[SERVER-38557] Make auth passthrough suites use users with custom roles Created: 11/Dec/18  Updated: 02/Jan/19  Resolved: 02/Jan/19

Status: Closed
Project: Core Server
Component/s: Testing Infrastructure
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Spencer Jackson Assignee: Spencer Jackson
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by SERVER-38556 Decide what to do with transaction re... Closed
Related
related to SERVER-36137 Remove unnecessary AuthorizationManag... Closed
is related to SERVER-38556 Decide what to do with transaction re... Closed
Sprint: Security 2018-12-31, Security 2019-01-14
Participants:

 Description   

Periodically, new commands are introduced which can appear in Oplog entries. When the authorization subsystem sees an entry which applies to the admin database with a command it doesn't recognize, it doesn't know whether its internal caches are in sync with the on-disk representation of data. When this occurs, the authorization subsystem must disable custom roles.

We should modify our auth passthrough suites to use a custom user which obtains the __system role indirectly via a custom role. When a new command is written which appears in the oplog, this test will instantly fail.



 Comments   
Comment by Spencer Jackson [ 13/Dec/18 ]

An alternative might be to make the server invariant in our testing environment while entering the state where rolegraph resolution is degraded.

Generated at Thu Feb 08 04:49:17 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.