[SERVER-25526] Merge views_authz.js into auth commands library Created: 10/Aug/16  Updated: 19/Nov/16  Resolved: 06/Sep/16

Status: Closed
Project: Core Server
Component/s: Querying, Security
Affects Version/s: None
Fix Version/s: 3.3.14

Type: Task Priority: Major - P3
Reporter: Kyle Suarez Assignee: Kyle Suarez
Resolution: Done Votes: 0
Labels: read-only-views
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on SERVER-24724 Views works with authorization Closed
depends on SERVER-24769 Support $lookup and $graphLookup with... Closed
Related
related to SERVER-25983 Add views getMore/killCursors authz t... Closed
Backwards Compatibility: Fully Compatible
Sprint: Integration 2016-08-29, Integration 2016-09-19
Participants:

Description

The views_authz.js tests should be merged into the auth commands library and the file removed. This is not currently possible because jstests/auth/commands_builtin_roles.js runs each testcase with subsets of the privileges that testcase specifies, whereas the views authz special cases require an exact match. We should add an expectAuthzFailExact flag for an individual testcase and update the test runner appropriately.

In addition, once SERVER-24769 is complete, we can expand our authz test coverage by testing a successful $lookup/$graphLookup (directly and via $facet) on a series of views for which the user is authorized.
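To make the runner behaviour concrete, here is an added example (not code from the MongoDB repository or its jstests): a small model of an authz test runner that grants a testcase all of its privileges, then re-runs the command with each privilege removed in turn and expects an authorization failure, honouring a per-privilege `removeWhenTestingAuthzFailure: false` flag. The server-side check, the `commandPrivileges` field and the resource names are constructed for the example.

```javascript
// Returns true when a granted privilege covers a needed one (same resource,
// every needed action present). Constructed stand-in for the server's check.
function privilegeCovers(granted, needed) {
  return granted.resource === needed.resource &&
         needed.actions.every(a => granted.actions.includes(a));
}

// Constructed stand-in for server-side authorization of one command.
function hasPrivileges(granted, needed) {
  return needed.every(n => granted.some(g => privilegeCovers(g, n)));
}

// Runs one testcase the way the ticket describes: full privilege set must
// succeed; each single-privilege removal must fail with an authz error.
// With honorFlag=true, privileges marked removeWhenTestingAuthzFailure:false
// are never removed (the views special case); with honorFlag=false the naive
// subset behaviour is kept, which produces a spurious test failure below.
function runTestcase(tc, honorFlag = true) {
  const results = [];
  const record = (label, expectSuccess, granted) => {
    const ok = hasPrivileges(granted, tc.commandPrivileges);
    results.push({ label, expectSuccess, ok, pass: ok === expectSuccess });
  };
  record("all privileges", true, tc.privileges);
  tc.privileges.forEach((p, i) => {
    if (honorFlag && p.removeWhenTestingAuthzFailure === false) return;
    const label = `without ${p.resource}:${p.actions.join(",")}`;
    record(label, false, tc.privileges.filter((_, j) => j !== i));
  });
  return results;
}

// Constructed testcase: reading a view needs only find on the view; the
// insert privilege on the underlying collection exists for test setup and
// must not be used to probe for an authz failure.
const viewsFindCase = {
  privileges: [
    { resource: "test.myView", actions: ["find"] },
    { resource: "test.underlying", actions: ["insert"],
      removeWhenTestingAuthzFailure: false },
  ],
  commandPrivileges: [{ resource: "test.myView", actions: ["find"] }],
};
```

With the flag honoured every run passes; with the naive subset behaviour the run that drops the setup-only privilege still succeeds and is reported as a failing test.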
Comments
Comment by Githook User [ 06/Sep/16 ]

Author:

Kyle Suarez (ksuarz) <kyle.suarez@mongodb.com>

Message: SERVER-25526 add views authz tests to auth commands lib

Adds test infrastructure to handle special-case behavior for views when a
privilege specifies "removeWhenTestingAuthzFailure: false".

Also fixes SERVER-25825.
Branch: master
https://github.com/mongodb/mongo/commit/1f389ce467330cda1171d2a04bd0e0b2890aaf8d

Comment by Kyle Suarez [ 25/Aug/16 ]

We should also do a sweep of jstests/views/views_all_commands.js for this ticket and remove any lingering "TODO" comments for security-related commands. For example, we don't have to test grantPrivileges* commands for a privilege on a views resource since that is adequately tested in the auth commands lib.

Generated at Thu Feb 08 04:09:26 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.