authorRandolph Tan <randolph@10gen.com>2019-01-28 17:00:20 -0500
committerRandolph Tan <randolph@10gen.com>2019-01-31 14:57:49 -0500
commit8d23154ed3e086213c5bd59b3e2fcba96a3cca41 (patch)
tree1a484f25516da69248d48283890f1a9c7c731263
parentc15a40aa4eaee67e060ac63256998232deb97c38 (diff)
downloadmongo-8d23154ed3e086213c5bd59b3e2fcba96a3cca41.tar.gz
SERVER-39232 Allow commands that do not require auth to refresh sessions
-rw-r--r--jstests/auth/currentop_cursors_auth.js3
-rw-r--r--jstests/auth/pre_auth_commands_with_sessions.js10
-rw-r--r--jstests/noPassthrough/verify_session_cache_updates.js6
-rw-r--r--src/mongo/db/initialize_operation_session_info.cpp14
-rw-r--r--src/mongo/db/logical_session_id_test.cpp17
5 files changed, 32 insertions, 18 deletions
diff --git a/jstests/auth/currentop_cursors_auth.js b/jstests/auth/currentop_cursors_auth.js
index b08904cd391..ca196be176f 100644
--- a/jstests/auth/currentop_cursors_auth.js
+++ b/jstests/auth/currentop_cursors_auth.js
@@ -152,6 +152,9 @@
// Clean up the cursors so that they don't affect subsequent tests.
assert.commandWorked(
db.runCommand({killCursors: coll.getName(), cursors: [cursorId, secondCursorId]}));
+
+ // Make sure to logout to allow __system user to use the implicit session.
+ assert.commandWorked(adminDB.logout());
}
jsTestLog("Running cursor tests on mongoD");
diff --git a/jstests/auth/pre_auth_commands_with_sessions.js b/jstests/auth/pre_auth_commands_with_sessions.js
index 6472910917b..0e440a01c13 100644
--- a/jstests/auth/pre_auth_commands_with_sessions.js
+++ b/jstests/auth/pre_auth_commands_with_sessions.js
@@ -40,16 +40,6 @@
db.runCommand(commandWithSession),
"failed to run command " + cmd + " with session without being logged in");
- // Test that we can run a pre-auth command with a session while
- // multiple users are logged in (and the session gets ignored)
- db.auth("lily", "pwd");
- admin.auth("admin", "pwd");
- assert.commandWorked(admin.runCommand(command),
- "failed to run command " + cmd + " with multiple users logged in");
- assert.commandWorked(
- admin.runCommand(commandWithSession),
- "failed to run command " + cmd + " with session with multiple users logged in");
-
db.logout();
admin.logout();
};
diff --git a/jstests/noPassthrough/verify_session_cache_updates.js b/jstests/noPassthrough/verify_session_cache_updates.js
index 22674cb1ecb..6fb6d36ea7c 100644
--- a/jstests/noPassthrough/verify_session_cache_updates.js
+++ b/jstests/noPassthrough/verify_session_cache_updates.js
@@ -29,9 +29,9 @@
var session = conn.startSession();
verify(conn, 0);
- // running a non-session updating command doesn't touch
- session.getDatabase("admin").runCommand("getLastError");
- verify(conn, 0);
+ // running a command that doesn't require auth does touch
+ session.getDatabase("admin").runCommand("isMaster");
+ verify(conn, 1);
// running a session updating command does touch
session.getDatabase("admin").runCommand({serverStatus: 1});
diff --git a/src/mongo/db/initialize_operation_session_info.cpp b/src/mongo/db/initialize_operation_session_info.cpp
index e513126f173..b48027bc130 100644
--- a/src/mongo/db/initialize_operation_session_info.cpp
+++ b/src/mongo/db/initialize_operation_session_info.cpp
@@ -60,16 +60,20 @@ OperationSessionInfoFromClient initializeOperationSessionInfo(OperationContext*
!osi.getAutocommit());
uassert(
50889, "It is illegal to provide a txnNumber for this command", !osi.getTxnNumber());
- return {};
}
- {
+ if (auto authSession = AuthorizationSession::get(opCtx->getClient())) {
// If we're using the localhost bypass, and the client hasn't authenticated,
// logical sessions are disabled. A client may authenticate as the __sytem user,
// or as an externally authorized user.
- AuthorizationSession* authSession = AuthorizationSession::get(opCtx->getClient());
- if (authSession && authSession->isUsingLocalhostBypass() &&
- !authSession->isAuthenticated()) {
+ if (authSession->isUsingLocalhostBypass() && !authSession->isAuthenticated()) {
+ return {};
+ }
+
+ // Do not initialize lsid when auth is enabled and no user is logged in since
+ // there is no sensible uid that can be assigned to it.
+ if (AuthorizationManager::get(opCtx->getServiceContext())->isAuthEnabled() &&
+ !authSession->isAuthenticated() && !requiresAuth) {
return {};
}
}
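Review bot: The comment above the new `isAuthEnabled()` guard explains only two of its three conditions; `!requiresAuth` is not mentioned, so a reader cannot tell that the lsid is dropped only for commands that do not require auth. I would reword it to `// For commands that do not require auth: when auth is enabled and no user is logged in, ignore the lsid, since there is no sensible uid to assign to it.` Because the unconditional `return {};` was removed from the block that closes just above, such commands now reach session initialization whenever a user is authenticated. That appears to be why the multi-user case was deleted from pre_auth_commands_with_sessions.js, and the change in behaviour deserves a sentence in the comment. The context comment also spells `__system` as `__sytem`. The function body begins and continues outside this hunk.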
diff --git a/src/mongo/db/logical_session_id_test.cpp b/src/mongo/db/logical_session_id_test.cpp
index 1bf9e9b4658..3d90d189d5b 100644
--- a/src/mongo/db/logical_session_id_test.cpp
+++ b/src/mongo/db/logical_session_id_test.cpp
@@ -383,5 +383,22 @@ TEST_F(LogicalSessionIdTest, ConstructorFromClientWithTooLongName) {
ASSERT_THROWS(makeLogicalSessionId(req, _opCtx.get()), AssertionException);
}
+TEST_F(LogicalSessionIdTest, MultipleUsersPerSessionIsNotAllowed) {
+ addSimpleUser(UserName("simple", "test"));
+ addSimpleUser(UserName("simple", "test2"));
+
+ LogicalSessionFromClient lsid;
+ lsid.setId(UUID::gen());
+
+ ASSERT_THROWS_CODE(initializeOperationSessionInfo(
+ _opCtx.get(),
+ BSON("TestCmd" << 1 << "lsid" << lsid.toBSON() << "txnNumber" << 100LL),
+ true,
+ true,
+ true),
+ AssertionException,
+ ErrorCodes::Unauthorized);
+}
+
} // namespace
} // namespace mongo
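Review bot: The new test passes three bare `true` arguments, so the call does not show which one is `requiresAuth`, and it appears to cover only the case where auth is required. The branch this commit adds is the one for commands that do not require auth. A companion case with that flag false and two users added would pin the behaviour the removed jstest used to exercise. If the fixture runs with auth enabled, a further case with no user added would pin the empty result. Annotating the literals, e.g. `true /* requiresAuth */,`, would make the intent readable; the parameter order is not visible in this diff, so confirm it against the declaration.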