[SERVER-36463] Bypass validation of dummy signatures for isMaster on the unauthenticated connections Created: 06/Aug/18  Updated: 29/Oct/23  Resolved: 13/Aug/18

Status: Closed
Project: Core Server
Component/s: Sharding
Affects Version/s: None
Fix Version/s: 3.6.7, 4.0.2, 4.1.2

Type: Improvement Priority: Major - P3
Reporter: Misha Tyulenev Assignee: Misha Tyulenev
Resolution: Fixed Votes: 0
Labels: None

Backwards Compatibility: Fully Compatible
Backport Requested:
v4.0, v3.6
Sprint: Sharding 2018-08-13, Sharding 2018-08-27

 Description   

The isMaster command is part of the authentication handshake protocol. Hence, if the driver used the __system user, it will fail on isMaster when trying to authenticate a connection, because __system gets a dummy signature by design.
Bypassing the dummy signature on isMaster on an unauthenticated connection will allow authentication to complete without an exception.

Suggested Implementation

1. Factor out https://github.com/mongodb/mongo/blob/r4.1.1/src/mongo/db/initialize_operation_session_info.cpp#L52-L61 into a separate function hasAuthUsers
2. Add

bool needsSessionAndClusterTimeInit = requiresAuth() || hasAuthUsers(); // e.g. for the isMaster on the non-authenticated session will return true.

3. Pass needsSessionAndClusterTimeInit into readRequestMetadata and validate clusterTime if the condition is met



 Comments   
Comment by Githook User [ 14/Aug/18 ]

Author:

{'username': 'mikety', 'email': 'misha@mongodb.com', 'name': 'Misha Tyulenev'}

Message: SERVER-36463 bypass validation of dummy signatures for isMaster on the unauthenticated connections

(cherry picked from commit c764ee142f633b3a88954f336b11633e1baeffdc)
Branch: v3.6
https://github.com/mongodb/mongo/commit/56cd2418be38c4aeacdb26f95c48ecae7c4189fd

Comment by Githook User [ 14/Aug/18 ]

Author:

{'username': 'mikety', 'email': 'misha@mongodb.com', 'name': 'Misha Tyulenev'}

Message: SERVER-36463 bypass validation of dummy signatures for isMaster on the unauthenticated connections
Branch: v4.0
https://github.com/mongodb/mongo/commit/6b58d6381785ab22d73affef5067a546f7c5c8ed

Comment by Githook User [ 13/Aug/18 ]

Author:

{'name': 'Misha Tyulenev', 'email': 'misha@mongodb.com', 'username': 'mikety'}

Message: SERVER-36463 bypass validation of dummy signatures for isMaster on the unauthenticated connections
Branch: master
https://github.com/mongodb/mongo/commit/c764ee142f633b3a88954f336b11633e1baeffdc

Comment by Spencer Jackson [ 06/Aug/18 ]

OK. To figure out whether the client has authenticated users, you should obtain an AuthorizationSession off the OperationContext, then call something like:

 authorizationSession.getAuthenticatedUserNames().more()

This will return true if one or more users are authenticated on the client.

You will likely need to move logical time validation after command parsing, when you will learn the name of the command you're running. You will then need to figure out if the command is intended to be used pre-auth. You'll want to ignore the signature on isMaster, saslStart, saslContinue, authenticate, and listCommands. Rather than perform a table lookup, you'll probably want to call the requiresAuth() method exposed on the Command base class. On master and 4.0, this will return false if the command is expected to be used pre-auth. It means this on 3.6 too, but was only checked during logical session ID parsing, and so it wasn't as comprehensively tested, so you may want to double check the command definitions.

Also, be advised that an unauthenticated user may run authorized commands if the client is using the Localhost Auth Bypass. A client exists in this state when it is connected to localhost, the server has authentication enabled, and no users have been created in the server.
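
The gating rule from the description and the comment above, as an added sketch that is not MongoDB's code. Command, Session, ClusterTime and checkClusterTime are hypothetical stand-ins, the table inside requiresAuth() only models the real method, and signatureVerifies stands for the result of the server's own signature check.

```cpp
#include <set>
#include <string>

// Hypothetical stand-ins for the server types named in the ticket; not MongoDB code.
struct Command {
    std::string name;
    // Same meaning as the ticket's requiresAuth(): false for commands used pre-auth.
    bool requiresAuth() const {
        static const std::set<std::string> preAuth = {
            "isMaster", "saslStart", "saslContinue", "authenticate", "listCommands"};
        return preAuth.count(name) == 0;
    }
};

struct Session {
    int authenticatedUsers;  // constructed field: users authenticated on this client
    bool hasAuthUsers() const { return authenticatedUsers > 0; }
};

struct ClusterTime {
    bool present;            // request metadata carried a clusterTime
    bool signatureVerifies;  // assumption: outcome of the signature check, set by the caller
};

enum class Outcome { Skipped, Accepted, Rejected };

// Runs after command parsing, because the decision needs the parsed command.
Outcome checkClusterTime(const Command& cmd, const Session& session, const ClusterTime& ct) {
    const bool needsSessionAndClusterTimeInit = cmd.requiresAuth() || session.hasAuthUsers();
    if (!ct.present || !needsSessionAndClusterTimeInit)
        return Outcome::Skipped;  // handshake command on an unauthenticated connection
    return ct.signatureVerifies ? Outcome::Accepted : Outcome::Rejected;
}

int main() {
    const ClusterTime dummySigned{true, false};  // constructed: signature does not verify
    const Session unauthenticated{0};
    const Session authenticated{1};
    // Only the pre-auth command on the unauthenticated session escapes validation.
    const bool ok =
        checkClusterTime(Command{"isMaster"}, unauthenticated, dummySigned) == Outcome::Skipped &&
        checkClusterTime(Command{"find"}, unauthenticated, dummySigned) == Outcome::Rejected &&
        checkClusterTime(Command{"isMaster"}, authenticated, dummySigned) == Outcome::Rejected;
    return ok ? 0 : 1;
}
```

The second case in main() covers the Localhost Auth Bypass caveat: a command that requires auth is still validated even when no user has authenticated.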
