[SERVER-36463] Bypass validation of a dummy signatures for isMaster on the unauthenticated connections Created: 06/Aug/18 Updated: 29/Oct/23 Resolved: 13/Aug/18 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Sharding |
| Affects Version/s: | None |
| Fix Version/s: | 3.6.7, 4.0.2, 4.1.2 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Misha Tyulenev | Assignee: | Misha Tyulenev |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||
| Backwards Compatibility: | Fully Compatible | ||||||||
| Backport Requested: |
v4.0, v3.6
|
||||||||
| Sprint: | Sharding 2018-08-13, Sharding 2018-08-27 | ||||||||
| Participants: | |||||||||
| Case: | (copied to CRM) | ||||||||
| Description |
|
The isMaster command is a part of an authentication handshake protocol. Hence if the driver used the __system user then it will fail on isMaster when trying to auth a connection, as __system gets a dummy signature by design.
Suggested Implementation
1. Factor out https://github.com/mongodb/mongo/blob/r4.1.1/src/mongo/db/initialize_operation_session_info.cpp#L52-L61 into a separate function hasAuthUsers
3. pass needsSessionAndClusterTimeInit into readRequestMetadata and validate clusterTime if the condition is met |
| Comments |
| Comment by Githook User [ 14/Aug/18 ] | |
|
Author: {'username': 'mikety', 'email': 'misha@mongodb.com', 'name': 'Misha Tyulenev'} Message: (cherry picked from commit c764ee142f633b3a88954f336b11633e1baeffdc) | |
| Comment by Githook User [ 14/Aug/18 ] | |
|
Author: {'username': 'mikety', 'email': 'misha@mongodb.com', 'name': 'Misha Tyulenev'} Message: | |
| Comment by Githook User [ 13/Aug/18 ] | |
|
Author: {'name': 'Misha Tyulenev', 'email': 'misha@mongodb.com', 'username': 'mikety'} Message: | |
| Comment by Spencer Jackson [ 06/Aug/18 ] | |
|
OK. To figure out whether the client has authenticated users, you should obtain an AuthorizationSession off the OperationContext, then call something like:
This will return true if one or more users are authenticated on the client.
You will likely need to move logical time validation after command parsing, when you will learn the name of the command you're running. You will then need to figure out if the command is intended to be used pre-auth. You'll want to ignore the signature on isMaster, saslStart, saslContinue, authenticate, and listCommands. Rather than perform a table lookup, you'll probably want to call the requiresAuth() method exposed on the Command base class. On master and 4.0, this will return false if the command is expected to be used pre-auth. It means this on 3.6 too, but was only checked during logical session ID parsing, and so it wasn't as comprehensively tested, so you may want to double check the command definitions.
Also, be advised that an unauthenticated user may run authorized commands if the client is using the Localhost Auth Bypass. A client exists in this state when it is connected to localhost, the server has authentication enabled, and no users have been created in the server. |
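A small C++ model of the decision described in the comment above, added here as an illustration and not taken from the MongoDB code base: signature validation is skipped only when the command does not require auth and the connection has no authenticated users. Every type and function name, the toy verifier, the keyId 0 dummy signature, and the choice to leave the clock untouched when validation is skipped are assumptions of this model.

```cpp
#include <cstdint>
#include <map>
#include <string>

// Model only: these types and names are hypothetical, not MongoDB source.
struct SignedTime {
    uint64_t clusterTime;
    int64_t keyId;   // assumption: the dummy signature is modelled as keyId 0
    uint64_t hash;   // stand-in for the signature bytes
};

enum class Outcome { Advanced, SkippedUnverified, Rejected };

// Stand-in for Command::requiresAuth(): false marks a command usable pre-auth.
bool requiresAuth(const std::string& cmd) {
    static const std::map<std::string, bool> table = {
        {"isMaster", false}, {"saslStart", false}, {"saslContinue", false},
        {"authenticate", false}, {"listCommands", false}, {"find", true}};
    auto it = table.find(cmd);
    return it == table.end() ? true : it->second;  // unknown command: fail closed
}

// Toy verifier with a constructed rule; a real one checks a keyed MAC.
bool signatureValid(const SignedTime& t) {
    return t.keyId == 7 && t.hash == (t.clusterTime ^ 0x5EEDULL);
}

// Runs after command parsing, because the decision needs the command name.
Outcome processClusterTime(const std::string& cmd, bool hasAuthUsers,
                           const SignedTime& t, uint64_t& clusterClock) {
    // Skip only when BOTH hold: pre-auth command and no authenticated user.
    if (!requiresAuth(cmd) && !hasAuthUsers)
        return Outcome::SkippedUnverified;  // unverified time never moves the clock
    // Everything else is validated, including a Localhost Auth Bypass client
    // (no users, auth-required command); that choice is this model's assumption.
    if (!signatureValid(t))
        return Outcome::Rejected;
    if (t.clusterTime > clusterClock)
        clusterClock = t.clusterTime;
    return Outcome::Advanced;
}

int main() {
    uint64_t clusterClock = 100;
    SignedTime dummy{500, 0, 0};  // constructed sample input
    return processClusterTime("isMaster", false, dummy, clusterClock) ==
                   Outcome::SkippedUnverified ? 0 : 1;
}
```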