[SERVER-78466] SessionsCollectionRS::_makePrimaryConnection() can reauthenticate as __system Created: 26/Jun/23 Updated: 12/Dec/23 |
|
| Status: | Backlog |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Varun Ravichandran | Assignee: | Backlog - Cluster Scalability |
| Resolution: | Unresolved | Votes: | 3 |
| Labels: | sharding-nyc-subteam3 | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||
| Assigned Teams: |
Cluster Scalability
|
||||||||||||
| Sprint: | Security 2023-07-24, Security 2023-08-07 | ||||||||||||
| Participants: | |||||||||||||
| Story Points: | 2 | ||||||||||||
| Description |
|
The SessionsCollectionRS class is responsible for accessing the config.sessions collection on replica sets. The _makePrimaryConnection() method is used to retrieve a connection to the primary node before performing some kind of operation on the sessions collection. Today, the implementation of this method retrieves a ScopedDbCollection, which comes from the internal connection pool, and then authenticates as the __system user on the connection before performing the requisite operation. After the operation is completed, the connection is returned to the pool. As a result, it is possible that the connection from the pool has already been authenticated as _system. Ever since |
| Comments |
| Comment by Dennis Carvalho [ 07/Nov/23 ] |
|
Hope the issue is resolved soon. Apart from simply getting those bulk of irritating messages every few minutes, they could actually hamper while troubleshooting a real issue and also add to the volume of log. |
| Comment by Vinicius Grippa [ 06/Nov/23 ] |
|
It also affects 6.0.11. |
| Comment by Varun Ravichandran [ 24/Jul/23 ] |
|
After conversation with randolph@mongodb.com offline, reassigning to Sharding NYC as they own the config.sessions machinery. |
| Comment by Adam Rayner [ 13/Jul/23 ] |
|
Thanks jason.chan@mongodb.com , assigning to varun.ravichandran@mongodb.com for further investigation, will keep you posted. |
| Comment by Jason Chan [ 12/Jul/23 ] |
|
From talking to varun.ravichandran@mongodb.com
Going by the last sentence above, it sounds like the fix here might be more related to semantics around authentication rather than code in the ConnectionPool itself. I wonder if Security would be better equipped to know how to prioritize and implement this fix? cc: adam.rayner@mongodb.combrad.moore@mongodb.com |