[SERVER-78466] SessionsCollectionRS::_makePrimaryConnection() can reauthenticate as __system Created: 26/Jun/23  Updated: 12/Dec/23

Status: Backlog
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Major - P3
Reporter: Varun Ravichandran Assignee: Backlog - Cluster Scalability
Resolution: Unresolved Votes: 3
Labels: sharding-nyc-subteam3
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-74688 Error after upgrade to MongoDB v5.0.14 Closed
is related to SERVER-74688 Error after upgrade to MongoDB v5.0.14 Closed
Assigned Teams:
Cluster Scalability
Sprint: Security 2023-07-24, Security 2023-08-07
Participants:
Story Points: 2

 Description   

The SessionsCollectionRS class is responsible for accessing the config.sessions collection on replica sets. The _makePrimaryConnection() method is used to retrieve a connection to the primary node before performing some kind of operation on the sessions collection. 

Today, the implementation of this method retrieves a ScopedDbCollection, which comes from the internal connection pool, and then authenticates as the __system user on the connection before performing the requisite operation. After the operation is completed, the connection is returned to the pool.

As a result, it is possible that the connection from the pool has already been authenticated as _system. Ever since SERVER-56267, the auth subsystem now logs a warning whenever a client reauthenticates as the same user already authenticated on the connection. This can result in unnecessary log spam, so this method should strive to only authenticate as _system once.



 Comments   
Comment by Dennis Carvalho [ 07/Nov/23 ]

Hope the issue is resolved soon. Apart from simply getting those bulk of irritating messages every few minutes, they could actually hamper while troubleshooting a real issue and also add to the volume of log.

Comment by Vinicius Grippa [ 06/Nov/23 ]

It also affects 6.0.11.

Comment by Varun Ravichandran [ 24/Jul/23 ]

After conversation with randolph@mongodb.com offline, reassigning to Sharding NYC as they own the config.sessions machinery.

Comment by Adam Rayner [ 13/Jul/23 ]

Thanks jason.chan@mongodb.com , assigning to varun.ravichandran@mongodb.com for further investigation, will keep you posted.

Comment by Jason Chan [ 12/Jul/23 ]

From talking to varun.ravichandran@mongodb.com

So the problem is that the SessionsCollectionRS class grabs a ScopedDbConnection (which I believe comes from the connection pool) and attempts to connect to the config server primary. It then explicitly authenticates as the internal __system user. If the ScopedDbConnection had already been authenticated as __system, the explicit authentication succeeds but emits a warning log about reauthentication. Ideally, we want each connection to only authenticate once, so here, we would want a way to check whether the ScopedDbConnection was already authenticated or not before authenticating as __system.

Going by the last sentence above, it sounds like the fix here might be more related to semantics around authentication rather than code in the ConnectionPool itself. I wonder if Security would be better equipped to know how to prioritize and implement this fix? cc: adam.rayner@mongodb.combrad.moore@mongodb.com

Generated at Thu Feb 08 06:38:26 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.