  1. Core Server
  2. SERVER-72357

Authorization contract record of a command should be cleared once the command is completed

Details

    • Bug
    • Resolution: Duplicate
    • Major - P3
    • Server Security
    • ALL
    • Security 2023-09-18, Security 2023-10-02, Security 2023-10-16, Security 2024-01-22

    Description

      The issue was found when we tested multi_statement_transaction_command_args.js against an auth-enabled replica set. The “native_tenant_data_isolation_with_dollar_tenant_jscore_passthrough” test suite defines such a test environment.

      Here is the issue:
      In multi_statement_transaction_command_args.js, when executing a transaction operation with "autocommit=true", the test expects an InvalidOptions error caused by "Specifying autocommit=true is not allowed". But if auth is enabled on the mongod server, this jstest fails with the authorization error "Authorization Session contains more authorization checks then permitted by contract". This is not the designed behavior.

      The investigation of the issue:
      This jstest case executes a "find" command and then an "insert" command. The "insert" command gets an error ("InvalidOptions", which is expected) when calling the "initializeOperationSessionInfo" function, before "authzSession->startContractTracking()" is called. Then the service entry tries to verify the contract by comparing the contract record (unfortunately, the contract record of “find” is used, as it has not been cleared) with the defined contract of the “insert” command (which is defined in IDL). That caused the issue.

      Here is the log:

      [js_test:multi_statement_transaction_command_args] uncaught exception: Error: command did not fail with any of the following codes [ 72 ] {
      [js_test:multi_statement_transaction_command_args] 	"ok" : 0,
      [js_test:multi_statement_transaction_command_args] 	"errmsg" : "Authorization Session contains more authorization checks then permitted by contract.",
      [js_test:multi_statement_transaction_command_args] 	"code" : 5452401,
      [js_test:multi_statement_transaction_command_args] 	"codeName" : "Location5452401",
      [js_test:multi_statement_transaction_command_args] 	"$clusterTime" : {
      [js_test:multi_statement_transaction_command_args] 		"clusterTime" : Timestamp(1671644315, 4),
      [js_test:multi_statement_transaction_command_args] 		"signature" : {
      [js_test:multi_statement_transaction_command_args] 			"hash" : BinData(0,"AAAAAAAAAAAAAAAAAAAAAAAAAAA="),
      [js_test:multi_statement_transaction_command_args] 			"keyId" : NumberLong(0)
      [js_test:multi_statement_transaction_command_args] 		}
      [js_test:multi_statement_transaction_command_args] 	},
      [js_test:multi_statement_transaction_command_args] 	"operationTime" : Timestamp(1671644315, 4)
      [js_test:multi_statement_transaction_command_args] } :
      [js_test:multi_statement_transaction_command_args] _getErrorWithCode@src/mongo/shell/utils.js:24:13
      [js_test:multi_statement_transaction_command_args] doassert@src/mongo/shell/assert.js:18:14
      [js_test:multi_statement_transaction_command_args] _assertCommandFailed@src/mongo/shell/assert.js:832:29
      [js_test:multi_statement_transaction_command_args] assert.commandFailedWithCode@src/mongo/shell/assert.js:878:16
      [js_test:multi_statement_transaction_command_args] @jstests/core/txns/multi_statement_transaction_command_args.js:214:8
      [js_test:multi_statement_transaction_command_args] @jstests/core/txns/multi_statement_transaction_command_args.js:322:2
      [js_test:multi_statement_transaction_command_args] failed to load: jstests/core/txns/multi_statement_transaction_command_args.js
      

      The way to reproduce it:
      Execute the jstest with a test suite that enables authentication on the server side. For example: "buildscripts/resmoke.py run --suite native_tenant_data_isolation_with_dollar_tenant_jscore_passthrough jstests/core/txns/multi_statement_transaction_command_args.js".
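The stale-record sequence from the investigation above, as a simplified model added here for illustration; it is not MongoDB source code. `AuthzSessionModel`, `runCommand`, `findThenBadInsert` and the check strings are hypothetical names; only `startContractTracking` is taken from the ticket.

```cpp
#include <set>
#include <string>

// Simplified model, not MongoDB source. Check names are constructed samples.
using Checks = std::set<std::string>;

class AuthzSessionModel {
public:
    // Plays the role of authzSession->startContractTracking(): fresh record.
    void startContractTracking() { _record.clear(); }
    void addCheck(const std::string& c) { _record.insert(c); }
    // True when every recorded check is permitted by the declared contract.
    bool verifyContract(const Checks& contract) const {
        for (const auto& c : _record)
            if (!contract.count(c)) return false;
        return true;
    }
    void clearRecord() { _record.clear(); }
private:
    Checks _record;  // held on the session, so it outlives a single command
};

enum class Outcome { Ok, InvalidOptions, ContractViolation };

// One dispatch. failEarly models an error raised while parsing session info,
// before tracking starts; clearOnCompletion is the behaviour the title asks for.
Outcome runCommand(AuthzSessionModel& s, const Checks& contract,
                   const Checks& performs, bool failEarly, bool clearOnCompletion) {
    Outcome result = Outcome::Ok;
    if (failEarly) {
        result = Outcome::InvalidOptions;  // startContractTracking() never runs
    } else {
        s.startContractTracking();
        for (const auto& c : performs) s.addCheck(c);
    }
    // The service entry verifies the record on the error path as well.
    if (!s.verifyContract(contract)) result = Outcome::ContractViolation;
    if (clearOnCompletion) s.clearRecord();
    return result;
}

// "find" succeeds, then "insert" fails early on the same session.
Outcome findThenBadInsert(bool clearOnCompletion) {
    AuthzSessionModel s;
    runCommand(s, Checks{"action:find"}, Checks{"action:find"}, false, clearOnCompletion);
    return runCommand(s, Checks{"action:insert"}, Checks{"action:insert"}, true, clearOnCompletion);
}

int main() { return findThenBadInsert(true) == Outcome::InvalidOptions ? 0 : 1; }
```

Without clearing, the second command is judged against the record left by "find" and the expected InvalidOptions is replaced by a contract violation; with clearing on completion, InvalidOptions is returned.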

          People

            sara.golemon@mongodb.com Sara Golemon
            sophia.tan@mongodb.com Sophia Tan