[SERVER-49165] endSessions command in Client.Disconnect causes an authorization failure for an unauthed connection on a host that requires authentication - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Minor - P4
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 4.7.0, 4.4.2, 4.2.11, 4.0.22
Component/s: None
Labels:
None

Backwards Compatibility:
Minor Change
Backport Requested:

v4.4, v4.2, v4.0
Sprint:
Security 2020-08-10, Security 2020-08-24, Security 2020-09-07
Case:

Description

Given an unauthed connection to a host that requires authentication, these connections still need to be closed, but when client.disconnect is called on those, disconnect runs the endSession which results in an authorization failure. Although this failure is not logged explicitly, it can still show up in the audit logs. It seems this would require a change to the sessions specification (https://github.com/mongodb/specifications/blob/master/source/sessions/driver-sessions.rst#endsession).

This issue arose in the monitoring module in the mongodb agent because it creates both the unauthed and authed client connections for all new hosts, independent of if the host requires authentication. These failures are showing up in the audit logs and can be concerning for customers from a security perspective.

Attachments

Issue Links

is duplicated by

SERVER-50211 Getting issue "ACCESS [conn298810] Unauthorized: not authorized on admin to execute command { endSessions: [ { id: UUID("acb7b7b0-5cfd-48d9-ae40-25e20d1ead63") } ], $db: "admin" }"

Closed

Activity

People

Assignee:: Sara Golemon

Reporter:: Julia Ruddy

Participants:: Divjot Arora, Githook User, Julia Ruddy, Sara Golemon, Spencer Jackson

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: May 21 2020 05:15:00 PM UTC

Updated:: May 09 2021 05:48:35 AM UTC

Resolved:: Aug 25 2020 06:05:49 PM UTC