|
I took a look at this ticket and wanted to leave a bit more context. authutil.asCluster() isn't particularly useful to ShardingTest's initialization because there won't be any users for the client to authenticate as. The following kind of change results in an error about the "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US" user not existing. This is why the sharding_with_x509.js test creates that user immediately before running the index consistency checks as part of shutting down the sharded cluster.
// The index consistency check that runs at shutdown authenticates as this
// x509 subject, so the user must exist on the cluster before shutdown begins.
const x509User = 'CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US';

// x509 users live in the $external database; grant __system so the check has
// every privilege it needs on every shard.
const externalDB = st.s.getDB('$external');
externalDB.createUser({user: x509User, roles: [{role: '__system', db: 'admin'}]});
|
diff --git a/src/mongo/shell/shardingtest.js b/src/mongo/shell/shardingtest.js
|
index 63f57bc0cc..99ac2745dd 100644
|
--- a/src/mongo/shell/shardingtest.js
|
+++ b/src/mongo/shell/shardingtest.js
|
@@ -1834,7 +1834,7 @@ var ShardingTest = function(params) {
|
{_flushRoutingTableCacheUpdates: "config.system.sessions"}));
|
};
|
|
- if (keyFileLocal) {
|
+ if (keyFileLocal || x509AuthRequired) {
|
authutil.asCluster(authConn, keyFileLocal, () => execFlushRT(conn));
|
} else {
|
execFlushRT(conn);
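Review bot: When the widened condition `if (keyFileLocal || x509AuthRequired)` is satisfied by `x509AuthRequired` alone, `keyFileLocal` is falsy at the `authutil.asCluster(authConn, keyFileLocal, ...)` call on the following line, so the helper is handed no keyfile for the x509 case. That argument is only meaningful on the keyfile path, so the two cases need separate branches rather than one shared call: `if (keyFileLocal) { authutil.asCluster(authConn, keyFileLocal, () => execFlushRT(conn)); } else if (x509AuthRequired) { /* x509-specific auth, not keyfile */ } else { execFlushRT(conn); }`. The enclosing function (and `execFlushRT`, whose body starts above `{_flushRoutingTableCacheUpdates: ...}`) begins outside the hunk.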
|
@@ -1842,7 +1842,7 @@ var ShardingTest = function(params) {
|
};
|
|
// TODO SERVER-45108: Enable support for x509 auth for _flushRoutingTableCacheUpdates.
|
- if (!otherParams.manualAddShard && !x509AuthRequired) {
|
+ if (!otherParams.manualAddShard) {
|
for (let i = 0; i < numShards; i++) {
|
const keyFileLocal =
|
(otherParams.shards && otherParams.shards[i] && otherParams.shards[i].keyFile)
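Review bot: The `// TODO SERVER-45108: Enable support for x509 auth for _flushRoutingTableCacheUpdates.` comment directly above the changed condition is left in place, but the hunk removes the `!x509AuthRequired` exclusion that the TODO was explaining, so the comment is now stale and will mislead the next reader into thinking x509 is still skipped here. Either drop the TODO or reword it to say what remains open, e.g. `// SERVER-45108: x509 auth is now handled in the flush helper above; remove this note once the ticket is closed.` The same stale comment survives in the corresponding hunk of the second diff on this page, which should be updated the same way. The enclosing `for` loop and function continue outside the hunk.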
|
Instead, the pattern in ReplSetTest with runFnWithAuthOnPrimary() would be to create a separate mongo shell process which authenticates as a member of the cluster (i.e. the same way the mongod and mongos processes authenticate to each other) and runs any initialization commands. A separate mongo shell process must be used to supply a different --tlsCertificateKeyFile (aka --sslPEMKeyFile) than the one specified in the ssl.yml test suite file.
diff --git a/src/mongo/shell/shardingtest.js b/src/mongo/shell/shardingtest.js
|
index 63f57bc0cc..8e324c9dab 100644
|
--- a/src/mongo/shell/shardingtest.js
|
+++ b/src/mongo/shell/shardingtest.js
|
@@ -1836,13 +1836,31 @@ var ShardingTest = function(params) {
|
|
if (keyFileLocal) {
|
authutil.asCluster(authConn, keyFileLocal, () => execFlushRT(conn));
|
+ } else if (x509AuthRequired) {
|
+ const exitCode = _runMongoProgram(
|
+ ...["mongo",
|
+ conn.host,
|
+ "--tls",
|
+ "--tlsAllowInvalidHostnames",
|
+ "--tlsCertificateKeyFile",
|
+ conn.fullOptions.tlsCertificateKeyFile ? conn.fullOptions.tlsCertificateKeyFile
|
+ : conn.fullOptions.sslPEMKeyFile,
|
+ "--tlsCAFile",
|
+ conn.fullOptions.tlsCAFile ? conn.fullOptions.tlsCAFile
|
+ : conn.fullOptions.sslCAFile,
|
+ "--authenticationDatabase=$external",
|
+ "--authenticationMechanism=MONGODB-X509",
|
+ "--eval",
|
+ `(${execFlushRT.toString()})(db.getMongo())`,
|
+ ]);
|
+ assert.eq(0, exitCode, "parallel shell for x509 auth failed");
|
} else {
|
execFlushRT(conn);
|
}
|
};
|
|
// TODO SERVER-45108: Enable support for x509 auth for _flushRoutingTableCacheUpdates.
|
- if (!otherParams.manualAddShard && !x509AuthRequired) {
|
+ if (!otherParams.manualAddShard) {
|
for (let i = 0; i < numShards; i++) {
|
const keyFileLocal =
|
(otherParams.shards && otherParams.shards[i] && otherParams.shards[i].keyFile)
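Review bot: The certificate and CA fallbacks on the `--tlsCertificateKeyFile` and `--tlsCAFile` arguments (`conn.fullOptions.tlsCertificateKeyFile ? ... : conn.fullOptions.sslPEMKeyFile` and the matching `sslCAFile` pair) can both resolve to `undefined` when the connection carries neither option name, and that value is then spliced into the argv of the spawned shell, which presumably fails with an opaque TLS error rather than pointing at the missing option. Resolving the paths first and asserting on them gives a clear failure: `const certFile = conn.fullOptions.tlsCertificateKeyFile || conn.fullOptions.sslPEMKeyFile;` / `const caFile = conn.fullOptions.tlsCAFile || conn.fullOptions.sslCAFile;` / `assert(certFile && caFile, "x509 auth needs a certificate key file and CA file on the connection");`. The `--tlsAllowInvalidHostnames` flag silently disables hostname verification for this spawned shell, which is presumably acceptable only because the test talks to locally started processes, and deserves a one-line comment saying so; the `...["mongo", ...]` spread also adds nothing over passing the arguments to `_runMongoProgram` directly. The `--eval` string serializes `execFlushRT` with `toString()`, so anything that function closes over from the enclosing scope will not exist in the new shell process — its body starts above the hunk, as does the enclosing function.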
|
|