[SERVER-12236] Don't query admin.system.users on new localhost connections if the localhost auth bypass has been explicitly disabled Created: 02/Jan/14 Updated: 11/Jul/16 Resolved: 02/Jan/14 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 2.4.8, 2.5.4 |
| Fix Version/s: | 2.5.5 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Spencer Brody (Inactive) | Assignee: | Spencer Brody (Inactive) |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||
| Backwards Compatibility: | Fully Compatible | ||||||||
| Operating System: | ALL | ||||||||
| Participants: | |||||||||
| Description |
|
Currently, anytime an access-control enabled mongod or mongos receive a new connection from localhost, it must issue a query against admin.system.user to determine if there are any users defined in the system, and thus whether or not to grant the connection full access according to the localhost auth bypass. We do this reads on admin.system.users even if the user has explicitly opted-out of the localhost exception by using setParameter=enableLocalhostAuthBypass=0. It should be trivial to avoid this unnecessary read when the localhost exception is disabled. |
| Comments |
| Comment by Githook User [ 02/Jan/14 ] |
|
Author: {u'username': u'stbrody', u'name': u'Spencer T Brody', u'email': u'spencer@10gen.com'}Message: |