[SERVER-6620] Auth credentials should be invalidated when user is removed Created: 27/Jul/12 Updated: 28/Feb/22 Resolved: 15/Oct/13 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | 2.5.3 |
| Type: | Improvement | Priority: | Critical - P2 |
| Reporter: | xie zhenye | Assignee: | Spencer Brody (Inactive) |
| Resolution: | Done | Votes: | 1 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
all |
||
| Issue Links: |
|
||||||||||||||||||||||||||||||||
| Participants: | |||||||||||||||||||||||||||||||||
| Description |
|
When dropping a database, any users with privilege documents in that database's system.users collection should have those privileges revoked. Same is true for removing a user any other way. |
| Comments |
| Comment by Andy Schwerin [ 15/Oct/13 ] |
|
In 2.5.3 and later, users for all databases are stored in a single collection in the admin database. There is a new command to drop all users associated with a given database (such users may exist even if the same-named database no longer exists). However, modulo that, this is resolved in 2.5.3 by the already completed parts of the implementation of |
| Comment by xie zhenye [ 28/Jul/12 ] |
|
and anthor problem: while keeping connectiong, the user be deleted can still access the db and add user. |