If you have a sharded cluster all running on one machine, in 2.0 if you connect to the mongos via localhost and there are no admin users then it allows you full access to the mongos. Since the connections between mongos and mongod have full access anyway, this gives you full access to the cluster.

In 2.1.2+, however, authentication for commands is done on the mongods, with the credentials passed from mongos. Some machines will not consider the connection from the mongos to the mongods to be a localhost connection if the cluster was configured using the machine's hostname. This means that even though you connect to mongos on a local connection, some commands might still fail.

On the other hand, some machines DO recognize the connection between mongos and mongod as a localhost connection. On those machines if you add an admin user to the cluster, which should close the localhost backdoor, commands that are passed through to the mongods directly can still succeed, even without write authorization. In order to disable the localhost exception completely, you need to add admin users to each shard directly.

This only affects clusters that are all running on the same machine, so it's not really a security hole, it's more a problem for our test infrastructure because it makes the behavior of authentication in tests vary based on which machine the tests are run on, and whether or not the connections between the mongos and mongods get considered local or not (seems to be related to whether the hostname for itself on the machine resolves to 127.0.0.1, or to the machine's public IP address).