[SERVER-6620] Auth credentials should be invalidated when user is removed Created: 27/Jul/12  Updated: 28/Feb/22  Resolved: 15/Oct/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 2.5.3

Type: Improvement Priority: Critical - P2
Reporter: xie zhenye Assignee: Spencer Brody (Inactive)
Resolution: Done Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: all

Issue Links:
Depends
depends on SERVER-8580 User defined roles Closed
Duplicate
is duplicated by SERVER-2079 Authenticated Connections do not get ... Closed
is duplicated by SERVER-13148 Authentication still holds after user... Closed
is duplicated by SERVER-8591 Revoke privileges for connections aut... Closed
is duplicated by SERVER-5582 Reset authentication info on active c... Closed
Related
Participants:

 Description   

When dropping a database, any users with privilege documents in that database's system.users collection should have those privileges revoked.

Same is true for removing a user any other way.



 Comments   
Comment by Andy Schwerin [ 15/Oct/13 ]

In 2.5.3 and later, users for all databases are stored in a single collection in the admin database. There is a new command to drop all users associated with a given database (such users may exist even if the same-named database no longer exists). However, modulo that, this is resolved in 2.5.3 by the already completed parts of the implementation of SERVER-8580. In sharded systems, there is a delay for propagation of user information, which defaults to 10 minutes but is coarsely user-configurable.

Comment by xie zhenye [ 28/Jul/12 ]

And another problem:

While keeping the connection open, the user that was deleted can still access the db and add a user.
