<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Wed Feb 07 21:18:52 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[CDRIVER-3728] GSSAPI auth commands must not use implicit sessions</title>
                <link>https://jira.mongodb.org/browse/CDRIVER-3728</link>
                <project id="10030" key="CDRIVER">C Driver</project>
                    <description>&lt;p&gt;Authentication commands must not append a session ID per the &lt;a href=&quot;https://github.com/mongodb/specifications/blob/master/source/sessions/driver-sessions.rst#when-opening-and-authenticating-a-connection&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;driver session spec&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-2449&quot; title=&quot;Session ID is included in authenticate command&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-2449&quot;&gt;&lt;del&gt;CDRIVER-2449&lt;/del&gt;&lt;/a&gt; discovered that most auth commands were including the session ID unintentionally. The resolution was to set &lt;tt&gt;prohibit_lsid=true&lt;/tt&gt; in the &lt;tt&gt;mongoc_cmd_parts_t&lt;/tt&gt; used to construct the command. For example, in &lt;tt&gt;_mongoc_cluster_auth_node_cr&lt;/tt&gt;:&lt;/p&gt;

&lt;p/&gt;
&lt;div id=&quot;syntaxplugin&quot; class=&quot;syntaxplugin&quot; style=&quot;border: 1px dashed #bbb; border-radius: 5px !important; overflow: auto; max-height: 30em;&quot;&gt;
&lt;table cellspacing=&quot;0&quot; cellpadding=&quot;0&quot; border=&quot;0&quot; width=&quot;100%&quot; style=&quot;font-size: 1em; line-height: 1.4em !important; font-weight: normal; font-style: normal; color: black;&quot;&gt;
		&lt;tbody &gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;  margin-top: 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;   mongoc_cmd_parts_init (&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;      &amp;amp;parts, cluster-&amp;gt;client, auth_source, MONGOC_QUERY_SLAVE_OK, &amp;amp;command);&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   margin-bottom: 10px;  width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;   parts.prohibit_lsid = true;&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
			&lt;/tbody&gt;
&lt;/table&gt;
&lt;/div&gt;
&lt;p/&gt;

&lt;p&gt;However, &lt;tt&gt;_mongoc_cluster_auth_node_cyrus&lt;/tt&gt; and &lt;tt&gt;_mongoc_cluster_auth_node_sspi&lt;/tt&gt; do not set &lt;tt&gt;prohibit_lsid&lt;/tt&gt;. I believe they may still be appending a session ID unintentionally.&lt;/p&gt;</description>
                <environment></environment>
        <key id="1393162">CDRIVER-3728</key>
            <summary>GSSAPI auth commands must not use implicit sessions</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13201">Fixed</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="kevin.albertson@mongodb.com">Kevin Albertson</reporter>
                        <labels>
                            <label>new-eng</label>
                    </labels>
                <created>Fri, 26 Jun 2020 16:25:12 +0000</created>
                <updated>Sat, 28 Oct 2023 11:28:42 +0000</updated>
                            <resolved>Wed, 5 Aug 2020 22:01:50 +0000</resolved>
                                                    <fixVersion>1.18.0</fixVersion>
                    <fixVersion>1.17.3</fixVersion>
                    <fixVersion>1.18.0-alpha</fixVersion>
                                                        <votes>0</votes>
                                    <watches>2</watches>
                                                                                                                <comments>
                            <comment id="3324073" author="JIRAUSER1254435" created="Thu, 6 Aug 2020 07:57:59 +0000"  >&lt;p&gt;Alright thank you I&apos;ll know for the next time&lt;/p&gt;</comment>
                            <comment id="3323736" author="kevin.albertson" created="Wed, 5 Aug 2020 22:01:28 +0000"  >&lt;p&gt;Thank you &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=pierremickael.gonzalo%40gmail.com&quot; class=&quot;user-hover&quot; rel=&quot;pierremickael.gonzalo@gmail.com&quot;&gt;pierremickael.gonzalo@gmail.com&lt;/a&gt;! I authorized the patch build and merged the PR. Evergreen is MongoDB&apos;s continuous integration test platform; it runs tests on all platforms we support. Alas, it does require employee intervention to run user-submitted pull requests. But Travis tasks should still run on all PRs, and you can also run all tests locally. See &lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/blob/master/CONTRIBUTING.md#testing&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/blob/master/CONTRIBUTING.md#testing&lt;/a&gt;.&lt;/p&gt;</comment>
                            <comment id="3323727" author="kevin.albertson" created="Wed, 5 Aug 2020 21:55:44 +0000"  >&lt;p&gt;PR: &lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/pull/675&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/pull/675&lt;/a&gt;&lt;br/&gt;
Commit: &lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/cd511a80005cc8c24b1d7eb8221ac62873bc2829&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/cd511a80005cc8c24b1d7eb8221ac62873bc2829&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="3318303" author="JIRAUSER1254435" created="Mon, 3 Aug 2020 18:37:05 +0000"  >&lt;p&gt;Hi, &lt;br/&gt;
As requested I&apos;ve made the change but as you can see one test failed about evergreen with a short line description that says:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;patch must be manually authorized&#160;&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;But I do not know what it means if the error comes from my side or not. Maybe it is related to  this cluster&apos;s test that we talked previously but you said that it is manually tested so could you give me some hint on what&apos;s going wrong ?&lt;br/&gt;
Thank you&lt;/p&gt;</comment>
                            <comment id="3315513" author="kevin.albertson" created="Fri, 31 Jul 2020 13:52:32 +0000"  >&lt;blockquote&gt;
&lt;p&gt;Alright never mind I&apos;ve just misunderstood. So the manually test is intended to be tested by myself but how does it works ? Should I send you a screenshot of the server logs ?&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;No need. We can run manual tests on our end when reviewing the change since we already have Kerberos clusters set up to test against.&lt;/p&gt;</comment>
                            <comment id="3315480" author="JIRAUSER1254435" created="Fri, 31 Jul 2020 13:36:20 +0000"  >&lt;blockquote&gt;&lt;p&gt;Yes, if it is not reasonable to add automated tests, then we&apos;d have to rely on manually looking at the sent command to check that the behavior is correct. That was the decision in&#160;&lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-2449&quot; title=&quot;Session ID is included in authenticate command&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-2449&quot;&gt;&lt;del&gt;CDRIVER-2449&lt;/del&gt;&lt;/a&gt;&#160;(the fix was applied, no tests were added, but behavior was validated by inspecting trace logs&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Alright never mind I&apos;ve just misunderstood. So the manually test is intended to be tested by myself but how does it works ? Should I send you a screenshot of the server logs ?&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;If you are interested in attempting the fix, I&apos;d suggest proceeding with the change you proposed.&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Yes, I am interested in attempting the fix; I&apos;ve actually already done it, but for now I can&apos;t create a remote branch so I can open a pull request.&lt;/p&gt;</comment>
                            <comment id="3313810" author="kevin.albertson" created="Thu, 30 Jul 2020 14:20:07 +0000"  >&lt;blockquote&gt;
&lt;p&gt;Hi, so both functions call &quot;mongoc_cluster_run_command_private&quot; and according to its description no APM callbacks are executed. I think that is what you meant by: &quot;And authentication commands are not capture in command monitoring&quot;.&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Yes. That is what I meant.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;So you would like to know if is there an alternative to APM ? I would say to add an additionnal argument to the function that enables us to test it. I&apos;ve seen the parts variable set his attribute &quot;has_temp_server&quot; to true in case the prohibit_lsid is set, maybe we can use it to complete our argument. Honestly I think it&apos;s not a good idea to do that way.&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;If you are referring to the field &lt;tt&gt;has_temp_session&lt;/tt&gt; in &lt;tt&gt;mongoc_cmd_parts_t&lt;/tt&gt;, that is used internally to determine whether an implicit session is applied. It&apos;s not clear to me how you&apos;d access that from within a test.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;When you say &quot;rely on manual inspection of the commands&quot; what do you mean exactly ? That the function cannot be tested or from now it doesn&apos;t including a session id even if it is never supposed to do ?&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Yes, if it is not reasonable to add automated tests, then we&apos;d have to rely on manually looking at the sent command to check that the behavior is correct. That was the decision in &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-2449&quot; title=&quot;Session ID is included in authenticate command&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-2449&quot;&gt;&lt;del&gt;CDRIVER-2449&lt;/del&gt;&lt;/a&gt; (the fix was applied, no tests were added, but behavior was validated by inspecting trace logs).&lt;/p&gt;

&lt;p&gt;&amp;#8212;&lt;/p&gt;

&lt;p&gt;If you are interested in attempting the fix, I&apos;d suggest proceeding with the change you proposed. Manually testing this will require authenticating against a Kerberos cluster. We have existing Kerberos clusters so we can validate the change.&lt;/p&gt;</comment>
                            <comment id="3313679" author="JIRAUSER1254435" created="Thu, 30 Jul 2020 13:27:46 +0000"  >&lt;p&gt;Hi, so both functions call &quot;mongoc_cluster_run_command_private&quot; and according to its description no APM callbacks are executed. I think that is what you meant by: &quot;And authentication commands are not capture in command monitoring&quot;. So you would like to know if there is an alternative to APM? I would say to add an additional argument to the function that enables us to test it. I&apos;ve seen the parts variable set its attribute &quot;has_temp_server&quot; to true in case prohibit_lsid is set; maybe we can use it to complete our argument. Honestly I think it&apos;s not a good idea to do it that way.&lt;br/&gt;
When you say &quot;rely on manual inspection of the commands&quot; what do you mean exactly ? That the function cannot be tested or from now it doesn&apos;t including a session id even if it is never supposed to do ?&lt;/p&gt;</comment>
                            <comment id="3312724" author="kevin.albertson" created="Wed, 29 Jul 2020 19:32:58 +0000"  >&lt;p&gt;Hello &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=pierremickael.gonzalo%40gmail.com&quot; class=&quot;user-hover&quot; rel=&quot;pierremickael.gonzalo@gmail.com&quot;&gt;pierremickael.gonzalo@gmail.com&lt;/a&gt;, I agree, that seems like the most straightforward solution. If you would like to submit a PR with the change, we&apos;d happily review it.&lt;/p&gt;

&lt;p&gt;Ideally, we would like to additionally add a test to validate the change. The C driver does not have much infrastructure for testing authentication conversations. The existing integration tests check that authentication works against MongoDB servers when expected, and fails when we do not expect it to. The session ID in the authentication command does not appear to affect whether authentication succeeds, and authentication commands are not captured in &lt;a href=&quot;http://mongoc.org/libmongoc/current/application-performance-monitoring.html&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;command monitoring&lt;/a&gt;, so I would like to explore whether it is reasonable to add automated testing. If it is not feasible, we may need to rely on manual inspection of the commands.&lt;/p&gt;</comment>
                            <comment id="3312346" author="JIRAUSER1254435" created="Wed, 29 Jul 2020 16:46:23 +0000"  >&lt;p&gt;Hi, I would set the prohibit_lsid attribute to true to the parts variable in both functions right after the call to mongoc_cmd_parts_init, did I miss something ?&#160;&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="478775">CDRIVER-2449</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hr6nbj:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            </customfields>
    </item>
</channel>
</rss>