Operational Defect Database

BugZero found this defect 2350 days ago.

MongoDB | 428546

[SERVER-31116] Initial createUser command with lsid prohibited

Last update date:

10/30/2023

Affected products:

MongoDB Server

Affected releases:

No affected releases provided.

Fixed releases:

3.6.0-rc0

Description:

Info

Resolution: When the localhost bypass is in effect, the server ignores "lsid" in all commands and neither requires auth nor creates a session. Original report: Question for samantha.ritter or jason.carey. Current Drivers Session Spec says all commands include "lsid" if the server supports sessions, with the exceptions of auth commands and ismaster. So "createUser" should include "lsid". However, if the server is started with auth and it has no users, a driver might want to connect without authenticating and issue "createUser". For example, PyMongo's tests detect if the server has started with auth and has no user. If the initial "createUser" command is issued with "lsid", the server responds with error code 13, "there are no users authenticated". What should we do?: createUser with "lsid" is permitted if there are no users created yet, but the server ignores "lsid" (creates no server session) The Drivers Session Spec says that createUser omits "lsid" iff the application doesn't explicitly pass a ClientSession object and the connection isn't authenticated cc rstam. Also I'm curious what emily.stolfo has done to test the Ruby driver. Did you need to work around this?

Top User Comments

xgen-internal-githook commented on Wed, 27 Sep 2017 15:27:12 +0000: Author: {'email': 'jcarey@argv.me', 'name': 'Jason Carey', 'username': 'hanumantmk'} Message: SERVER-31116 localhost bypass for sessions Change the behavior or logical session use so that passing a lsid when the localhost bypass is enabled causes the session id to be ignored. This eases the burden on drivers from having to identify that initial createUser command and avoid passing a lsid. Branch: master https://github.com/mongodb/mongo/commit/a1a12aa3422fa0ff7c169c2d58a879e5a402fac9

Additional Resources / Links

Share:

BugZero Risk Score

Coming soon

Status

Closed

Have you been affected by this bug?

cost-cta-background

Do you know how much operational outages are costing you?

Understand the cost to your business and how BugZero can help you reduce those costs.

Discussion

Login to read and write comments.

Have you ever...

had your data corrupted from a

VMware

bug?

Search:

...