-
Type:
Bug
-
Resolution: Duplicate
-
Priority:
Major - P3
-
None
-
Affects Version/s: None
-
Component/s: None
-
Labels:None
-
Server Security
-
ALL
-
Security 2023-09-18, Security 2023-10-02, Security 2023-10-16, Security 2024-01-22
The issue is found when we test multi_statement_transaction_command_args.js against an auth enabled replica set. The “native_tenant_data_isolation_with_dollar_tenant_jscore_passthrough” test suite defines such a test environment.
Here is the issue:
In multi_statement_transaction_command_args.js, when executing a transaction operation with "autocommit=true", it expects an InvalidOptions error caused by "Specifying autocommit=true is not allowed". But, if auth is enabled on mongod server, this jstest will get failure on an authorization error "Authorization Session contains more authorization checks then permitted by contract". It’s not a designed behavior.
The investigation of the issue:
This jstest case executes a "find" command and then a "insert" command. The "insert" command gets an error ( "InvalidOptions" which is expected) when calling the "initializeOperationSessionInfo" function before calling "authzSession->startContractTracking() ". Then, the service entry tries to verify the contract by comparing the contract record (unfortunately, the contract record of “find” is used as it has not been cleared) and the defined contract of “insert” command (which is defined in IDL). That caused the issue.
Here is the log
[js_test:multi_statement_transaction_command_args] uncaught exception: Error: command did not fail with any of the following codes [ 72 ] {
[js_test:multi_statement_transaction_command_args] "ok" : 0,
[js_test:multi_statement_transaction_command_args] "errmsg" : "Authorization Session contains more authorization checks then permitted by contract.",
[js_test:multi_statement_transaction_command_args] "code" : 5452401,
[js_test:multi_statement_transaction_command_args] "codeName" : "Location5452401",
[js_test:multi_statement_transaction_command_args] "$clusterTime" : {
[js_test:multi_statement_transaction_command_args] "clusterTime" : Timestamp(1671644315, 4),
[js_test:multi_statement_transaction_command_args] "signature" : {
[js_test:multi_statement_transaction_command_args] "hash" : BinData(0,"AAAAAAAAAAAAAAAAAAAAAAAAAAA="),
[js_test:multi_statement_transaction_command_args] "keyId" : NumberLong(0)
[js_test:multi_statement_transaction_command_args] }
[js_test:multi_statement_transaction_command_args] },
[js_test:multi_statement_transaction_command_args] "operationTime" : Timestamp(1671644315, 4)
[js_test:multi_statement_transaction_command_args] } :
[js_test:multi_statement_transaction_command_args] _getErrorWithCode@src/mongo/shell/utils.js:24:13
[js_test:multi_statement_transaction_command_args] doassert@src/mongo/shell/assert.js:18:14
[js_test:multi_statement_transaction_command_args] _assertCommandFailed@src/mongo/shell/assert.js:832:29
[js_test:multi_statement_transaction_command_args] assert.commandFailedWithCode@src/mongo/shell/assert.js:878:16
[js_test:multi_statement_transaction_command_args] @jstests/core/txns/multi_statement_transaction_command_args.js:214:8
[js_test:multi_statement_transaction_command_args] @jstests/core/txns/multi_statement_transaction_command_args.js:322:2
[js_test:multi_statement_transaction_command_args] failed to load: jstests/core/txns/multi_statement_transaction_command_args.js
The way to reproduce it :
Execute the jstest with a test suite which enable the authentication on server side. For example "buildscripts/resmoke.py run --suite native_tenant_data_isolation_with_dollar_tenant_jscore_passthrough jstests/core/txns/multi_statement_transaction_command_args.js".
- duplicates
-
SERVER-84263 ServiceEntryPointCommon in test mode may try to verify contract for a command before clearing access and privilege checks from the previous command in the same auth session
-
- Closed
-
- related to
-
-
- Closed
-