[SERVER-72357] Authorization contract record of a command should be cleared once the command is completed
Created: 22/Dec/22  Updated: 30/Jan/24  Resolved: 19/Jan/24

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Sophia Tan
Assignee: Sara Golemon
Resolution: Duplicate
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates SERVER-84263 ServiceEntryPointCommon in test mode ... Closed
Related
related to SERVER-85433 Complete TODO listed in SERVER-72357 Closed
Assigned Teams:
Server Security
Operating System: ALL
Sprint: Security 2023-09-18, Security 2023-10-02, Security 2023-10-16, Security 2024-01-22
Participants:

 Description   

The issue was found when we tested multi_statement_transaction_command_args.js against an auth-enabled replica set. The “native_tenant_data_isolation_with_dollar_tenant_jscore_passthrough” test suite defines such a test environment.

Here is the issue:
In multi_statement_transaction_command_args.js, when executing a transaction operation with "autocommit=true", the test expects an InvalidOptions error caused by "Specifying autocommit=true is not allowed". But if auth is enabled on the mongod server, this jstest fails with an authorization error, "Authorization Session contains more authorization checks then permitted by contract". This is not the designed behavior.

The investigation of the issue:
This jstest case executes a "find" command and then an "insert" command. The "insert" command gets an error ("InvalidOptions", which is expected) when calling the "initializeOperationSessionInfo" function before calling "authzSession->startContractTracking()". Then the service entry point tries to verify the contract by comparing the contract record (unfortunately, the contract record of “find” is used, as it has not been cleared) with the defined contract of the “insert” command (which is defined in IDL). That caused the issue.

Here is the log:

[js_test:multi_statement_transaction_command_args] uncaught exception: Error: command did not fail with any of the following codes [ 72 ] {
[js_test:multi_statement_transaction_command_args] 	"ok" : 0,
[js_test:multi_statement_transaction_command_args] 	"errmsg" : "Authorization Session contains more authorization checks then permitted by contract.",
[js_test:multi_statement_transaction_command_args] 	"code" : 5452401,
[js_test:multi_statement_transaction_command_args] 	"codeName" : "Location5452401",
[js_test:multi_statement_transaction_command_args] 	"$clusterTime" : {
[js_test:multi_statement_transaction_command_args] 		"clusterTime" : Timestamp(1671644315, 4),
[js_test:multi_statement_transaction_command_args] 		"signature" : {
[js_test:multi_statement_transaction_command_args] 			"hash" : BinData(0,"AAAAAAAAAAAAAAAAAAAAAAAAAAA="),
[js_test:multi_statement_transaction_command_args] 			"keyId" : NumberLong(0)
[js_test:multi_statement_transaction_command_args] 		}
[js_test:multi_statement_transaction_command_args] 	},
[js_test:multi_statement_transaction_command_args] 	"operationTime" : Timestamp(1671644315, 4)
[js_test:multi_statement_transaction_command_args] } :
[js_test:multi_statement_transaction_command_args] _getErrorWithCode@src/mongo/shell/utils.js:24:13
[js_test:multi_statement_transaction_command_args] doassert@src/mongo/shell/assert.js:18:14
[js_test:multi_statement_transaction_command_args] _assertCommandFailed@src/mongo/shell/assert.js:832:29
[js_test:multi_statement_transaction_command_args] assert.commandFailedWithCode@src/mongo/shell/assert.js:878:16
[js_test:multi_statement_transaction_command_args] @jstests/core/txns/multi_statement_transaction_command_args.js:214:8
[js_test:multi_statement_transaction_command_args] @jstests/core/txns/multi_statement_transaction_command_args.js:322:2
[js_test:multi_statement_transaction_command_args] failed to load: jstests/core/txns/multi_statement_transaction_command_args.js

The way to reproduce it:
Execute the jstest with a test suite that enables authentication on the server side. For example, "buildscripts/resmoke.py run --suite native_tenant_data_isolation_with_dollar_tenant_jscore_passthrough jstests/core/txns/multi_statement_transaction_command_args.js".
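
The stale-record sequence described in the investigation, reduced to a small C++ model. This is an added example, not the reporter's code and not MongoDB source: `Session`, `Command`, `run` and `scenario` are hypothetical names, and clearing on completion models what the ticket title proposes rather than the fix that actually landed.

```cpp
#include <iostream>
#include <set>
#include <string>
using Checks = std::set<std::string>;

// Hypothetical stand-in for the session's contract record.
struct Session {
    Checks performed;  // checks recorded since tracking last started
    void startTracking() { performed.clear(); }
    void check(const std::string& c) { performed.insert(c); }
    // True when every recorded check is permitted by the declared contract.
    bool withinContract(const Checks& contract) const {
        for (const auto& c : performed)
            if (!contract.count(c)) return false;
        return true;
    }
};

struct Command {
    Checks contract;  // declared contract (defined in IDL in the real server)
    bool failsEarly;  // argument validation fails before tracking starts
};

// Returns the error name the client sees, or "" on success.
std::string run(Session& s, const Command& cmd, bool clearOnCompletion) {
    std::string err;
    if (cmd.failsEarly) {
        err = "InvalidOptions";  // raised before startTracking() is reached
    } else {
        s.startTracking();
        for (const auto& c : cmd.contract) s.check(c);
    }
    // Verification runs on the way out, even after an early error.
    if (!s.withinContract(cmd.contract)) err = "Location5452401";
    if (clearOnCompletion) s.performed.clear();  // what the ticket title asks for
    return err;
}

// "find" succeeds, then "insert" fails validation, as in the jstest.
std::string scenario(bool clearOnCompletion) {
    Session s;
    run(s, Command{{"find"}, false}, clearOnCompletion);
    return run(s, Command{{"insert"}, true}, clearOnCompletion);
}

int main() {
    std::cout << "stale record kept:     " << scenario(false) << "\n";
    std::cout << "cleared on completion: " << scenario(true) << "\n";
}
```

With the record left in place, the expected InvalidOptions error is replaced by the contract error; with the record cleared after each command, the client sees InvalidOptions.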



 Comments   
Comment by Githook User [ 30/Jan/24 ]

Author: Mark Benvenuto (email: mark.benvenuto@mongodb.com, username: markbenvenuto)

Message: SERVER-85433 Complete TODO listed in SERVER-72357

GitOrigin-RevId: 549bbe653c7f4a16b9e4574629c614db56556bd4
Branch: master
https://github.com/mongodb/mongo/commit/e1219cbac29dea618c7f6637f0168fb5a9e10505

Comment by Sara Golemon [ 19/Jan/24 ]

mark.benvenuto@mongodb.com's fix for SERVER-84263 covers the same issue.
