When auth is enabled, no users are defined, and connections are made with the localhost exception, every operation will check to see if any users have been defined. This is because as soon as any users have been defined, the localhost exception no longer applies.

However, it is not clear from the logs that this check is being performed before every operation (even simple commands with no auth, like ping or isMaster). On a mongod, this is not so bad, but on mongos, this involves querying the first config server, which may have a substantial latency. This potential latency is not logged anywhere, nor is it included in the millis of the operation, which can be very confusing.

To help avoid this confusion, it would be useful if the logging in this area was strengthened. This could take the form of:

• Removing the ONCE around the "note: no users configured in admin.system.users, allowing localhost access" message (possibly only for mongos).
• Making this message more clearly indicate that until a user is configured, all subsequent operations will check if any users are defined (possibly only in mongos).
• In mongos, make _checkShouldAllowLocalhost() log when it is about to call hasAnyPrivilegeDocuments() (this is my preferred solution). The message could be something like "checking if any users are configured (for localhost access)".
• Anything else which clearly indicates that this check is being done (out of necessity).