[SERVER-31116] Initial createUser command with lsid prohibited

Created: 16/Sep/17
Updated: 30/Oct/23
Resolved: 27/Sep/17

Status: Closed
Project: Core Server
Component/s: Internal Code
Affects Version/s: None
Fix Version/s: 3.6.0-rc0

Type: Bug
Priority: Major - P3
Reporter: A. Jesse Jiryu Davis
Assignee: Mira Carey
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to PYTHON-1332 Implement Drivers Sessions API Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: Platforms 2017-10-02

 Description   

Resolution: When the localhost bypass is in effect, the server ignores "lsid" in all commands and neither requires auth nor creates a session.


Original report:

Question for samantha.ritter or jason.carey.

Current Drivers Session Spec says all commands include "lsid" if the server supports sessions, with the exceptions of auth commands and ismaster. So "createUser" should include "lsid".

However, if the server is started with auth and it has no users, a driver might want to connect without authenticating and issue "createUser". For example, PyMongo's tests detect if the server has started with auth and has no user.

If the initial "createUser" command is issued with "lsid", the server responds with error code 13, "there are no users authenticated".

What should we do?

  • createUser with "lsid" is permitted if there are no users created yet, but the server ignores "lsid" (creates no server session)
  • The Drivers Session Spec says that createUser omits "lsid" iff the application doesn't explicitly pass a ClientSession object and the connection isn't authenticated

cc rstam.

Also I'm curious what emily.stolfo has done to test the Ruby driver. Did you need to work around this?



 Comments   
Comment by Githook User [ 27/Sep/17 ]

Author: Jason Carey (hanumantmk) <jcarey@argv.me>

Message: SERVER-31116 localhost bypass for sessions

Change the behavior of logical session use so that passing a lsid when
the localhost bypass is enabled causes the session id to be ignored.
This eases the burden on drivers from having to identify that initial
createUser command and avoid passing a lsid.
Branch: master
https://github.com/mongodb/mongo/commit/a1a12aa3422fa0ff7c169c2d58a879e5a402fac9
