Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-13850

Make sure user cache entry is up to date before using it to determine a user's roles in user management commands on mongos

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 2.6.1
    • Fix Version/s: 2.6.2, 2.7.1
    • Component/s: Security, Sharding
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Backport Completed:

      Description

      Issue Status as of May 14, 2014

      ISSUE SUMMARY
      When a grantRolesToUser or revokeRolesFromUser command is run on a mongos, the mongos does not check whether the entry in the user cache for that user is out of date. It can thus overwrite role changes that were made from another mongos.

      USER IMPACT
      In systems where users are administered via multiple mongos some changes may not persist and get overwritten. This can lead to users not having the correct permissions.

      WORKAROUNDS
      Modify users only via a single mongos if possible. If that is not an option, calling the invalidateUserCache command before making any role changes will minimize the risk of overwriting changes from another mongos (but not completely avoid it due to the existing race condition).

      AFFECTED VERSIONS
      Version 2.6.0 and 2.6.1 were affected by this bug.

      FIX VERSION
      The patch is included in the 2.6.2 production release.

      RESOLUTION DETAILS
      mongos now ensures that the cache entry for a user document is up to date before updating a user.

      Original description

      Currently it is possible to get into a situation where a user's roles are changed on one mongos, then another mongos receives a grantRolesToUser command and $sets the user's roles to something based on out of date information of the existing roles the user has.

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: