...
Given an unauthed connection to a host that requires authentication, these connections still need to be closed, but when client.disconnect is called on them, disconnect runs the endSession, which results in an authorization failure. Although this failure is not logged explicitly, it can still show up in the audit logs. It seems this would require a change to the sessions specification (https://github.com/mongodb/specifications/blob/master/source/sessions/driver-sessions.rst#endsession). This issue arose in the monitoring module in the MongoDB agent because it creates both the unauthed and authed client connections for all new hosts, regardless of whether the host requires authentication. These failures are showing up in the audit logs and can be concerning for customers from a security perspective.
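The description above explains where the noise comes from: an endSessions sent on a never-authenticated connection fails the authorization check, and on an audited deployment that failure lands in the audit log next to genuine authorization failures. The following is an added example, not code from the ticket, the Go driver or the agent, showing how a defender reading such a log can separate the two. It assumes the documented JSON audit record shape (atype "authCheck", an empty users array for an unauthenticated connection, param.command naming the command, result 13 for Unauthorized); the four log lines are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// auditEntry holds the subset of a MongoDB JSON audit record that the
// triage below needs. Field names follow the audit message format;
// fields not listed here are ignored by encoding/json.
type auditEntry struct {
	AType string `json:"atype"`
	Users []struct {
		User string `json:"user"`
		DB   string `json:"db"`
	} `json:"users"`
	Remote struct {
		IP   string `json:"ip"`
		Port int    `json:"port"`
	} `json:"remote"`
	Param struct {
		Command string `json:"command"`
		NS      string `json:"ns"`
	} `json:"param"`
	Result int `json:"result"`
}

// Classification labels returned by classifyAuditLine.
const (
	ClassOK                  = "ok"                   // successful authCheck, or not an authCheck record
	ClassUnauthedEndSessions = "unauthed-endSessions" // the driver-disconnect pattern the ticket describes
	ClassAuthzFailure        = "authz-failure"        // any other authorization failure: review it
)

// errUnauthorized is the MongoDB error code for Unauthorized.
const errUnauthorized = 13

// classifyAuditLine parses one audit record and labels it. The benign
// pattern is exactly: an authCheck on endSessions that failed with
// Unauthorized while no user was authenticated on the connection.
func classifyAuditLine(line string) (string, error) {
	var e auditEntry
	if err := json.Unmarshal([]byte(line), &e); err != nil {
		return "", fmt.Errorf("malformed audit record: %w", err)
	}
	if e.AType != "authCheck" || e.Result == 0 {
		return ClassOK, nil
	}
	if e.Result == errUnauthorized && e.Param.Command == "endSessions" && len(e.Users) == 0 {
		return ClassUnauthedEndSessions, nil
	}
	return ClassAuthzFailure, nil
}

// triageAuditLog classifies every line of an audit log and returns the
// count per class plus "remote command" strings for the failures that
// still deserve a look.
func triageAuditLog(log string) (map[string]int, []string, error) {
	counts := map[string]int{}
	var suspects []string
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		class, err := classifyAuditLine(line)
		if err != nil {
			return nil, nil, err
		}
		counts[class]++
		if class == ClassAuthzFailure {
			var e auditEntry
			_ = json.Unmarshal([]byte(line), &e) // already parsed successfully above
			suspects = append(suspects, fmt.Sprintf("%s:%d %s", e.Remote.IP, e.Remote.Port, e.Param.Command))
		}
	}
	return counts, suspects, nil
}

// sampleAuditLog is constructed for this example. Line 1 is the disconnect
// noise; line 2 is a normal authenticated endSessions; lines 3 and 4 are
// authorization failures that a reviewer should actually look at.
const sampleAuditLog = `
{"atype":"authCheck","ts":{"$date":"2020-05-20T15:04:05.000+00:00"},"local":{"ip":"10.0.0.2","port":27017},"remote":{"ip":"10.0.0.5","port":51234},"users":[],"roles":[],"param":{"command":"endSessions","ns":"admin"},"result":13}
{"atype":"authCheck","ts":{"$date":"2020-05-20T15:04:06.000+00:00"},"local":{"ip":"10.0.0.2","port":27017},"remote":{"ip":"10.0.0.5","port":51240},"users":[{"user":"monitor","db":"admin"}],"roles":[{"role":"clusterMonitor","db":"admin"}],"param":{"command":"endSessions","ns":"admin"},"result":0}
{"atype":"authCheck","ts":{"$date":"2020-05-20T15:04:07.000+00:00"},"local":{"ip":"10.0.0.2","port":27017},"remote":{"ip":"10.0.0.9","port":40001},"users":[],"roles":[],"param":{"command":"find","ns":"accounts.users"},"result":13}
{"atype":"authCheck","ts":{"$date":"2020-05-20T15:04:08.000+00:00"},"local":{"ip":"10.0.0.2","port":27017},"remote":{"ip":"10.0.0.7","port":40002},"users":[{"user":"app","db":"accounts"}],"roles":[{"role":"readWrite","db":"accounts"}],"param":{"command":"dropDatabase","ns":"accounts"},"result":13}
`

func main() {
	counts, suspects, err := triageAuditLog(sampleAuditLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("per-class counts:", counts)
	fmt.Println("failures to review:", suspects)
}
```

The point of the narrow match is that the suppression only covers the combination the ticket describes; an unauthenticated find, or an authenticated user hitting a privilege check, still surfaces as an authorization failure.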
xgen-internal-githook commented on Fri, 23 Oct 2020 14:26:54 +0000:
Author: {'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}
Message: SERVER-49165 Test that no audit entry is produced for unauthed endSessions when not logged in (cherry picked from commit 48343d458c33553dc6e8b90d3a6221d8dee6a97f)
Branch: v4.0
https://github.com/10gen/mongo-enterprise-modules/commit/714da9e9846c76e03a64b994c699b98932e0747b

xgen-internal-githook commented on Fri, 23 Oct 2020 01:48:51 +0000:
Author: {'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}
Message: SERVER-49165 Limit auditing authz failure in endSessions command (cherry picked from commit 680eb5a61bc123d021a75b5ec5a997409ec0d36d)
Branch: v4.2
https://github.com/mongodb/mongo/commit/1d59792abdd3242fdcf28bea23d743a999824066

xgen-internal-githook commented on Fri, 23 Oct 2020 01:48:46 +0000:
Author: {'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}
Message: SERVER-49165 Test that no audit entry is produced for unauthed endSessions when not logged in (cherry picked from commit 48343d458c33553dc6e8b90d3a6221d8dee6a97f)
Branch: v4.2
https://github.com/10gen/mongo-enterprise-modules/commit/8a4ed512c07a0e04cbcdf75247177da560da0055

xgen-internal-githook commented on Thu, 22 Oct 2020 21:45:12 +0000:
Author: {'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}
Message: SERVER-49165 Limit auditing authz failure in endSessions command (cherry picked from commit 680eb5a61bc123d021a75b5ec5a997409ec0d36d)
Branch: v4.4
https://github.com/mongodb/mongo/commit/ed2af140e1793988bcb6235629e8f3d0aea7a110

xgen-internal-githook commented on Thu, 22 Oct 2020 21:45:07 +0000:
Author: {'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}
Message: SERVER-49165 Test that no audit entry is produced for unauthed endSessions when not logged in (cherry picked from commit 48343d458c33553dc6e8b90d3a6221d8dee6a97f)
Branch: v4.4
https://github.com/10gen/mongo-enterprise-modules/commit/cb3f93df71fcd57e07564f26743bb2ef4892a9b7

xgen-internal-githook commented on Tue, 25 Aug 2020 17:57:17 +0000:
Author: {'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}
Message: SERVER-49165 Limit auditing authz failure in endSessions command
Branch: master
https://github.com/mongodb/mongo/commit/680eb5a61bc123d021a75b5ec5a997409ec0d36d

xgen-internal-githook commented on Tue, 25 Aug 2020 17:57:12 +0000:
Author: {'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}
Message: SERVER-49165 Test that no audit entry is produced for unauthed endSessions when not logged in
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/48343d458c33553dc6e8b90d3a6221d8dee6a97f

spencer.jackson@10gen.com commented on Tue, 26 May 2020 18:39:15 +0000:
The server doesn't, to the best of my knowledge, persist logical session state for unauthenticated users. Ending a session while not authenticated is a little weird, because the name of the user which owns the session is baked into the logical session's internal ID. If a session is used on a connection which has never been authenticated, "ending" such a session would just be a no-op. If a client-side session ID had ever actually been used, however, then it will not be possible to end it without being authenticated as the user which created it. It also wouldn't be possible for unauthenticated clients to tell whether it has been used.

Possible alternatives I could imagine:
- Make endSessions a no-op for unauthenticated clients, and accept that sessions will not be killed if a client logs in, uses a session, logs out, and then attempts to endSession.
- Make endSessions return a runtime error rather than an authorization error when run by unauthenticated clients.

mira.carey@mongodb.com, do you have any other ideas?
divjot.arora commented on Sun, 24 May 2020 15:24:32 +0000:
john.morales Thanks for the background! The monitoring agent's use case definitely makes sense. I don't think this DRIVERS ticket is worth doing. It would require additional API to either close a client without running endSessions or to opt out of sessions when creating a client. Doing either of these across drivers and then documenting when a user might want them seems like more work than it's worth. The large majority of users aren't creating unauthenticated connections to servers that require auth, so sessions "just work" for them.

jeff.yemin The server team can comment about the viability of making endSessions a no-op for this use case, but I think a server-side fix won't be enough for Cloud, as they need to support already released versions of the server. This is the same issue we ran into when Cloud first upgraded to the 1.1.x branch and had to work around a bug that was fixed and backported to 3.6, but existed in previous 3.6 releases.

Given all of this, I think we should close out this DRIVERS ticket and possibly file a SERVER ticket, depending on input from mira.carey@mongodb.com or spencer.jackson, to allow this behavior in future releases. We can discuss either making a Go-specific fix or changing the monitoring agent to use lower-level driver APIs, but that discussion should be elsewhere.

divjot.arora commented on Thu, 21 May 2020 17:26:09 +0000:
For additional context, the Go driver does ignore errors from the endSessions command per the sessions spec, but the monitoring agent is a special use case because it parses server logs, which show the unauthorized endSessions attempt.