[SERVER-39232] Allow commands that do not require auth to refresh sessions Created: 28/Jan/19 Updated: 29/Oct/23 Resolved: 31/Jan/19 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 4.0.7, 4.1.8 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Randolph Tan | Assignee: | Randolph Tan |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Backwards Compatibility: | Fully Compatible | ||||||||||||||||
| Backport Requested: | v4.0, v3.6 |
| Sprint: | Sharding 2019-02-11 | ||||||||||||||||
| Participants: | |||||||||||||||||
| Description |
|
as long as it is running under an authenticated connection |
| Comments |
| Comment by Ravind Kumar (Inactive) [ 04/Feb/20 ] |
|
renctan just to confirm - pretty much any dbcommand run within a session will refresh the session? For the fixed versions. I think I counted ~10 user-facing dbcommands that don't require auth, so if I don't have to worry about that anymore it would make fixing up |
| Comment by Githook User [ 21/Feb/19 ] |
|
Author: {'name': 'Randolph Tan', 'email': 'randolph@10gen.com', 'username': 'renctan'} Message: (cherry picked from commit 8d23154ed3e086213c5bd59b3e2fcba96a3cca41) |
| Comment by Githook User [ 31/Jan/19 ] |
|
Author: {'name': 'Randolph Tan', 'email': 'randolph@10gen.com', 'username': 'renctan'} Message: |
| Comment by Robert Stam [ 29/Jan/19 ] |
|
shane.harvey Sounds right. |
| Comment by Shane Harvey [ 29/Jan/19 ] |
|
In order to use sessions at all, drivers require that only a single user is authenticated:
So I don't expect this to break any drivers or applications. rstam do you agree? |
| Comment by Alyson Cabral (Inactive) [ 29/Jan/19 ] |
|
Who is that in danger of breaking? None of the drivers rely on that behavior, right? Does the shell? cc: shane.harvey |
| Comment by Randolph Tan [ 29/Jan/19 ] |
|
alyson.cabral FYI: there is a potential consequence for the backport. The server currently silently allows multiple users to be logged in with lsid in the request as long as the request does not require auth. This is not supposed to be allowed according to driver specs, and even some of our current tests violate this. With this change, it will break that behavior since it will need to enforce this spec since it has to be able to select a single user to generate the uid portion of the session id. |
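A simplified model of the behaviour change described in the comment above, added here as an illustration; it is not MongoDB server code and is not part of the original ticket. The function names, the `enforce` switch, the error class and the choice of SHA-256 over `user@db` for the uid are assumptions of this sketch.

```python
import hashlib
import uuid
from dataclasses import dataclass


class SessionUserError(Exception):
    """Hypothetical error: no single user can own the session."""


@dataclass(frozen=True)
class SessionKey:
    id: uuid.UUID  # client-supplied lsid
    uid: str       # owner part; assumed here to be SHA-256 of "user@db"


def owner_digest(users):
    # The uid portion needs exactly one authenticated user to derive from.
    if len(users) != 1:
        raise SessionUserError(f"{len(users)} users authenticated, need exactly 1")
    (user,) = users
    return hashlib.sha256(user.encode()).hexdigest()


def handle(requires_auth, lsid, users, sessions, now, enforce):
    """Return the SessionKey this request refreshed, or None if none was.

    enforce=False models the behaviour before the change: a command that
    does not require auth skips session handling, so nothing is refreshed
    and a connection with several users logged in passes unnoticed.
    enforce=True models the change: such a command refreshes the session
    when the connection is authenticated, which forces the one-user check.
    """
    if lsid is None:
        return None
    if not requires_auth and (not enforce or not users):
        return None
    key = SessionKey(lsid, owner_digest(users))
    sessions[key] = now  # refresh last-use time
    return key


if __name__ == "__main__":
    # Constructed sample data: one lsid, a no-auth command, two connections.
    table, lsid = {}, uuid.uuid4()
    for users in (["alice@admin"], ["alice@admin", "bob@test"]):
        for enforce in (False, True):
            try:
                out = handle(False, lsid, users, table, 100, enforce)
                result = "refreshed" if out else "not refreshed"
            except SessionUserError as exc:
                result = f"rejected ({exc})"
            print(f"users={users} enforce={enforce}: {result}")
```

The last case printed is the one the comment warns about: a request that previously passed silently is rejected once the server has to pick one owner for the session.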
| Comment by Alyson Cabral (Inactive) [ 29/Jan/19 ] |
|
Yes, renctan let me know how much additional work the backports will be. |
| Comment by Rathi Gnanasekaran [ 29/Jan/19 ] |
|
alyson.cabral should this be backported to 3.6+? |