Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-36463

Bypass validation of a dummy signatures for isMaster on the unauthenticated connections

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.6.7, 4.0.2, 4.1.2
    • Component/s: Sharding
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Backport Requested:
      v4.0, v3.6
    • Sprint:
      Sharding 2018-08-13, Sharding 2018-08-27
    • Case:

      Description

      isMaster command is a part of an authentication handshake protocol. Hence if the driver used __system user then it will fail on isMaster when trying to auth a connection as the __system gets a dummy signature by design.
      Bypassing the dummy signature on isMaster on unauthenticated connection will allow authentication to complete without exception.

      Suggested Implementation

      1. Factor out https://github.com/mongodb/mongo/blob/r4.1.1/src/mongo/db/initialize_operation_session_info.cpp#L52-L61 into a separate function hasAuthUsers
      2. Add

      bool needsSessionAndClusterTimeInit = requiresAuth() || hasAuthUsers(); // e.g. for the isMaster on the non-authenticated session will return true.
      

      3. pass needsSessionAndClusterTimeInit into readRequestMetadata and validate clusterTime if the condition met

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: