[SERVER-64029] Prohibit impersonating multiple users Created: 28/Feb/22  Updated: 29/Oct/23  Resolved: 09/Jan/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 6.3.0-rc0

Type: Task Priority: Major - P3
Reporter: Sara Golemon Assignee: Shreyas Kalyan
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
Related
related to SERVER-72448 Remove legacy impersonated users Closed
Backwards Compatibility: Fully Compatible
Sprint: Security 2022-03-07, Security 2022-11-14, Security 2022-11-28, Security 2022-12-12, Security 2022-12-26, Security 2023-01-09
Participants:

 Comments   
Comment by Githook User [ 06/Jan/23 ]

Author:

{'name': 'Shreyas Kalyan', 'email': 'shreyas.kalyan@mongodb.com', 'username': 'shreyaskal'}

Message: SERVER-64029 Prohibit impersonating multiple users
Branch: master
https://github.com/mongodb/mongo/commit/0e907cfd675d2ecfd36b12f910aeea5ca30f042d

Comment by Githook User [ 06/Jan/23 ]

Author:

{'name': 'Shreyas Kalyan', 'email': 'shreyas.kalyan@mongodb.com', 'username': 'shreyaskal'}

Message: SERVER-64029 Prohibit impersonating multiple users
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/292bb1cae09c86ec0d15fae50683cb2eada3d37f

Comment by Shreyas Kalyan [ 07/Dec/22 ]

varun.ravichandran@mongodb.com that's a great question, but since the work for this was already mostly underway, and since there is not really anything controversial about this ticket, I think we can just do it as a one off, rather than as part of an epic.

Comment by Spencer Jackson [ 05/Dec/22 ]

shreyas.kalyan@mongodb.com sara.golemon@mongodb.com I think there are two relevant, user facing changes that we might want to consider regarding impersonation.

In the impersonated user metadata, we store the list of users that mongos is impersonating, and we propagate this information to the shard servers for various purposes. This doesn't really need to be a list. Fortunately, we reject any metadata payloads which are given to us but contain more than one user.

The consequences of this are pretty minor, but users show up as array in both slow query logs and

[js_test:mr_and_agg_versioning] c20042| 2022-12-03T06:25:33.315+00:00 I  COMMAND  51803   [conn22] "Slow query","attr":{"type":"command","ns":"admin.$cmd","appName":"MongoDB Shell","command":{"_configsvrAddShard":"mr_and_agg_versioning-rs0/ip-10-122-33-129.ec2.internal:20040","writeConcern":{"w":"majority","wtimeout":60000,"provenance":"implicitDefault"},"lsid":{"id":{"$uuid":"f351f335-6508-41f1-a428-24bbf7c0c58c"},"uid":{"$binary":{"base64":"u4nTF1+wmByGgmwndZCCo3FgRx9gUEtGEkFRhsYwq3A=","subType":"0"}}},"tracking_info":{"operId":{"$oid":"638aebdd3dcc8d9d998b9972"},"operName":"","parentOperId":"638aebdd3dcc8d9d998b9971"},"$replData":1,"$clusterTime":{"clusterTime":{"$timestamp":{"t":1670048732,"i":5}},"signature":{"hash":{"$binary":{"base64":"AAAAAAAAAAAAAAAAAAAAAAAAAAA=","subType":"0"}},"keyId":0}},"$configTime":{"$timestamp":{"t":1670048732,"i":5}},"$topologyTime":{"$timestamp":{"t":0,"i":1}},"$audit":{"$impersonatedUsers":[{"user":"__system","db":"local"}],"$impersonatedRoles":[]},"$client":{"application":{"name":"MongoDB Shell"},"driver":{"name":"MongoDB Internal Client","version":"6.3.0-alpha-343-ge717ef6"},"os":{"type":"Linux","name":"Amazon Linux release 2 (Karoo)","architecture":"aarch64","version":"Kernel 4.14.209-160.339.amzn2.aarch64"},"mongos":{"host":"ip-10-122-33-129.ec2.internal:20045","client":"127.0.0.1:38180","version":"6.3.0-alpha-343-ge717ef6"}},"mayBypassWriteBlocking":true,"$db":"admin"},"numYields":0,"reslen":496,"admissionPriority":"normal","locks":{"ParallelBatchWriterMode":{"acquireCount":{"r":3}},"FeatureCompatibilityVersion":{"acquireCount":{"r":4,"w":3}},"ReplicationStateTransition":{"acquireCount":{"w":3}},"Global":{"acquireCount":{"r":4,"w":3}},"Database":{"acquireCount":{"w":3}},"Collection":{"acquireCount":{"w":3}},"Metadata":{"acquireCount":{"W":1}},"Mutex":{"acquireCount":{"r":15,"W":1}}},"flowControl":{"acquireCount":3,"timeAcquiringMicros":4},"writeConcern":{"w":"majority","wtimeout":60000,"provenance":"implicitDefault"},"storage":{},"remote":"10.122.33.129:53878","protocol":"op_msg","durationMillis":226,"planningTimeMicros":0}

and in audit logs

[js_test:monotonicity_hashed_sharding_compound] c20045| { "atype" : "createDatabase", "ts" : { "$date" : "2022-12-03T06:19:53.129+00:00" }, "uuid" : { "$binary" : "4ZaWz/0aRTSP6fW8YEPeQw==", "$type" : "04" }, "local" : { "isSystemUser" : true }, "remote" : { "isSystemUser" : true }, "users" : [], "roles" : [], "param" : { "ns" : "local" }, "result" : 0 }

Between these, the audit logs are probably the most impactful, and easiest to change.

 

Comment by Sara Golemon [ 10/Mar/22 ]

Deferring till post 6.0 to accommodate mixed version clusters.

Generated at Thu Feb 08 05:59:19 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.