SERVER-82544 Support unsigned token in mongoq simulator and change NTDI dollar tenant jscore passthrough

Author: sophiatll

buildscripts/resmokeconfig/suites/change_streams_multitenant_passthrough.yml

@@ -78,7 +78,7 @@ executor:
         globalThis.testingReplication = true;
         await import('jstests/libs/override_methods/set_read_and_write_concerns.js');
         await import('jstests/libs/override_methods/enable_causal_consistency_without_read_pref.js');
-        await import('jstests/libs/override_methods/inject_dollar_tenant.js');
+        await import('jstests/libs/override_methods/simulate_mongoq.js');
   hooks:
   # The CheckReplDBHash hook waits until all operations have replicated to and have been applied
   # on the secondaries, so we run the ValidateCollections hook after it to ensure we're

buildscripts/resmokeconfig/suites/multitenancy_with_atlas_proxy_jscore_passthrough.yml

@@ -56,6 +56,7 @@ executor:
           tenantId: "636d957b2646ddfaf9b5e13f"
           hashTestNamesForMultitenancy: true
           useSecurityToken: true
+          useResponsePrefixChecking: true
   hooks:
   - class: CheckReplOplogs
   - class: CheckReplDBHash

buildscripts/resmokeconfig/suites/multitenancy_with_mongoq_jscore_passthrough.yml

@@ -8,6 +8,8 @@ selector:
   - jstests/core/**/*.js
   - jstests/aggregation/**/*.js
   exclude_with_any_tags:
+  # This passthrough uses the `simulate_mongoq` override, which some tests are incompatible with.
+  - simulate_mongoq_incompatible
   # Exclude tests which use commands that aren't supported in Serverless.
   - command_not_supported_in_serverless
   # Exclude tests which we know use commands that don't support a security token.
@@ -58,13 +60,13 @@ selector:
   # defaultPrompt() calls buildInfo command which is not allowed with security token.
   - jstests/core/txns/shell_prompt_in_transaction.js
   # Cannot test the user is not allowed to create indexes in config.transactions as the
-  # inject_security_token.js runs command on tenant's config.transactions.
+  # simulate_mongoq.js runs command on tenant's config.transactions.
   - jstests/core/**/create_indexes.js
   # checkLog calls getLog command which is not allowed  with security token.
   - jstests/core/**/doc_validation_options.js
-  # exhaust does not use runCommand (required by the inject_security_token.js override).
+  # exhaust does not use runCommand (required by the simulate_mongoq.js override).
   - jstests/core/**/exhaust.js
-  # This test does not use same connection on same database (required by the inject_security_token.js override).
+  # This test does not use same connection on same database (required by the simulate_mongoq.js override).
   - jstests/core/txns/write_conflicts_with_non_txns.js
   # In a multitenancy environment the catalog will always return tenant-prefixed entries, and the
   # override we use in this suite checks for the absence of a prefix breaking the list_catalog tests.
@@ -74,7 +76,7 @@ selector:
   # Queryable encryption test performs implicit encryption which issues commands that don't
   # include the security token.
   - jstests/core/queryable_encryption/**/*.js
-  # These following tests use benchRun which does not use runCommand (required by the inject_security_token.js override).
+  # These following tests use benchRun which does not use runCommand (required by the simulate_mongoq.js override).
   - jstests/core/**/bench_test1.js
   - jstests/core/**/bench_test2.js
   - jstests/core/**/benchrun_cmd_param_error.js
@@ -95,9 +97,11 @@ executor:
     shell_options:
       eval: |
         globalThis.testingReplication = true;
-        await import('jstests/libs/override_methods/inject_security_token.js');
+        await import('jstests/libs/override_methods/simulate_mongoq.js');
       global_vars:
         TestData: &TestData
+          tenantId: "636d957b2646ddfaf9b5e13a"
+          useSignedSecurityToken: true
           hashTestNamesForMultitenancy: true
           testOnlyValidatedTenancyScopeKey: secret
   hooks:
@@ -111,7 +115,7 @@ executor:
     n: 20
   fixture:
     class: ReplicaSetFixture
-    num_nodes: 3
+    num_nodes: 2
     mongod_options:
       set_parameters:
         enableTestCommands: 1

buildscripts/resmokeconfig/suites/native_tenant_data_isolation_with_dollar_tenant_jscore_passthrough.yml renamed to buildscripts/resmokeconfig/suites/multitenancy_with_mongoq_unsigned_token_jscore_passthrough.yml

@@ -1,21 +1,14 @@
-config_variables:
-- &keyFile jstests/libs/authTestsKey
-- &keyFileData Thiskeyisonlyforrunningthesuitewithauthenticationdontuseitinanytestsdirectly
-- &authOptions
-  authenticationDatabase: local
-  authenticationMechanism: SCRAM-SHA-256
-  password: *keyFileData
-  username: __system
-
 test_kind: js_test
 description: |
   Run test suites with a replica set and multitenancy enabled. Simulate the mongoq behavior
-  by overriding and injecting "$tenant".
+  by overriding and injecting unsigned security token.
 
 selector:
   roots:
   - jstests/core/**/*.js
   exclude_with_any_tags:
+  # This passthrough uses the `simulate_mongoq` override, which some tests are incompatible with.
+  - simulate_mongoq_incompatible
   # Exclude tests which use commands that aren't supported in Serverless.
   - command_not_supported_in_serverless
   # Theses tests expect replication is not enabled.
@@ -25,21 +18,21 @@ selector:
   # Server side javascript (such as $where, $function, $accumulator and map-reduce) is not allowed in Serverless.
   - requires_scripting
   - uses_map_reduce_with_temp_collections
-  # This test suite creates connection with user "__system", so cannot be authenticated again with different user.
+  # Skip any tests that run with auth explicitly.
   - requires_auth
   # Sharding commands are not tenant aware.
   - requires_sharding
   # Columnstore indexes are under development and cannot be used without enabling the feature flag
   - featureFlagColumnstoreIndexes
   exclude_files:
-  # The "exhaust" function does not use runCommand (required by the inject_security_token.js override).
+  # The "exhaust" function does not use runCommand (required by the simulate_mongoq.js override).
   - jstests/core/**/exhaust.js
-  # These following tests use benchRun which does not use runCommand (required by the inject_dollar_tenant.js override).
+  # These following tests use benchRun which does not use runCommand (required by the simulate_mongoq.js override).
   - jstests/core/**/bench_test1.js
   - jstests/core/**/bench_test2.js
   - jstests/core/**/benchrun_cmd_param_error.js
   - jstests/core/**/benchrun_pipeline_updates.js
-  # These tests run "applyOps" command which does not depend on $tenant to pass in tenant information.
+  # These tests run "applyOps" command which does not depend on unsigned security token pass in tenant information.
   # The tenantId is provided in the oplog entries provided to the applyOps command.
   - jstests/core/**/apply_ops*.js
   - jstests/core/**/bypass_doc_validation.js
@@ -58,8 +51,6 @@ selector:
   - jstests/core/views/view_with_invalid_dbname.js
   - jstests/core/views/views_all_commands.js
   - jstests/core/views/invalid_view_prevents_creating_new_view.js
-  # This test expects a specific error message, which does not match the error message generated in authentication mode.
-  - jstests/core/**/commands_with_uuid.js
   # Sharding command "splictVector" is not tenant aware.
   - jstests/core/**/splitvector.js
   # Sharding command "_shardsvrCreateGlobalIndex" is not tenant aware.
@@ -75,7 +66,7 @@ selector:
   # In a multitenancy environment the catalog will always return tenant-prefixed entries, so the
   # list_catalog test will be broken as it checks for non-tenant-prefixed entries.
   - jstests/core/**/list_catalog.js
-  # These tests create a new thread, so $tenant won't be properly injected.
+  # These tests create a new thread, so unsigned security token won't be properly injected.
   - jstests/core/txns/transactions_block_ddl.js
   - jstests/core/txns/write_conflicts_with_non_txns.js
   - jstests/core/txns/kill_op_on_txn_expiry.js
@@ -85,8 +76,14 @@ selector:
   # the requests causes the test to fails due to a mismatch.
   - jstests/core/api//apitest_db_profile_level.js
   # Queryable encryption test requires an internal connection for the keyvault that does not
-  # inject a $tenant.
+  # inject a security token.
   - jstests/core/queryable_encryption/**/*.js
+  # TODO SERVER-82748: make "configureFailPoint" support unsigned security token.
+  - jstests/core/administrative/profile/profile_hide_index.js
+  - jstests/core/failcommand_failpoint.js
+  - jstests/core/comment_field.js
+  # TODO SERVER-81009: fix VTS missing from opCtx for distinct transactions.
+  - jstests/core/txns/view_reads_in_transaction.js
 
 executor:
   archive:
@@ -97,48 +94,26 @@ executor:
       - ValidateCollections
   config:
     shell_options:
-      # In order to use $tenant, connect mongod with user "_system" which can be authenticated with ActionType::useTenant.
-      <<: *authOptions
       eval: |
-        jsTest.authenticate(db.getMongo());
         globalThis.testingReplication = true;
-        await import('jstests/libs/override_methods/inject_dollar_tenant.js');
+        await import('jstests/libs/override_methods/simulate_mongoq.js');
       global_vars:
         TestData: &TestData
           tenantId: "636d957b2646ddfaf9b5e13f"
+          useSignedSecurityToken: false
           hashTestNamesForMultitenancy: true
-          auth: true
-          authMechanism: SCRAM-SHA-256
-          keyFile: *keyFile
-          keyFileData: *keyFileData
-          roleGraphInvalidationIsFatal: true
   hooks:
   # The CheckReplDBHash hook waits until all operations have replicated to and have been applied
   # on the secondaries, so we run the ValidateCollections hook after it to ensure we're
   # validating the entire contents of the collection.
   - class: CheckReplOplogs
-    shell_options:
-      global_vars:
-        TestData: *TestData
-      eval: jsTest.authenticate(db.getMongo())
-      <<: *authOptions
   - class: CheckReplDBHash
-    shell_options:
-      global_vars:
-        TestData: *TestData
-      eval: jsTest.authenticate(db.getMongo())
-      <<: *authOptions
   - class: ValidateCollections
-    shell_options:
-      global_vars:
-        TestData: *TestData
-      eval: jsTest.authenticate(db.getMongo())
-      <<: *authOptions
   - class: CleanEveryN
     n: 20
   fixture:
     class: ReplicaSetFixture
-    num_nodes: 3
+    num_nodes: 2
     mongod_options:
       set_parameters:
         enableTestCommands: 1
@@ -147,7 +122,4 @@ executor:
         featureFlagRequireTenantID: true
         logComponentVerbosity:
           command: 2
-      auth: ''
-      keyFile: *keyFile
       noscripting: ''
-    auth_options: *authOptions

etc/evergreen_yml_components/definitions.yml

@@ -6851,7 +6851,7 @@ tasks:
       use_large_distro: "true"
 
 - <<: *gen_task_template
-  name: native_tenant_data_isolation_with_dollar_tenant_jscore_passthrough_gen
+  name: multitenancy_with_mongoq_unsigned_token_jscore_passthrough_gen
   tags: ["serverless"]
   commands:
   - func: "generate resmoke tasks"

jstests/aggregation/explain_per_stage_exec_stats.js

@@ -6,8 +6,9 @@
  *  @tags: [
  *      # The response to `$changeStream` will contain a db name different from the one requested.
  *      # This expected behavior is incompatible with the prefix matching check between the request
- *      # and reply used by ‘simluate_atlas_proxy’.
+ *      # and reply used by simulate_atlas_proxy and simulate_mongoq overrides.
  *      simulate_atlas_proxy_incompatible,
+ *      simulate_mongoq_incompatible,
  *  ]
  */
 

jstests/core/administrative/builtin_roles_external.js

@@ -1,6 +1,12 @@
 /**
  * Attempting to enumerate roles on the $external database should return an empty set.
- * @tags: [requires_fcv_60,tenant_migration_incompatible]
+ * @tags: [
+ *  requires_fcv_60,
+ *  tenant_migration_incompatible,
+ *  # `rolesInfo` response has empty database name that doesn't work with the response checker of
+ *  # simulate_mongoq override.
+ *  simulate_mongoq_incompatible,
+ * ]
  */
 function assertBuiltinRoles(dbname, shouldHaveRoles) {
     const allRoles = assert

jstests/core/index/geo/geo_big_polygon3.js

@@ -19,6 +19,8 @@
 //   requires_non_retryable_writes,
 //   # This test has statements that do not support non-local read concern.
 //   does_not_support_causal_consistency,
+//   # Uses mapReduce.
+//   requires_scripting,
 // ]
 
 import {FixtureHelpers} from "jstests/libs/fixture_helpers.js";

jstests/core/roles_info.js

@@ -5,6 +5,9 @@
 //   not_allowed_with_security_token,
 //   requires_multi_updates,
 //   requires_non_retryable_commands,
+//   # `rolesInfo` response has empty database name that doesn't work with the response checker of
+//   # simulate_mongoq override.
+//   simulate_mongoq_incompatible,
 // ]
 
 // Setup some sample roles.