Core Server / SERVER-54216

killAllSessions produces authorization error while killing own sessions


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None
    • Operating System: ALL
    • Sprint: Security 2021-03-08, Security 2021-03-22, Security 2021-04-05

      Description

      https://docs.mongodb.com/manual/reference/command/killAllSessions/ says:

      > If the deployment enforces authentication/authorization, you must have the killAnySession privilege action to run the killAllSessions command.

      > Users can kill their own sessions even without killAnySession privilege action.

      I wrote a test program that created an unprivileged user and tried to kill this user's session:

      require 'mongo'

      # Administrative connection: 'dev' is assumed to have user-management rights on admin.
      ac = Mongo::Client.new('mongodb://dev:dev@localhost:14430/admin')

      # Recreate the test user 'u' with no roles at all (ignore "user not found" on first run).
      ac.database.users.remove('u') rescue nil
      ac.database.users.create('u', password: 'u', roles: [])

      # Connect as the unprivileged user; authSource=admin because that is where 'u' was created.
      c = Mongo::Client.new('mongodb://u:u@localhost:14430/test?authSource=admin')

      # Pattern names only the authenticated user's own sessions, which the docs say
      # should be permitted without the killAnySession privilege action.
      c.command(killAllSessions: [{ user: 'u', db: 'admin' }])

      This produced an error:

      /home/w/.rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/mongo-2.14.0/lib/mongo/operation/result.rb:343:in `raise_operation_failure': not authorized on test to execute command { killAllSessions: [ { user: "u", db: "admin" } ], $db: "test", $readPreference: { mode: "primary" }, $clusterTime: { clusterTime: Timestamp(1612295875, 2), signature: { hash: BinData(0, FC221A2F292297A116C77126E8DFBB14A4A232EC), keyId: 6924477619006078979 } }, lsid: { id: UUID("bbd5742e-9f38-4137-b644-c94371244b69") } } (13) (on localhost:14430) (Mongo::Error::OperationFailure)
      

      It seems the server is not behaving as documented by not allowing the user to kill their own sessions.

      The session killing is part of unified test runner requirements (https://github.com/mongodb/specifications/blob/master/source/unified-test-format/unified-test-format.rst). On Atlas the killAllSession privilege is not granted to any user and is not grantable (https://jira.mongodb.org/browse/DOCSP-14305), and with the user being unable to kill their own sessions per this ticket, the unified test runner cannot be executed on Atlas at all, it seems (as part of https://jira.mongodb.org/browse/DRIVERS-828).
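The following Ruby script is an added example; it is not code from the ticket, the Ruby driver or the MongoDB server. It models the authorization rule the quoted documentation describes (the caller holds killAnySession, or every pattern names only the caller's own user and authentication database) as pure functions, so the expectation behind the reporter's test and the error code 13 (Unauthorized) the server actually returned can be written down as checkable cases and run offline. The hash shape used for the principal, the `command_db` field and the simulated result document are assumptions of this example, not driver or server types.

```ruby
# Added example: a model of the documented killAllSessions authorization rule.
# Not MongoDB server code; constructed to make the reporter's expectation explicit.

KILL_ANY_SESSION = 'killAnySession'.freeze
UNAUTHORIZED_CODE = 13 # error code in the reporter's output (codeName "Unauthorized")

# principal: { user:, db:, privileges:, command_db: } (constructed shape for this example;
#   db is the authentication database, command_db the database the command is issued on)
# patterns:  the array passed as the killAllSessions: value
def kill_all_sessions_authorized?(principal, patterns)
  # Holders of the privilege action may kill any session.
  return true if principal[:privileges].include?(KILL_ANY_SESSION)
  # An empty pattern list means "every session on the deployment"; that needs the privilege.
  return false if patterns.nil? || patterns.empty?
  # Per the docs, an unprivileged user may kill only their own sessions: every pattern
  # must name exactly the authenticated user and its authentication database.
  patterns.all? { |p| p[:user] == principal[:user] && p[:db] == principal[:db] }
end

# The command document the driver sends for a given pattern list.
def kill_all_sessions_command(patterns)
  { killAllSessions: patterns }
end

# Simulates the server's decision as a result document: ok, or the error shape the
# reporter saw (assumed layout, modelled on the errmsg in the ticket).
def simulate_kill_all_sessions(principal, patterns)
  if kill_all_sessions_authorized?(principal, patterns)
    { 'ok' => 1.0 }
  else
    {
      'ok' => 0.0,
      'code' => UNAUTHORIZED_CODE,
      'codeName' => 'Unauthorized',
      'errmsg' => "not authorized on #{principal[:command_db]} to execute command " \
                  "#{kill_all_sessions_command(patterns)}"
    }
  end
end

# Constructed scenarios mirroring the ticket: 'u' has no roles, 'dev' is the admin.
UNPRIVILEGED = { user: 'u', db: 'admin', privileges: [], command_db: 'test' }.freeze
ADMIN_USER   = { user: 'dev', db: 'admin', privileges: [KILL_ANY_SESSION], command_db: 'admin' }.freeze

OWN_ONLY     = [{ user: 'u', db: 'admin' }].freeze
SOMEONE_ELSE = [{ user: 'dev', db: 'admin' }].freeze
MIXED        = (OWN_ONLY + SOMEONE_ELSE).freeze
WRONG_DB     = [{ user: 'u', db: 'test' }].freeze # same name, different auth db: not "own"

if __FILE__ == $PROGRAM_NAME
  [[UNPRIVILEGED, OWN_ONLY], [UNPRIVILEGED, SOMEONE_ELSE], [UNPRIVILEGED, MIXED],
   [UNPRIVILEGED, WRONG_DB], [UNPRIVILEGED, []], [ADMIN_USER, MIXED]].each do |who, pats|
    puts "#{who[:user]} #{pats.inspect} => #{simulate_kill_all_sessions(who, pats).inspect}"
  end
end
```

The first case (unprivileged user, own-user pattern) is the one the reporter's script exercises: under the documented rule it is authorized, while the server in the ticket answered with code 13. The model is useful as a pre-check in a test harness: if a pattern list is not entirely "own sessions" and the user lacks killAnySession, the command will be refused on any deployment, including Atlas where the privilege cannot be granted.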

      People

      Assignee: backlog-server-security (Backlog - Security Team)
      Reporter: oleg.pudeyev (Oleg Pudeyev)
      Votes: 0
      Watchers: 9