Core Server / SERVER-54216

killAllSessions produces authorization error while killing own sessions

    • Type: Bug
    • Resolution: Won't Fix
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Server Security
    • ALL
    • Security 2021-03-08, Security 2021-03-22, Security 2021-04-05

      https://docs.mongodb.com/manual/reference/command/killAllSessions/ says:

      > If the deployment enforces authentication/authorization, you must have the killAnySession to run the killAllSessions command.

      > Users can kill their own sessions even without killAnySession privilege action.

      I wrote a test program that created an unprivileged user and tried to kill this user's session:

      require 'mongo'
      
      # Privileged connection, used only to set up the test user
      ac = Mongo::Client.new('mongodb://dev:dev@localhost:14430/admin')
      
      # Recreate user 'u' in the admin database with no roles at all
      ac.database.users.remove('u') rescue nil
      ac.database.users.create('u', password: 'u', roles: [])
      
      # Connect as the unprivileged user (authenticating against admin)
      c = Mongo::Client.new('mongodb://u:u@localhost:14430/test?authSource=admin')
      
      # Try to kill this user's own sessions without holding killAnySession
      c.command(killAllSessions: [{user: 'u', db: 'admin'}])
      

      This produced an error:

      /home/w/.rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/mongo-2.14.0/lib/mongo/operation/result.rb:343:in `raise_operation_failure': not authorized on test to execute command { killAllSessions: [ { user: "u", db: "admin" } ], $db: "test", $readPreference: { mode: "primary" }, $clusterTime: { clusterTime: Timestamp(1612295875, 2), signature: { hash: BinData(0, FC221A2F292297A116C77126E8DFBB14A4A232EC), keyId: 6924477619006078979 } }, lsid: { id: UUID("bbd5742e-9f38-4137-b644-c94371244b69") } } (13) (on localhost:14430) (Mongo::Error::OperationFailure)
      

      It seems the server is not behaving as documented by not allowing the user to kill their own sessions.

      The session killing is part of the unified test runner requirements (https://github.com/mongodb/specifications/blob/master/source/unified-test-format/unified-test-format.rst). On Atlas the killAllSession privilege is not granted to any user and is not grantable (https://jira.mongodb.org/browse/DOCSP-14305), and with the user being unable to kill their own sessions per this ticket, the unified test runner cannot be executed on Atlas at all, it seems (as part of https://jira.mongodb.org/browse/DRIVERS-828).
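      Added reproducer, not the reporter's script and not MongoDB project code: it opens an explicit session as the same kind of unprivileged user and tries the two self-kill paths the linked docs describe, killAllSessions with a {user, db} pattern (the ticket's case) and killSessions with the session's own lsid, then reports which one the server authorizes. The URIs, port and user names mirror the ticket's setup and are assumptions; the mongo gem's start_session/session_id API and the error code 13 (from the ticket's stack trace) are what the classification relies on. The live part only runs when invoked with `--live` against a server.

```ruby
# Added reproducer (not from the ticket or the MongoDB project). Assumed setup:
# a mongod on localhost:14430 with admin user dev:dev, as in the ticket.
ADMIN_URI = 'mongodb://dev:dev@localhost:14430/admin'              # assumed
USER_URI  = 'mongodb://u:u@localhost:14430/test?authSource=admin'  # assumed
UNAUTHORIZED = 13 # server error code shown in the ticket's OperationFailure

# Command document for the ticket's path: kill every session of user u@admin.
def kill_all_sessions_cmd(user, db)
  { killAllSessions: [{ user: user, db: db }] }
end

# Command document for the other documented path: kill one session by its
# lsid ({ id: <UUID> }), exactly as the driver sends it with each operation.
def kill_sessions_cmd(session_id)
  { killSessions: [session_id] }
end

# Reduce a server error code (nil on success) to a coarse outcome.
def outcome_for(code)
  return :allowed if code.nil?
  code == UNAUTHORIZED ? :unauthorized : :other_error
end

# Compare the two paths. The docs promise both work for the caller's own
# sessions without killAnySession; anything else is the deviation to report.
def verdict(by_user_pattern, by_own_lsid)
  case [by_user_pattern, by_own_lsid]
  when [:allowed, :allowed]
    'self-kill works on both paths (documented behaviour)'
  when [:unauthorized, :allowed]
    'killAllSessions by user pattern needs killAnySession; killSessions by own lsid works'
  when [:unauthorized, :unauthorized]
    'no self-kill path is authorized for this user'
  else
    "unexpected outcomes: #{by_user_pattern.inspect} / #{by_own_lsid.inspect}"
  end
end

# Run one command as the unprivileged client; nil on success, else the code.
def attempt(client, cmd)
  client.database.command(cmd)
  nil
rescue Mongo::Error::OperationFailure => e
  e.code
end

def run_live
  require 'mongo' # driver needed only for the live part (mongo gem, assumed)
  admin = Mongo::Client.new(ADMIN_URI)
  admin.database.users.remove('u') rescue nil
  admin.database.users.create('u', password: 'u', roles: [])

  user = Mongo::Client.new(USER_URI)
  session = user.start_session
  # Send one operation on the session so the server has seen its lsid.
  user.database.command({ ping: 1 }, session: session)
  lsid = session.session_id # BSON document of the form { 'id' => <UUID> }

  by_user = outcome_for(attempt(user, kill_all_sessions_cmd('u', 'admin')))
  by_lsid = outcome_for(attempt(user, kill_sessions_cmd(lsid)))
  puts verdict(by_user, by_lsid)
  [by_user, by_lsid]
ensure
  user&.close
  admin&.close
end

run_live if ARGV.include?('--live')
```

      Usage: `ruby repro.rb --live` against the assumed deployment. A verdict other than the first line means the server is not honouring the "users can kill their own sessions" clause for at least one of the two commands; the second line is the split a driver test runner could work around by killing only sessions it started itself.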

            Assignee: Backlog - Security Team
            Reporter: Oleg Pudeyev (Inactive)
            Votes: 0
            Watchers: 9