<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 08:36:21 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[GODRIVER-1415] Add build flag to run specific commands without implicit sessions</title>
                <link>https://jira.mongodb.org/browse/GODRIVER-1415</link>
                <project id="14289" key="GODRIVER">Go Driver</project>
                    <description>&lt;p&gt;This ticket is in response to HELP-12163. To allow the monitoring agent to run &lt;tt&gt;listCommands&lt;/tt&gt;, &lt;tt&gt;_isSelf&lt;/tt&gt;, and &lt;tt&gt;buildInfo&lt;/tt&gt; without authenticating against affected 3.6 servers, we should add a build flag like &lt;tt&gt;36nosessions&lt;/tt&gt;. If specified during compilation, the driver will not add an implicit session for those commands if they are run through &lt;tt&gt;RunCommand&lt;/tt&gt;. The driver will honor explicit sessions for those commands even if the build flag is specified.&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;p&gt;CC &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=thomas.delacour&quot; class=&quot;user-hover&quot; rel=&quot;thomas.delacour&quot;&gt;thomas.delacour&lt;/a&gt; &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=jeff.yemin&quot; class=&quot;user-hover&quot; rel=&quot;jeff.yemin&quot;&gt;jeff.yemin&lt;/a&gt; &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=jonathan.balsano&quot; class=&quot;user-hover&quot; rel=&quot;jonathan.balsano&quot;&gt;jonathan.balsano&lt;/a&gt; &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=louisa.berger&quot; class=&quot;user-hover&quot; rel=&quot;louisa.berger&quot;&gt;louisa.berger&lt;/a&gt; I want to make sure everyone agrees with this solution before we implement anything in the driver.&lt;/p&gt;</description>
                <environment></environment>
        <key id="1016061">GODRIVER-1415</key>
            <summary>Add build flag to run specific commands without implicit sessions</summary>
                <type id="4" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14710&amp;avatarType=issuetype">Improvement</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13202">Works as Designed</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="divjot.arora@mongodb.com">Divjot Arora</reporter>
                        <labels>
                    </labels>
                <created>Wed, 20 Nov 2019 18:54:57 +0000</created>
                <updated>Fri, 27 Oct 2023 13:16:30 +0000</updated>
                            <resolved>Fri, 22 Nov 2019 21:17:44 +0000</resolved>
                                                                    <component>Administrative Commands</component>
                                        <votes>0</votes>
                                    <watches>7</watches>
                                                                                                                <comments>
                            <comment id="2562774" author="divjot.arora" created="Fri, 22 Nov 2019 21:17:44 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=john.morales&quot; class=&quot;user-hover&quot; rel=&quot;john.morales&quot;&gt;john.morales&lt;/a&gt; Thanks for the quick follow-up. Closing this issue as &quot;Works as Designed&quot;.&lt;/p&gt;</comment>
                            <comment id="2560265" author="john.morales@10gen.com" created="Thu, 21 Nov 2019 20:14:13 +0000"  >&lt;p&gt;Let me discuss this a little more within Cloud first. Will try and follow up before Monday afternoon.&lt;/p&gt;</comment>
                            <comment id="2560186" author="behackett" created="Thu, 21 Nov 2019 19:32:39 +0000"  >&lt;p&gt;After talking to Jeff and Divjot, I agree with them that we will put a blacklist for the three commands in question behind a build flag. We want the Go driver to work like all other drivers for all other users. Changing the spec and changing all other drivers is unnecessary work. It&apos;s unfortunate that we have to do this work in the Go driver.&lt;/p&gt;</comment>
                            <comment id="2555626" author="jeff.yemin" created="Wed, 20 Nov 2019 22:44:00 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=behackett&quot; class=&quot;user-hover&quot; rel=&quot;behackett&quot;&gt;behackett&lt;/a&gt; it&apos;s not clear how we would expose a private API for cloud.&#160; What would be the mechanism for it?&lt;/p&gt;</comment>
                            <comment id="2555615" author="divjot.arora" created="Wed, 20 Nov 2019 22:38:37 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=behackett&quot; class=&quot;user-hover&quot; rel=&quot;behackett&quot;&gt;behackett&lt;/a&gt;&#160;One of my earlier suggestions on the HELP ticket was to add a &lt;tt&gt;RunCommand&lt;/tt&gt; option to opt-out of implicit sessions for a single operation, eliminating any command name checking in the driver. &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=jeff.yemin&quot; class=&quot;user-hover&quot; rel=&quot;jeff.yemin&quot;&gt;jeff.yemin&lt;/a&gt; brought up the fact that this increases our public API surface and would be an option that&apos;s not matched in other drivers, so it could be confusing. Happy to revisit if you think that&apos;s the right path, though.&lt;/p&gt;</comment>
                            <comment id="2555612" author="behackett" created="Wed, 20 Nov 2019 22:35:58 +0000"  >&lt;p&gt;Can we just add a private API for the cloud team that allows them to run arbitrary commands without an implicit session? No need for a whitelist, no need for build flags, no need for additional parameters to public methods.&lt;/p&gt;</comment>
                            <comment id="2555528" author="jeff.yemin" created="Wed, 20 Nov 2019 21:53:47 +0000"  >&lt;p&gt;By &quot;smallest change&quot;, I&apos;m referring to the application-visible behavior, not the implementation. I agree that C-style ifdefs are easier to manage than Go-style build flags, but you have to work with the tools that you have. &lt;img class=&quot;emoticon&quot; src=&quot;https://jira.mongodb.org/images/icons/emoticons/smile.png&quot; height=&quot;16&quot; width=&quot;16&quot; align=&quot;absmiddle&quot; alt=&quot;&quot; border=&quot;0&quot;/&gt;&#160;&#160;I think if the stakeholders are comfortable with the application-visible behavior aspect of this, we can see what it looks like in a PR and decide whether it&apos;s just too much to bear from a maintenance perspective.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=behackett&quot; class=&quot;user-hover&quot; rel=&quot;behackett&quot;&gt;behackett&lt;/a&gt; would you be comfortable with a spec change or deviation as an alternative?&#160; It feels odd to me to do that to work around a server bug that has been fixed and back-ported already, but I&apos;d like to get your perspective on it.&#160;&lt;/p&gt;

&lt;p&gt;For reference, here&apos;s &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=divjot.arora&quot; class=&quot;user-hover&quot; rel=&quot;divjot.arora&quot;&gt;divjot.arora&lt;/a&gt;&apos;s prototype, so everyone can see what we&apos;re talking about:&#160;&lt;a href=&quot;https://github.com/divjotarora/mongo-go-driver/commit/5ddae9e4af515f3fe33bf58659a032e236da8062&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/divjotarora/mongo-go-driver/commit/5ddae9e4af515f3fe33bf58659a032e236da8062&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;</comment>
                            <comment id="2555279" author="david.golden" created="Wed, 20 Nov 2019 21:08:23 +0000"  >&lt;p&gt;I would not describe a build flag as the &quot;smallest possible change&quot;, given that it requires a separate .go file and some sort of global data structure only populated if the build flag is set.  I would hate to see that live forever in the code base to work around this issue.&lt;/p&gt;

&lt;p&gt;(If we had C style &lt;tt&gt;#ifdef&lt;/tt&gt;, I wouldn&apos;t object to that as a quick fix, but Go isn&apos;t like that.)&lt;/p&gt;</comment>
                            <comment id="2555240" author="divjot.arora" created="Wed, 20 Nov 2019 20:48:34 +0000"  >&lt;p&gt;Given that a build flag is probably overkill for this, I can see doing this as a SPEC ticket + GODRIVER ticket to automatically exclude implicit sessions on some commands. I definitely don&apos;t want to have to enumerate every command that doesn&apos;t require an implicit session, as I think this would take too long and has little benefit. That being said, I&apos;m find doing this whatever way is agreed upon by &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=jeff.yemin&quot; class=&quot;user-hover&quot; rel=&quot;jeff.yemin&quot;&gt;jeff.yemin&lt;/a&gt; and &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=david.golden&quot; class=&quot;user-hover&quot; rel=&quot;david.golden&quot;&gt;david.golden&lt;/a&gt;.&lt;/p&gt;</comment>
                            <comment id="2555225" author="jeff.yemin" created="Wed, 20 Nov 2019 20:44:26 +0000"  >&lt;p&gt;There&apos;s probably not a need for an implicit session on most commands.&#160; But that&apos;s not the problem we&apos;re trying to solve here.&#160; The problem is there is a server bug for these three commands, introduced in 3.6 (3.6.0?) and fixed in a subsequent 3.6 patch (3.6.16?) and in 4.0+.&#160; We are trying to make the smallest change we can to help the automation agent to work around this bug because it has to run against all the affected 3.6 patch releases.&#160; For normal users, we would just tell them to upgrade their server to the latest patch.&lt;/p&gt;</comment>
                            <comment id="2555152" author="david.golden" created="Wed, 20 Nov 2019 20:35:24 +0000"  >&lt;p&gt;In the description, you said [emphasis mine]:&#160;&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;If specified during compilation, the driver will not add an implicit session &lt;b&gt;for those commands&lt;/b&gt; if they are run through &lt;tt&gt;RunCommand&lt;/tt&gt;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;That implies you already have a white list that only gets populated if a build flag is set.  I&apos;m suggesting making the white list always active without bothering with the build flag.&lt;/p&gt;</comment>
                            <comment id="2555063" author="divjot.arora" created="Wed, 20 Nov 2019 20:12:33 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=david.golden&quot; class=&quot;user-hover&quot; rel=&quot;david.golden&quot;&gt;david.golden&lt;/a&gt; It&apos;s possible we could do this through a larger whitelist but that would require more work to figure out all possible commands that don&apos;t require sessions and can be run without being authenticated if a session is not provided (the commands in question are only problematic if the session is included and the user is not authenticated). To me, that feels like more work than it&apos;s worth.&lt;/p&gt;</comment>
                            <comment id="2555046" author="david.golden" created="Wed, 20 Nov 2019 20:05:21 +0000"  >&lt;p&gt;Is there ever any need for an implicit session on those three commands?&#160; None of them are long-running and would need to be killed.&#160; Could we consider whitelisting those specific command without requiring a build flag?&#160; To me it seems like a reasonable spec deviation.&#160; (And if really necessary, it would be a trivial addition to the spec to say &quot;MAY omit session ID&quot; for those commands.)&lt;/p&gt;</comment>
                            <comment id="2554389" author="louisa.berger@10gen.com" created="Wed, 20 Nov 2019 19:17:22 +0000"  >&lt;p&gt;LGTM!&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                                                <inwardlinks description="is depended on by">
                                                        </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                                                <inwardlinks description="is related to">
                                                        </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hvt7xb:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            </customfields>
    </item>
</channel>
</rss>