ) } -/** -* Adds a user to the admin DB on the given connection. This is only used for running the test suite -* with authentication enabled. -*/ -jsTest.addAuth = function(conn) { - // Get a connection over localhost so that the first user can be added. - var localconn = conn; - if ( localconn.host.indexOf('localhost') != 0 ) { - print( 'Getting locahost connection instead of ' + conn + ' to add first admin user' ); - var hosts = conn.host.split(','); - for ( var i = 0; i < hosts.length; i++ ) { - hosts[i] = 'localhost:' + hosts[i].split(':')[1]; - } - localconn = new Mongo(hosts.join(',')); - } - print ("Adding admin user on connection: " + localconn); - try { - localconn._skipAuth = true; // Make sure we don't try to authenticate the conn while adding the user - return localconn.getDB('admin').createUser({user: jsTestOptions().adminUser, - pwd: jsTestOptions().adminPassword, - roles: ["__system"]}, - {w: 'majority', wtimeout: 60000}); - } finally { - localconn._skipAuth = false; - } -} - jsTest.authenticate = function(conn) { - if (conn._skipAuth) { // To prevent us from trying to authenticate while in the process of adding user. - return true; - } if (!jsTest.options().auth && !jsTest.options().keyFile && !jsTest.options().useX509) { conn.authenticated = true; return true; 
@@ -472,13 +442,12 @@ jsTest.authenticate = function(conn) { // Set authenticated to stop an infinite recursion from getDB calling // back into authenticate. conn.authenticated = true; - print ("Authenticating to admin database as " + - jsTestOptions().adminUser + " with mechanism " + + print ("Authenticating as internal " + jsTestOptions().authUser + " user with mechanism " + DB.prototype._defaultAuthenticationMechanism + " on connection: " + conn); conn.authenticated = conn.getDB('admin').auth({ - user: jsTestOptions().adminUser, - pwd: jsTestOptions().adminPassword + user: jsTestOptions().authUser, + pwd: jsTestOptions().authPassword, }); return conn.authenticated; }, "Authenticating connection: " + conn, 5000, 1000);
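Review bot: The `conn.getDB('admin').auth({...})` call in this `jsTest.authenticate` hunk of src/mongo/shell/utils.js now depends on the server-side remap that the authentication_commands.cpp hunk enables only under `Command::testCommandsEnabled`, and nothing here says so. Against a server started without test commands the call would presumably keep failing inside the retry wrapper, whose start is outside the hunk. I would add a comment before the `print`: `// Authenticates as the internal user via admin; requires the server to run with test commands enabled`. The trailing comma after `pwd: jsTestOptions().authPassword,` also differs from the other object literals visible in this diff.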