author | Randolph Tan <randolph@10gen.com> | 2019-01-28 17:00:20 -0500 |
---|---|---|
committer | Randolph Tan <randolph@10gen.com> | 2019-01-31 14:57:49 -0500 |
commit | 8d23154ed3e086213c5bd59b3e2fcba96a3cca41 (patch) | |
tree | 1a484f25516da69248d48283890f1a9c7c731263 | |
parent | c15a40aa4eaee67e060ac63256998232deb97c38 (diff) | |
download | mongo-8d23154ed3e086213c5bd59b3e2fcba96a3cca41.tar.gz |
SERVER-39232 Allow commands that do not require auth to refresh sessions
-rw-r--r-- | jstests/auth/currentop_cursors_auth.js | 3 | ||||
-rw-r--r-- | jstests/auth/pre_auth_commands_with_sessions.js | 10 | ||||
-rw-r--r-- | jstests/noPassthrough/verify_session_cache_updates.js | 6 | ||||
-rw-r--r-- | src/mongo/db/initialize_operation_session_info.cpp | 14 | ||||
-rw-r--r-- | src/mongo/db/logical_session_id_test.cpp | 17 |
5 files changed, 32 insertions, 18 deletions
diff --git a/jstests/auth/currentop_cursors_auth.js b/jstests/auth/currentop_cursors_auth.js index b08904cd391..ca196be176f 100644 --- a/jstests/auth/currentop_cursors_auth.js +++ b/jstests/auth/currentop_cursors_auth.js @@ -152,6 +152,9 @@ // Clean up the cursors so that they don't affect subsequent tests. assert.commandWorked( db.runCommand({killCursors: coll.getName(), cursors: [cursorId, secondCursorId]})); + + // Make sure to logout to allow __system user to use the implicit session. + assert.commandWorked(adminDB.logout()); } jsTestLog("Running cursor tests on mongoD"); diff --git a/jstests/auth/pre_auth_commands_with_sessions.js b/jstests/auth/pre_auth_commands_with_sessions.js index 6472910917b..0e440a01c13 100644 --- a/jstests/auth/pre_auth_commands_with_sessions.js +++ b/jstests/auth/pre_auth_commands_with_sessions.js @@ -40,16 +40,6 @@ db.runCommand(commandWithSession), "failed to run command " + cmd + " with session without being logged in"); - // Test that we can run a pre-auth command with a session while - // multiple users are logged in (and the session gets ignored) - db.auth("lily", "pwd"); - admin.auth("admin", "pwd"); - assert.commandWorked(admin.runCommand(command), - "failed to run command " + cmd + " with multiple users logged in"); - assert.commandWorked( - admin.runCommand(commandWithSession), - "failed to run command " + cmd + " with session with multiple users logged in"); - db.logout(); admin.logout(); }; diff --git a/jstests/noPassthrough/verify_session_cache_updates.js b/jstests/noPassthrough/verify_session_cache_updates.js index 22674cb1ecb..6fb6d36ea7c 100644 --- a/jstests/noPassthrough/verify_session_cache_updates.js +++ b/jstests/noPassthrough/verify_session_cache_updates.js 
@@ -29,9 +29,9 @@ var session = conn.startSession(); verify(conn, 0); - // running a non-session updating command doesn't touch - session.getDatabase("admin").runCommand("getLastError"); - verify(conn, 0); + // running a command that doesn't require auth does touch + session.getDatabase("admin").runCommand("isMaster"); + verify(conn, 1); // running a session updating command does touch session.getDatabase("admin").runCommand({serverStatus: 1}); diff --git a/src/mongo/db/initialize_operation_session_info.cpp b/src/mongo/db/initialize_operation_session_info.cpp index e513126f173..b48027bc130 100644 --- a/src/mongo/db/initialize_operation_session_info.cpp +++ b/src/mongo/db/initialize_operation_session_info.cpp @@ -60,16 +60,20 @@ OperationSessionInfoFromClient initializeOperationSessionInfo(OperationContext* !osi.getAutocommit()); uassert( 50889, "It is illegal to provide a txnNumber for this command", !osi.getTxnNumber()); - return {}; } - { + if (auto authSession = AuthorizationSession::get(opCtx->getClient())) { // If we're using the localhost bypass, and the client hasn't authenticated, // logical sessions are disabled. A client may authenticate as the __sytem user, // or as an externally authorized user. - AuthorizationSession* authSession = AuthorizationSession::get(opCtx->getClient()); - if (authSession && authSession->isUsingLocalhostBypass() && - !authSession->isAuthenticated()) { + if (authSession->isUsingLocalhostBypass() && !authSession->isAuthenticated()) { + return {}; + } + + // Do not initialize lsid when auth is enabled and no user is logged in since + // there is no sensible uid that can be assigned to it. + if (AuthorizationManager::get(opCtx->getServiceContext())->isAuthEnabled() && + !authSession->isAuthenticated() && !requiresAuth) { return {}; } } diff --git a/src/mongo/db/logical_session_id_test.cpp b/src/mongo/db/logical_session_id_test.cpp index 1bf9e9b4658..3d90d189d5b 100644 --- a/src/mongo/db/logical_session_id_test.cpp 
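Review bot: The second early return in initializeOperationSessionInfo is conditioned on `!requiresAuth`, but its comment only mentions "auth is enabled and no user is logged in", so it does not explain why an unauthenticated command that does require auth is allowed to fall through to lsid initialization. If the intent is that such a request is refused elsewhere, the comment should say so, for example `// Commands that require auth are not short-circuited here; they are expected to fail authorization instead.` Separately, when `AuthorizationSession::get()` returns null the whole `if` block is skipped, and with the unconditional `return {};` removed a command that does not require auth now proceeds to session initialization in that case. Whether a null session can occur on this path is not visible in the hunk, so it deserves either a comment or an explicit guard. The function body starts and ends outside the hunk.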
+++ b/src/mongo/db/logical_session_id_test.cpp @@ -383,5 +383,22 @@ TEST_F(LogicalSessionIdTest, ConstructorFromClientWithTooLongName) { ASSERT_THROWS(makeLogicalSessionId(req, _opCtx.get()), AssertionException); } +TEST_F(LogicalSessionIdTest, MultipleUsersPerSessionIsNotAllowed) { + addSimpleUser(UserName("simple", "test")); + addSimpleUser(UserName("simple", "test2")); + + LogicalSessionFromClient lsid; + lsid.setId(UUID::gen()); + + ASSERT_THROWS_CODE(initializeOperationSessionInfo( + _opCtx.get(), + BSON("TestCmd" << 1 << "lsid" << lsid.toBSON() << "txnNumber" << 100LL), + true, + true, + true), + AssertionException, + ErrorCodes::Unauthorized); +} + } // namespace } // namespace mongo |
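Review bot: The added unit test pins only the multiple-users rejection; nothing in this hunk exercises the new branch in initialize_operation_session_info.cpp that returns an empty result when auth is enabled, no user is authenticated and the command does not require auth. A companion case that supplies an lsid with no users added and `requiresAuth` false, and asserts that the returned info carries no session id, would keep that access-control behaviour from regressing, assuming the fixture runs with auth enabled. The three bare `true` arguments are also hard to audit, since the call site does not show which one is `requiresAuth`; an inline comment naming each parameter next to its value would make that clear.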