[SERVER-39232] Allow commands that do not require auth to refresh sessions
Created: 28/Jan/19  Updated: 29/Oct/23  Resolved: 31/Jan/19

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 4.0.7, 4.1.8

Type: Task
Priority: Major - P3
Reporter: Randolph Tan
Assignee: Randolph Tan
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Related
related to SERVER-38432 A session can expire on the server ev... Closed
Backwards Compatibility: Fully Compatible
Backport Requested: v4.0, v3.6
Sprint: Sharding 2019-02-11
Participants:

 Description   

as long as it is running under an authenticated connection



 Comments   
Comment by Ravind Kumar (Inactive) [ 04/Feb/20 ]

renctan just to confirm - pretty much any dbcommand run within a session will refresh the session? For the fixed versions. I think I counted ~10 user-facing dbcommands that don't require auth, so if I don't have to worry about that anymore it would make fixing up DOCS-11255 a touch easier.

Comment by Githook User [ 21/Feb/19 ]

Author:

{'name': 'Randolph Tan', 'email': 'randolph@10gen.com', 'username': 'renctan'}

Message: SERVER-39232 Allow commands that do not require auth to refresh sessions

(cherry picked from commit 8d23154ed3e086213c5bd59b3e2fcba96a3cca41)
Branch: v4.0
https://github.com/mongodb/mongo/commit/47fdb3cc40fe966c1a7f52ab883095cacf3a4fb6

Comment by Githook User [ 31/Jan/19 ]

Author:

{'name': 'Randolph Tan', 'email': 'randolph@10gen.com', 'username': 'renctan'}

Message: SERVER-39232 Allow commands that do not require auth to refresh sessions
Branch: master
https://github.com/mongodb/mongo/commit/8d23154ed3e086213c5bd59b3e2fcba96a3cca41

Comment by Robert Stam [ 29/Jan/19 ]

shane.harvey Sounds right.

Comment by Shane Harvey [ 29/Jan/19 ]

In order to use sessions at all, drivers require that only a single user is authenticated:

When using authentication, using a session requires that only a single user be authenticated. Drivers that still support authenticating multiple users at once MAY continue to do so, but MUST NOT allow sessions to be used under such circumstances.

So I don't expect this to break any drivers or applications. rstam do you agree?

Comment by Alyson Cabral (Inactive) [ 29/Jan/19 ]

Who is that in danger of breaking? None of the drivers rely on that behavior, right? Does the shell?

cc: shane.harvey

Comment by Randolph Tan [ 29/Jan/19 ]

alyson.cabral FYI: there is a potential consequence for the backport. The server currently silently allows multiple users to be logged in with lsid in the request as long as the request does not require auth. This is not supposed to be allowed according to driver specs, and even some of our current tests violate this. With this change, it will break that behavior since it will need to enforce this spec since it has to be able to select a single user to generate the uid portion of the session id.
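
A simplified model of the behaviour change described in the comment above, added here as an illustration and not taken from the ticket or from the MongoDB server code. The class and function names, the `fixed` flag, the sample users and the use of SHA-256 over `user@db` for the uid are assumptions of this sketch.

```python
import hashlib
import uuid

SAMPLE_LSID = uuid.UUID(int=1)                      # constructed session id
ALICE, BOB = ("alice", "admin"), ("bob", "admin")   # constructed (user, db) pairs

class SingleUserRequired(Exception):
    """An lsid was sent, but the connection does not have exactly one user."""

def user_digest(user, db):
    # Assumption of this sketch: the uid is a SHA-256 digest over "user@db".
    return hashlib.sha256(f"{user}@{db}".encode()).digest()

def session_key(lsid_id, users):
    """Return (id, uid); a uid can only be derived from exactly one user."""
    if len(users) != 1:
        raise SingleUserRequired(f"{len(users)} users authenticated")
    return (lsid_id, user_digest(*users[0]))

class SessionCache:
    def __init__(self):
        self.last_use = {}  # (id, uid) -> time of last refresh

    def handle(self, lsid_id, users, requires_auth, now, fixed):
        """Process one request carrying an lsid; return the refreshed key or None."""
        if not users:
            return None  # unauthenticated connection: outside the ticket's scope
        if not requires_auth and not fixed:
            # Before the change: the lsid is not used for such commands, so the
            # session is not refreshed and extra logged-in users go unnoticed.
            return None
        # After the change (and for commands that require auth): one user must
        # be selected for the uid, so a multi-user connection is rejected.
        key = session_key(lsid_id, users)
        self.last_use[key] = now
        return key

if __name__ == "__main__":
    cache = SessionCache()
    print(cache.handle(SAMPLE_LSID, [ALICE, BOB], False, now=1, fixed=False))
    print(cache.handle(SAMPLE_LSID, [ALICE], False, now=2, fixed=True))
    try:
        cache.handle(SAMPLE_LSID, [ALICE, BOB], False, now=3, fixed=True)
    except SingleUserRequired as exc:
        print("rejected:", exc)
```
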

Comment by Alyson Cabral (Inactive) [ 29/Jan/19 ]

Yes, renctan let me know how much additional work the backports will be. 

Comment by Rathi Gnanasekaran [ 29/Jan/19 ]

alyson.cabral should this be backported to 3.6+? 
