Loading...

XML

Word

Printable

JSON

Type: Improvement
Resolution: Done
Priority: Major - P3
Fix Version/s: 3.0.3, 3.1.0
Affects Version/s: 2.4.8, 2.5.4
Component/s: Security
Labels:
None

Backwards Compatibility:
Fully Compatible
Backport Completed:

3.0.3
Confidence Status:
None
Work Order:
3

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name:
None
Goal Link:
None

Currently, anytime an access-control enabled mongod or mongos receive a new connection from localhost, it must issue a query against admin.system.user to determine if there are any users defined in the system, and thus whether or not to grant the connection full access according to the localhost auth bypass.

If we determine that there is in fact a user defined, and thus the localhost exception should not be in effect, we cache that information on the connection so that that connection does not have to query admin.system.users for this purpose again.

We should instead cache the existence of an admin user process-wide so it only needs to be checked once, not once on every new connection.

is duplicated by

SERVER-17845 Running the dropDatabase command can cause an election to occur

Closed

is related to

SERVER-12236 Don't query admin.system.users on new localhost connections if the localhost auth bypass has been explicitly disabled

Closed

SERVER-17034 Deadlock between poorly-formed copydb and reading admin.system.users for localhost exception check

Closed

SERVER-18415 Dropping admin user doesn't reenable localhost exception

Closed

Assignee:: Matt Dannenberg (Inactive)
Reporter:: Spencer Brody (Inactive)
Participants:: Amalia Hawkins, Andy Schwerin, Githook User, Matt Dannenberg, Spencer Brody
Votes:: 0 Vote for this issue
Watchers:: 5 Start watching this issue

Created:: Jan 02 2014 07:44:17 PM UTC
Updated:: Sep 19 2015 12:16:36 AM UTC
Resolved:: Feb 26 2015 08:14:17 PM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates