While investigating X509 auth failures for PHPC-1077, I noticed that libmongoc appears to be appending session IDs to authenticate commands, which directly conflicts with the driver sessions specification. Consider the following trace:
[2018-01-04T15:45:01.441140+00:00] cluster: TRACE > ENTRY: _mongoc_cluster_auth_node():1262
[2018-01-04T15:45:01.441156+00:00] cluster: TRACE > TRACE: _mongoc_cluster_auth_node_x509():1024 X509: got username from URI
[2018-01-04T15:45:01.441174+00:00] mongoc: TRACE > ENTRY: mongoc_server_description_handle_ismaster():493
[2018-01-04T15:45:01.441191+00:00] mongoc: TRACE > EXIT: mongoc_server_description_handle_ismaster():654
[2018-01-04T15:45:01.441205+00:00] mongoc: TRACE > ENTRY: mongoc_cmd_parts_assemble():564
[2018-01-04T15:45:01.441216+00:00] mongoc: TRACE > TRACE: mongoc_cmd_parts_assemble():592 Preparing 'authenticate'
[2018-01-04T15:45:01.441240+00:00] client: TRACE > ENTRY: mongoc_client_start_session():1150
[2018-01-04T15:45:01.441252+00:00] mongoc: TRACE > ENTRY: _mongoc_topology_pop_server_session():1288
[2018-01-04T15:45:01.441263+00:00] mongoc: TRACE > ENTRY: _mongoc_server_session_new():222
[2018-01-04T15:45:01.441289+00:00] mongoc: TRACE > EXIT: _mongoc_server_session_new():240
[2018-01-04T15:45:01.441310+00:00] mongoc: TRACE > EXIT: _mongoc_topology_pop_server_session():1335
[2018-01-04T15:45:01.441322+00:00] mongoc: TRACE > ENTRY: _mongoc_client_session_new():291
[2018-01-04T15:45:01.441330+00:00] mongoc: TRACE > EXIT: _mongoc_client_session_new():308
[2018-01-04T15:45:01.441339+00:00] client: TRACE > EXIT: mongoc_client_start_session():1168
[2018-01-04T15:45:01.441352+00:00] mongoc: TRACE > EXIT: mongoc_cmd_parts_assemble():704
[2018-01-04T15:45:01.441369+00:00] stream: TRACE > ENTRY: _mongoc_stream_writev_full():502
[2018-01-04T15:45:01.441378+00:00] stream: TRACE > ENTRY: mongoc_stream_writev():150
[2018-01-04T15:45:01.441389+00:00] stream: TRACE > TRACE: mongoc_stream_writev():162 writev = 0x25ce4b0 [7]
[2018-01-04T15:45:01.441416+00:00] stream: TRACE > 00000: fd 00 00 00 01 00 00 00 00 00 00 00 dd 07 00 00 . . . . . . . . . . . . . . . .
[2018-01-04T15:45:01.441443+00:00] stream: TRACE > 00010: 00 00 00 00 00 e8 00 00 00 10 61 75 74 68 65 6e . . . . . . . . . . a u t h e n
[2018-01-04T15:45:01.441471+00:00] stream: TRACE > 00020: 74 69 63 61 74 65 00 01 00 00 00 02 6d 65 63 68 t i c a t e . . . . . . m e c h
[2018-01-04T15:45:01.441499+00:00] stream: TRACE > 00030: 61 6e 69 73 6d 00 0d 00 00 00 4d 4f 4e 47 4f 44 a n i s m . . . . . M O N G O D
[2018-01-04T15:45:01.441527+00:00] stream: TRACE > 00040: 42 2d 58 35 30 39 00 02 75 73 65 72 00 43 00 00 B - X 5 0 9 . . u s e r . C . .
[2018-01-04T15:45:01.441555+00:00] stream: TRACE > 00050: 00 43 3d 55 53 2c 53 54 3d 4e 65 77 20 59 6f 72 . C = U S , S T = N e w Y o r
[2018-01-04T15:45:01.441583+00:00] stream: TRACE > 00060: 6b 2c 4c 3d 4e 65 77 20 59 6f 72 6b 20 43 69 74 k , L = N e w Y o r k C i t
[2018-01-04T15:45:01.441611+00:00] stream: TRACE > 00070: 79 2c 4f 3d 4d 6f 6e 67 6f 44 42 2c 4f 55 3d 4b y , O = M o n g o D B , O U = K
[2018-01-04T15:45:01.441639+00:00] stream: TRACE > 00080: 65 72 6e 65 6c 55 73 65 72 2c 43 4e 3d 63 6c 69 e r n e l U s e r , C N = c l i
[2018-01-04T15:45:01.441663+00:00] stream: TRACE > 00090: 65 6e 74 00 02 24 64 62 00 0a 00 00 00 24 65 78 e n t . . $ d b . . . . . $ e x
[2018-01-04T15:45:01.441691+00:00] stream: TRACE > 000a0: 74 65 72 6e 61 6c 00 03 24 72 65 61 64 50 72 65 t e r n a l . . $ r e a d P r e
[2018-01-04T15:45:01.441717+00:00] stream: TRACE > 000b0: 66 65 72 65 6e 63 65 00 20 00 00 00 02 6d 6f 64 f e r e n c e . . . . . m o d
[2018-01-04T15:45:01.441742+00:00] stream: TRACE > 000c0: 65 00 11 00 00 00 70 72 69 6d 61 72 79 50 72 65 e . . . . . p r i m a r y P r e
[2018-01-04T15:45:01.441768+00:00] stream: TRACE > 000d0: 66 65 72 72 65 64 00 00 03 6c 73 69 64 00 1e 00 f e r r e d . . . l s i d . . .
[2018-01-04T15:45:01.441790+00:00] stream: TRACE > 000e0: 00 00 05 69 64 00 10 00 00 00 04 29 81 0f ea 8a . . . i d . . . . . . ) . . . .
[2018-01-04T15:45:01.441810+00:00] stream: TRACE > 000f0: b1 4c ab a4 d8 4d d0 a5 ac 13 6a 00 00 . L . . . M . . . . j . .
This causes X509 authentication to fail with a "there are no users authenticated" error message:
[2018-01-04T15:45:01.472077+00:00] stream: TRACE > TRACE: mongoc_stream_readv():237 readv = 0x7ffd0d23c9c0 [1]
[2018-01-04T15:45:01.472097+00:00] stream: TRACE > 00000: 4b 00 00 00 01 00 00 00 dd 07 00 00 00 00 00 00 K . . . . . . . . . . . . . . .
[2018-01-04T15:45:01.472117+00:00] stream: TRACE > 00010: 00 63 00 00 00 01 6f 6b 00 00 00 00 00 00 00 00 . c . . . . o k . . . . . . . .
[2018-01-04T15:45:01.472139+00:00] stream: TRACE > 00020: 00 02 65 72 72 6d 73 67 00 21 00 00 00 74 68 65 . . e r r m s g . ! . . . t h e
[2018-01-04T15:45:01.472162+00:00] stream: TRACE > 00030: 72 65 20 61 72 65 20 6e 6f 20 75 73 65 72 73 20 r e a r e n o u s e r s
[2018-01-04T15:45:01.472184+00:00] stream: TRACE > 00040: 61 75 74 68 65 6e 74 69 63 61 74 65 64 00 10 63 a u t h e n t i c a t e d . . c
[2018-01-04T15:45:01.472205+00:00] stream: TRACE > 00050: 6f 64 65 00 0d 00 00 00 02 63 6f 64 65 4e 61 6d o d e . . . . . . c o d e N a m
[2018-01-04T15:45:01.472227+00:00] stream: TRACE > 00060: 65 00 0d 00 00 00 55 6e 61 75 74 68 6f 72 69 7a e . . . . . U n a u t h o r i z
[2018-01-04T15:45:01.472239+00:00] stream: TRACE > 00070: 65 64 00 00 e d . .
Modifying _mongoc_cluster_auth_node_x509() to prohibit addition of an lsid field does appear to solve the issue. I'm at a loss for why the problem manifests itself this way, or why other authentication mechanisms in our test suite did not appear to be affected by this issue.
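The condition visible in the request trace, an `authenticate` command whose OP_MSG body also carries `lsid`, can be checked mechanically on captured request bytes, for example in a regression test. The C code below is an added example, not libmongoc code and not part of the original report: `auth_cmd_carries_lsid` and the sample message are constructed for illustration, and it assumes the kind-0 body section comes first (as in the trace) and handles only common BSON value types.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample modelled on the trace: OP_MSG carrying
 * { authenticate: 1, $db: "$external", lsid: { id: <16-byte binary> } } */
static const uint8_t sample[] = {
    0x63,0,0,0, 1,0,0,0, 0,0,0,0, 0xdd,0x07,0,0, /* header, opCode 2013 */
    0,0,0,0, 0x00, 0x4e,0,0,0,     /* flagBits, section kind 0, BSON length */
    0x10,'a','u','t','h','e','n','t','i','c','a','t','e',0, 1,0,0,0,
    0x02,'$','d','b',0, 10,0,0,0, '$','e','x','t','e','r','n','a','l',0,
    0x03,'l','s','i','d',0, 0x1e,0,0,0, 0x05,'i','d',0, 16,0,0,0, 0x04,
    0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15, 0x00, 0x00 };

static uint32_t le32(const uint8_t *p) {
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Byte size of a BSON value of type t at p; -1 if unsupported or truncated. */
static int64_t value_size(uint8_t t, const uint8_t *p, size_t left) {
    if (t == 0x01 || t == 0x12) return 8;                  /* double, int64 */
    if (t == 0x10 || t == 0x08) return t == 0x10 ? 4 : 1;  /* int32, bool */
    if (left < 4) return -1;
    if (t == 0x02 || t == 0x05) return (t == 0x05 ? 5 : 4) + (int64_t)le32(p);
    if (t == 0x03 || t == 0x04) return le32(p);            /* document, array */
    return -1;
}

/* Hypothetical helper. 1: authenticate with lsid; 0: otherwise; -1: malformed. */
int auth_cmd_carries_lsid(const uint8_t *msg, size_t len) {
    if (len < 26 || le32(msg) != len || le32(msg + 12) != 2013 || msg[20]) return -1;
    size_t end = 21 + (size_t)le32(msg + 21) - 1;  /* index of the BSON terminator */
    if (end < 25 || end >= len || msg[end] != 0) return -1;
    int first = 1, is_auth = 0, has_lsid = 0;
    for (size_t pos = 25; pos < end; first = 0) {
        uint8_t type = msg[pos++];
        const char *name = (const char *)msg + pos;
        const uint8_t *nul = memchr(name, 0, end - pos);
        if (!nul) return -1;
        pos = (size_t)(nul - msg) + 1;               /* first byte of the value */
        int64_t sz = value_size(type, msg + pos, end - pos);
        if (sz < 0 || (uint64_t)sz > end - pos) return -1;
        if (first && strcmp(name, "authenticate") == 0) is_auth = 1; /* command name */
        if (strcmp(name, "lsid") == 0) has_lsid = 1;
        pos += (size_t)sz;
    }
    return is_auth && has_lsid;
}

int main(void) { printf("%d\n", auth_cmd_carries_lsid(sample, sizeof sample)); return 0; }
```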
- causes
  - CDRIVER-2506 getMore doesn't always use same implicit session as find/aggregate/etc. (Closed)
- is caused by
  - CDRIVER-2192 Implement Driver Sessions API (Closed)
- is depended on by
  - PHPC-1077 Fix X509 test failures with libmongoc 1.9.0 and MongoDB 3.6 (Closed)
- related to
  - CDRIVER-3728 GSSAPI auth commands must not use implicit sessions (Closed)