[BUG] mongodb_user.present state overwrites password even though state is run in test mode (regression) #61348
Labels
Bug
broken, incorrect, or confusing behavior
Regression
The issue is a bug that breaks functionality known to work in previous releases.
severity-high
2nd top severity, seen by most users, causes major problems
Milestone
Description
When a mongodb user has already been created, the mongodb_user.present state will overwrite a users password and roles even though it is run in test mode (either via state.test or test=True).
Setup
Create a mongodb user with the mongodb_user.present state like this:
sls/mongodb/user.sls
The user will be created.
Now change the password in the user.sls state:
Then run the test state to see what should happen:
And e voila, the password is changed.
Steps to Reproduce the behavior
There are no debug logs, just info:
Expected behavior
When running with
state.test
ortest=True
, nothing should happen.Versions Report
Additional context
The issue seems to be here: https://github.com/saltstack/salt/blob/master/salt/states/mongodb_user.py#L133
No check for
__opts__["test"]
is done like for when a new user is supposed to be created: https://github.com/saltstack/salt/blob/master/salt/states/mongodb_user.py#L133So the module
mongodb.user_create
is run which in turn runs an add_user on the mdb connection and that updates passwords and roles.I do recall this not always being the case and looking in the develop branch, there is a check for
__opts__['test']
: https://github.com/saltstack/salt/blob/develop/salt/states/mongodb_user.py#L124This has caused a production outage in our case, because we ran the test state while our secret management system wasn't available (because of #61191) so our state generated all new passwords and updated all mongodb users with the new passwords even though we thought we only ran in test mode.
The text was updated successfully, but these errors were encountered: