At the moment in a sharded, auth-enabled system local users on the replicas are required to perform maintenance operations on primaries and secondaries.

This is a confusing inconsistency since the main users of the system are maintained on the config servers and we generally disencourage creating local users. Examples of operations requiring this type of access is running compact.

Some possible strategies to solve this are:
1. As soon as sharding is enabled, let the replicas contact the config servers for auth, just like mongos does. This requires the replicas (including secondaries to have access to the config servers) and will require some mongos/config server fu be copied to mongod.

2. Synchronize the config server users down to the replicas via the primaries.
It is rather inconvenient and cludgy to introduce another information pushing channel in addition to mongos-primary and primary-secondary.