Core Server / SERVER-54216

killAllSessions produces authorization error while killing own sessions


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Won't Fix
    • Operating System: ALL
    • Sprint: Security 2021-03-08, Security 2021-03-22, Security 2021-04-05

    Description

      https://docs.mongodb.com/manual/reference/command/killAllSessions/ says:

      > If the deployment enforces authentication/authorization, you must have the killAnySession to run the killAllSessions command.

      > Users can kill their own sessions even without killAnySession privilege action.

      I wrote a test program that created an unprivileged user and tried to kill this user's session:

      require 'mongo'

      # Connect as an administrative user ("dev") that is allowed to manage users.
      ac = Mongo::Client.new('mongodb://dev:dev@localhost:14430/admin')

      # (Re)create an unprivileged user "u" in the admin database with no roles at all.
      ac.database.users.remove('u') rescue nil
      ac.database.users.create('u', password: 'u', roles: [])

      # Authenticate as "u" (authSource=admin) and try to kill only that user's own sessions.
      c = Mongo::Client.new('mongodb://u:u@localhost:14430/test?authSource=admin')

      c.command(killAllSessions: [{user: 'u', db: 'admin'}])
      

      This produced an error:

      /home/w/.rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/mongo-2.14.0/lib/mongo/operation/result.rb:343:in `raise_operation_failure': not authorized on test to execute command { killAllSessions: [ { user: "u", db: "admin" } ], $db: "test", $readPreference: { mode: "primary" }, $clusterTime: { clusterTime: Timestamp(1612295875, 2), signature: { hash: BinData(0, FC221A2F292297A116C77126E8DFBB14A4A232EC), keyId: 6924477619006078979 } }, lsid: { id: UUID("bbd5742e-9f38-4137-b644-c94371244b69") } } (13) (on localhost:14430) (Mongo::Error::OperationFailure)
      

      It seems the server is not behaving as documented by not allowing the user to kill their own sessions.

      The session killing is part of unified test runner requirements (https://github.com/mongodb/specifications/blob/master/source/unified-test-format/unified-test-format.rst). On Atlas the killAllSession privilege is not granted to any user and is not grantable (https://jira.mongodb.org/browse/DOCSP-14305), and with the user being unable to kill their own sessions per this ticket, it seems the unified test runner cannot be executed on Atlas at all (as part of https://jira.mongodb.org/browse/DRIVERS-828).


People

  Assignee: backlog-server-security Backlog - Security Team
  Reporter: oleg.pudeyev@mongodb.com Oleg Pudeyev
