[SERVER-10745] Eliminate AuthorizationSession::hasInternalAuthorization() Created: 11/Sep/13 Updated: 02/Aug/18 Resolved: 20/Sep/13
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Replication, Security |
| Affects Version/s: | None |
| Fix Version/s: | 2.5.3 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Andy Schwerin | Assignee: | Andy Schwerin |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Participants: |
| Description |
The AuthorizationSession::hasInternalAuthorization() method is implemented in terms of an outdated notion of "internal user". The only callers of the method are two implementations of replAuthentication(), which are essentially trying to provide a runtime check of a programming error. Specifically, the checks try to prevent a command running on behalf of a user (and not the cluster) from establishing a connection to another cluster member as a cluster member. However, this check provides no real safety. The errant programmer could simply pass "true" to the "skipAuthChecks" parameter of replAuthenticate() on the bad code path, or invoke a method that does.
| Comments |
| Comment by auto [ 20/Sep/13 ] |
Author: Andy Schwerin (andy10gen) <schwerin@10gen.com>
Message: This requires eliminating the "skipAuthCheck" parameter to replAuthenticate(), which