[SERVER-10745] Eliminate AuthorizationSession::hasInternalAuthorization() Created: 11/Sep/13  Updated: 02/Aug/18  Resolved: 20/Sep/13

Status: Closed
Project: Core Server
Component/s: Replication, Security
Affects Version/s: None
Fix Version/s: 2.5.3

Type: Task Priority: Major - P3
Reporter: Andy Schwerin Assignee: Andy Schwerin
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Participants:

 Description   

The AuthorizationSession::hasInternalAuthorization() method is implemented in terms of an outdated notion of "internal user". The only callers of the method are two implementations of replAuthentication(), which are essentially trying to provide a runtime check of a programming error. Specifically, the checks try to prevent a command running on behalf of a user (and not the cluster) from establishing a connection to another cluster member as a cluster member. However, this check provides no real safety. The errant programmer could simply pass "true" to the "skipAuthChecks" parameter of replAuthenticate() on the bad code path, or invoke a method that does.



 Comments   
Comment by auto [ 20/Sep/13 ]

Author:

{u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}

Message: SERVER-10745 Eliminate AuthorizationSession::hasInternalAuthorization() method.

This requires eliminating the "skipAuthCheck" parameter to replAuthenticate(), which
the linked jira ticket describes as folly, anyways.
Branch: master
https://github.com/mongodb/mongo/commit/a186a177704ea69502624c256f84b95e5832d86b

Generated at Thu Feb 08 03:23:57 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.