[SERVER-12235] Don't require a database read on every new localhost connection when auth is on
Created: 02/Jan/14 | Updated: 19/Sep/15 | Resolved: 26/Feb/15
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 2.4.8, 2.5.4 |
| Fix Version/s: | 3.0.3, 3.1.0 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Spencer Brody (Inactive) | Assignee: | Matt Dannenberg |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Backwards Compatibility: | Fully Compatible |
| Description |
|
Currently, anytime an access-control-enabled mongod or mongos receives a new connection from localhost, it must issue a query against admin.system.users to determine if there are any users defined in the system, and thus whether or not to grant the connection full access according to the localhost auth bypass. If we determine that there is in fact a user defined, and thus the localhost exception should not be in effect, we cache that information on the connection so that that connection does not have to query admin.system.users for this purpose again. We should instead cache the existence of an admin user process-wide so it only needs to be checked once, not once on every new connection.
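The process-wide caching proposed in the description, as an added C++ sketch that is not MongoDB's code. `UserStore`, `UserExistenceCache` and `grantLocalhostBypass` are hypothetical names, and the model assumes only the positive answer (a user exists) is cached, so the bypass is never granted from stale data.

```cpp
#include <atomic>
#include <cstdio>

// Hypothetical stand-in for the query against admin.system.users.
struct UserStore {
    bool hasUsers = false;
    int reads = 0;  // number of simulated database reads
    bool anyUserExists() { ++reads; return hasUsers; }
};

// Process-wide latch: set once a user is known to exist, never cleared here.
// Only the positive answer is cached. "No users yet" is re-checked on every
// call, so creating the first user ends the bypass for later connections.
class UserExistenceCache {
    std::atomic<bool> usersExist_{false};
public:
    bool usersExist(UserStore& store) {
        if (usersExist_.load(std::memory_order_acquire)) return true;  // no read
        if (!store.anyUserExists()) return false;  // not cached: fail safe
        usersExist_.store(true, std::memory_order_release);
        return true;
    }
};

// Decision made for each new localhost connection when access control is on.
bool grantLocalhostBypass(UserExistenceCache& cache, UserStore& store) {
    return !cache.usersExist(store);
}

// Opens n localhost connections and returns how many received the bypass.
int openConnections(UserExistenceCache& cache, UserStore& store, int n) {
    int bypassed = 0;
    for (int i = 0; i < n; ++i)
        if (grantLocalhostBypass(cache, store)) ++bypassed;
    return bypassed;
}

int main() {
    UserStore store;
    UserExistenceCache cache;
    int before = openConnections(cache, store, 3);    // no users defined yet
    store.hasUsers = true;                            // first user is created
    int after = openConnections(cache, store, 1000);  // latch set on first check
    std::printf("bypassed before=%d after=%d reads=%d\n", before, after, store.reads);
    return 0;
}
```

Caching the negative answer instead would keep granting the localhost exception after the first user is created, which is why this sketch latches in one direction only.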
| Comments |
| Comment by Githook User [ 09/Apr/15 ] |
|
Author: {u'username': u'stbrody', u'name': u'Spencer T Brody', u'email': u'spencer@mongodb.com'}Message: |
| Comment by Githook User [ 08/Apr/15 ] |
|
Author: {u'username': u'ramonfm', u'name': u'Ramon Fernandez', u'email': u'ramon.fernandez@mongodb.com'}Message: Revert " This reverts commit ebb1fd748b02c90453d2933430f3345edec9ee9c. |
| Comment by Githook User [ 08/Apr/15 ] |
|
Author: {u'username': u'stbrody', u'name': u'Spencer T Brody', u'email': u'spencer@mongodb.com'}Message: |
| Comment by Amalia Hawkins [ 03/Apr/15 ] |
|
schwerin, based on the outcome of |
| Comment by Andy Schwerin [ 03/Mar/15 ] |
|
spencer, I'm not inclined to backport this to the 3.0 branch. If you think there's a strong reason to backport it, please re-request backport and describe your reason in the comments.
| Comment by Githook User [ 26/Feb/15 ] |
|
Author: {u'username': u'stbrody', u'name': u'Spencer T Brody', u'email': u'spencer@mongodb.com'}Message: |
| Comment by Spencer Brody (Inactive) [ 27/Jan/15 ] |
|
It seems like checking for the presence of user docs every time a new connection is established could be contributing to replica set failovers in overloaded systems. Implementing this ticket will eliminate that behavior and should help reduce the spurious failovers. Thus bumping this to 3.1.0 and marking for backport to 3.0.x.