[SERVER-47504] Prepopulate state for AuthzSessionExternalStateServerCommon::_checkShouldAllowLocalhost Created: 13/Apr/20  Updated: 29/Oct/23  Resolved: 30/Apr/20

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 4.7.0

Type: Task Priority: Major - P3
Reporter: Spencer Jackson Assignee: Sara Golemon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to SERVER-47515 Skip config validation if contents ha... Closed
Backwards Compatibility: Minor Change
Sprint: Security 2020-05-04
Participants:
Linked BF Score: 42

Description

AuthzSessionExternalStateServerCommon::_checkShouldAllowLocalhost is used to identify when the localhost auth bypass should be enabled. Running it will require taking storage locks, if the bypass hasn't previously been detected as having been disabled.
Normally authentication or authorization attempts as the internal cluster user will never take locks, because this user's User description is always cached in memory. However, the localhost auth bypass might need to be checked.

Instead of performing a disk access during command dispatch, we could perform this check in two parts.
1) On startup, check if users exist in `admin.system.users`. If yes, disable the localhost auth bypass.
2) In the AuthZN subsystem's OpObserver, record when an event which should invalidate the bypass occurs, and globally disable it.
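The two-part scheme above, as an added example that is not MongoDB's code: a cached atomic flag is populated by one storage read at startup and cleared by an observer hook when a user is inserted, so the per-command check never touches storage or takes locks. `UserStore`, `LocalhostBypassState` and `onUserInserted` are hypothetical names; the user store is a constructed stand-in for `admin.system.users`.

```cpp
#include <atomic>
#include <string>
#include <vector>

// Constructed stand-in for the admin.system.users collection. Every call to
// hasAnyUser() is counted as one storage access, which is the cost the ticket
// wants to keep off the command-dispatch path.
struct UserStore {
    std::vector<std::string> users;
    int storageReads = 0;

    bool hasAnyUser() {
        ++storageReads;
        return !users.empty();
    }
};

// Hypothetical cached state for the localhost auth bypass. It is populated
// once at startup (part 1 of the ticket) and cleared by an observer hook
// (part 2), so the per-command check is a lock-free atomic load.
class LocalhostBypassState {
public:
    explicit LocalhostBypassState(UserStore& store) : _store(store) {
        // Part 1: a single storage read at startup decides the initial state.
        _enabled.store(!_store.hasAnyUser(), std::memory_order_release);
    }

    // Part 2: the observer hook, called for a write that should invalidate
    // the bypass (here, inserting a user). The transition is one-way: once
    // disabled, the bypass stays disabled for the life of the process.
    void onUserInserted(const std::string& name) {
        _store.users.push_back(name);
        _enabled.store(false, std::memory_order_release);
    }

    // Hot path, called on every command dispatch: no locks, no storage.
    bool shouldAllowLocalhost() const {
        return _enabled.load(std::memory_order_acquire);
    }

private:
    UserStore& _store;
    std::atomic<bool> _enabled{false};
};

// Scenario helpers returning values a test can check.

// Fresh deployment with no users: the bypass is enabled after startup.
bool bypassEnabledOnFreshDeployment() {
    UserStore store;
    LocalhostBypassState state(store);
    return state.shouldAllowLocalhost();
}

// Existing deployment with a user already on disk: startup disables the bypass.
bool bypassDisabledWhenUsersExistAtStartup() {
    UserStore store;
    store.users.push_back("admin");
    LocalhostBypassState state(store);
    return !state.shouldAllowLocalhost();
}

// Creating the first user at runtime flips the flag without a restart.
bool bypassDisabledAfterFirstUserCreated() {
    UserStore store;
    LocalhostBypassState state(store);
    bool before = state.shouldAllowLocalhost();
    state.onUserInserted("admin");
    return before && !state.shouldAllowLocalhost();
}

// Storage reads incurred by `dispatches` bypass checks after startup.
// Startup costs exactly one read; dispatch costs none.
int storageReadsDuringDispatch(int dispatches) {
    UserStore store;
    LocalhostBypassState state(store);
    int readsAfterStartup = store.storageReads;
    for (int i = 0; i < dispatches; ++i) {
        (void)state.shouldAllowLocalhost();
    }
    return store.storageReads - readsAfterStartup;
}
```

The flag in this example only ever moves from enabled to disabled, matching the ticket's "globally disable it"; anything that should re-enable the bypass (for instance after all users are removed) would need its own explicit handling rather than a second storage probe on the dispatch path. Which writes count as invalidating events is a policy decision for the observer; this example reacts to a user insert only.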



Comments
Comment by Githook User [ 30/Apr/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-47504 Ensure auth db changes replicate to secondaries during test
Branch: master
https://github.com/mongodb/mongo/commit/e48de0023a5df4f752bd46facef8da51b0bc31f7

Comment by Githook User [ 30/Apr/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-47504 Trigger disable of localhost auth bypass more proactively
Branch: master
https://github.com/mongodb/mongo/commit/599fccf5b5f4e7836a2f7fa0a90586b8df84cb36

Generated at Thu Feb 08 05:14:22 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.