[SERVER-13850] Make sure user cache entry is up to date before using it to determine a user's roles in user management commands on mongos
Created: 06/May/14  Updated: 11/Jul/16  Resolved: 14/May/14

Status: Closed
Project: Core Server
Component/s: Security, Sharding
Affects Version/s: 2.6.1
Fix Version/s: 2.6.2, 2.7.1

Type: Bug
Priority: Major - P3
Reporter: Spencer Brody (Inactive)
Assignee: Spencer Brody (Inactive)
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL

 Description   
Issue Status as of May 14, 2014

ISSUE SUMMARY
When a grantRolesToUser or revokeRolesFromUser command is run on a mongos, the mongos does not check whether the entry in the user cache for that user is out of date. It can thus overwrite role changes that were made from another mongos.

USER IMPACT
In systems where users are administered via multiple mongos instances, some changes may not persist and may be overwritten. This can lead to users not having the correct permissions.

WORKAROUNDS
Modify users only via a single mongos if possible. If that is not an option, calling the invalidateUserCache command before making any role changes will minimize the risk of overwriting changes from another mongos (but not completely avoid it due to the existing race condition).

AFFECTED VERSIONS
Versions 2.6.0 and 2.6.1 were affected by this bug.

FIX VERSION
The patch is included in the 2.6.2 production release.

RESOLUTION DETAILS
mongos now ensures that the cache entry for a user document is up to date before updating a user.

Original description

Currently it is possible to get into a situation where a user's roles are changed on one mongos, then another mongos receives a grantRolesToUser command and $sets the user's roles to something based on out-of-date information about the existing roles the user has.
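
A simplified model of the race described above, as an added example that is not MongoDB's code or part of the original ticket: `UserStore`, `Router`, `refreshBeforeUpdate`, the user `alice` and the role sequence are all constructed for illustration. It shows a role revoked through one router reappearing when a second router writes from its stale cache, and the same sequence with the cache entry refreshed before the update.

```javascript
// Simplified model (constructed, not MongoDB source): one shared user store
// and two routers that each keep their own per-user role cache.
class UserStore {
  constructor() { this.users = new Map(); }
  read(name) { return [...(this.users.get(name) || [])]; }
  // Replaces the whole roles array, like a $set on the user document.
  setRoles(name, roles) { this.users.set(name, [...roles]); }
}

class Router {
  constructor(store, refreshBeforeUpdate) {
    this.store = store;
    this.refreshBeforeUpdate = refreshBeforeUpdate; // true models the fixed behaviour
    this.cache = new Map();
  }
  cachedRoles(name) {
    if (!this.cache.has(name)) this.cache.set(name, this.store.read(name));
    return this.cache.get(name);
  }
  currentRoles(name) {
    if (this.refreshBeforeUpdate) this.cache.delete(name); // force a re-read
    return this.cachedRoles(name);
  }
  grantRoles(name, roles) {
    const merged = [...new Set([...this.currentRoles(name), ...roles])];
    this.store.setRoles(name, merged);
    this.cache.set(name, merged);
  }
  revokeRoles(name, roles) {
    const kept = this.currentRoles(name).filter((r) => !roles.includes(r));
    this.store.setRoles(name, kept);
    this.cache.set(name, kept);
  }
}

// Scenario: a role is revoked via router A, then another is granted via router B.
function scenario(refreshBeforeUpdate) {
  const store = new UserStore();
  store.setRoles("alice", ["read", "dbAdmin"]); // constructed sample user
  const a = new Router(store, refreshBeforeUpdate);
  const b = new Router(store, refreshBeforeUpdate);
  b.cachedRoles("alice");              // B caches ["read", "dbAdmin"]
  a.revokeRoles("alice", ["dbAdmin"]); // store now holds ["read"]
  b.grantRoles("alice", ["backup"]);   // B merges into what it believes is current
  return store.read("alice").sort();
}

console.log("stale cache:", scenario(false)); // the revoked role is written back
console.log("refreshed:  ", scenario(true));  // the revocation survives
```

In this model the re-read and the write happen without interleaving, so it does not reproduce the residual race that the workaround section mentions for invalidateUserCache.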



 Comments   
Comment by Githook User [ 15/May/14 ]

Author: Spencer T Brody (stbrody) <spencer@mongodb.com>

Message: SERVER-13850 Make sure cache entry is up to date before using it to update a user
(cherry picked from commit 06033e18fb1fe66d00f130227317d9ae531bb6f5)
Branch: v2.6
https://github.com/mongodb/mongo/commit/a07574aaa71a1fcea8239257bffef929f2fd53b3

Comment by Githook User [ 14/May/14 ]

Author: Spencer T Brody (stbrody) <spencer@mongodb.com>

Message: SERVER-13850 Make sure cache entry is up to date before using it to update a user
Branch: master
https://github.com/mongodb/mongo/commit/06033e18fb1fe66d00f130227317d9ae531bb6f5
