diff options
author | Randolph Tan <randolph@10gen.com> | 2019-01-28 17:00:20 -0500 |
---|---|---|
committer | Randolph Tan <randolph@10gen.com> | 2019-02-21 14:36:41 -0500 |
commit | 47fdb3cc40fe966c1a7f52ab883095cacf3a4fb6 (patch) | |
tree | bb4a091e934268c4b8d7a6944056733426082a2c | |
parent | 89f1160cc1d5ebd6401485ad13aa1973666e8133 (diff) | |
download | mongo-47fdb3cc40fe966c1a7f52ab883095cacf3a4fb6.tar.gz |
SERVER-39232 Allow commands that do not require auth to refresh sessions
(cherry picked from commit 8d23154ed3e086213c5bd59b3e2fcba96a3cca41)
-rw-r--r-- | jstests/auth/pre_auth_commands_with_sessions.js | 10 | ||||
-rw-r--r-- | jstests/noPassthrough/verify_session_cache_updates.js | 6 | ||||
-rw-r--r-- | src/mongo/db/initialize_operation_session_info.cpp | 14 | ||||
-rw-r--r-- | src/mongo/db/logical_session_id_test.cpp | 17 |
4 files changed, 29 insertions, 18 deletions
diff --git a/jstests/auth/pre_auth_commands_with_sessions.js b/jstests/auth/pre_auth_commands_with_sessions.js index 6472910917b..0e440a01c13 100644 --- a/jstests/auth/pre_auth_commands_with_sessions.js +++ b/jstests/auth/pre_auth_commands_with_sessions.js @@ -40,16 +40,6 @@ db.runCommand(commandWithSession), "failed to run command " + cmd + " with session without being logged in"); - // Test that we can run a pre-auth command with a session while - // multiple users are logged in (and the session gets ignored) - db.auth("lily", "pwd"); - admin.auth("admin", "pwd"); - assert.commandWorked(admin.runCommand(command), - "failed to run command " + cmd + " with multiple users logged in"); - assert.commandWorked( - admin.runCommand(commandWithSession), - "failed to run command " + cmd + " with session with multiple users logged in"); - db.logout(); admin.logout(); }; diff --git a/jstests/noPassthrough/verify_session_cache_updates.js b/jstests/noPassthrough/verify_session_cache_updates.js index 22674cb1ecb..6fb6d36ea7c 100644 --- a/jstests/noPassthrough/verify_session_cache_updates.js +++ b/jstests/noPassthrough/verify_session_cache_updates.js @@ -29,9 +29,9 @@ var session = conn.startSession(); verify(conn, 0); - // running a non-session updating command doesn't touch - session.getDatabase("admin").runCommand("getLastError"); - verify(conn, 0); + // running a command that doesn't require auth does touch + session.getDatabase("admin").runCommand("isMaster"); + verify(conn, 1); // running a session updating command does touch session.getDatabase("admin").runCommand({serverStatus: 1}); diff --git a/src/mongo/db/initialize_operation_session_info.cpp b/src/mongo/db/initialize_operation_session_info.cpp index 3b32e3619cb..8842c5cb8bb 100644 --- a/src/mongo/db/initialize_operation_session_info.cpp +++ b/src/mongo/db/initialize_operation_session_info.cpp @@ -67,16 +67,20 @@ boost::optional<OperationSessionInfoFromClient> initializeOperationSessionInfo( !osi.getAutocommit()); uassert( 50889, "It is illegal to provide a txnNumber for this command", !osi.getTxnNumber()); - return boost::none; } - { + if (auto authSession = AuthorizationSession::get(opCtx->getClient())) { // If we're using the localhost bypass, and the client hasn't authenticated, // logical sessions are disabled. A client may authenticate as the __sytem user, // or as an externally authorized user. - AuthorizationSession* authSession = AuthorizationSession::get(opCtx->getClient()); - if (authSession && authSession->isUsingLocalhostBypass() && - !authSession->isAuthenticated()) { + if (authSession->isUsingLocalhostBypass() && !authSession->isAuthenticated()) { + return boost::none; + } + + // Do not initialize lsid when auth is enabled and no user is logged in since + // there is no sensible uid that can be assigned to it. + if (AuthorizationManager::get(opCtx->getServiceContext())->isAuthEnabled() && + !authSession->isAuthenticated() && !requiresAuth) { return boost::none; } } diff --git a/src/mongo/db/logical_session_id_test.cpp b/src/mongo/db/logical_session_id_test.cpp index 5a4d14705ac..18e755fe507 100644 --- a/src/mongo/db/logical_session_id_test.cpp +++ b/src/mongo/db/logical_session_id_test.cpp @@ -379,5 +379,22 @@ TEST_F(LogicalSessionIdTest, ConstructorFromClientWithTooLongName) { ASSERT_THROWS(makeLogicalSessionId(req, _opCtx.get()), AssertionException); } +TEST_F(LogicalSessionIdTest, MultipleUsersPerSessionIsNotAllowed) { + addSimpleUser(UserName("simple", "test")); + addSimpleUser(UserName("simple", "test2")); + + LogicalSessionFromClient lsid; + lsid.setId(UUID::gen()); + + ASSERT_THROWS_CODE(initializeOperationSessionInfo( + _opCtx.get(), + BSON("TestCmd" << 1 << "lsid" << lsid.toBSON() << "txnNumber" << 100LL), + true, + true, + true), + AssertionException, + ErrorCodes::Unauthorized); +} + } // namespace } // namespace mongo |