author | Spencer Jackson <spencer.jackson@mongodb.com> | 2019-12-30 19:49:26 +0000 |
---|---|---|
committer | evergreen <evergreen@mongodb.com> | 2019-12-30 19:49:26 +0000 |
commit | b3622d185c1441622602f2a609932b42f8fecd3d (patch) | |
tree | 5d1396543d0efc4ca220077c6f091e45617763a1 | |
parent | 271d73eb1b7acfb5ed601c3219a65dcbf06a1f27 (diff) | |
SERVER-44922 Prevent User acquisition from incrementing cache generation
(cherry picked from commit 47a605826a64d55ff23427deab6f29c5999d1103)
-rw-r--r-- | jstests/auth/mongos_cache_invalidation.js | 40 | ||||
-rw-r--r-- | src/mongo/db/auth/authorization_manager_impl.cpp | 1 |
2 files changed, 33 insertions, 8 deletions
diff --git a/jstests/auth/mongos_cache_invalidation.js b/jstests/auth/mongos_cache_invalidation.js index 0917cb68f36..b66bcb1fad4 100644 --- a/jstests/auth/mongos_cache_invalidation.js +++ b/jstests/auth/mongos_cache_invalidation.js @@ -23,7 +23,7 @@ var st = new ShardingTest({ other: {shardAsReplicaSet: false} }); -st.s1.getDB('admin').createUser({user: 'root', pwd: 'pwd', roles: ['root']}); +st.s1.getDB('admin').createUser({user: 'root', pwd: 'pwd', roles: ['__system']}); st.s1.getDB('admin').auth('root', 'pwd'); var res = st.s1.getDB('admin').runCommand({setParameter: 1, userCacheInvalidationIntervalSecs: 0}); @@ -53,12 +53,12 @@ st.s0.getDB('test').createUser({ }); st.s0.getDB('admin').logout(); -var db1 = st.s0.getDB('test'); -db1.auth('spencer', 'pwd'); -var db2 = st.s1.getDB('test'); -db2.auth('spencer', 'pwd'); -var db3 = st.s2.getDB('test'); -db3.auth('spencer', 'pwd'); +const db1 = st.s0.getDB('test'); +assert(db1.auth('spencer', 'pwd')); +const db2 = st.s1.getDB('test'); +assert(db2.auth('spencer', 'pwd')); +const db3 = st.s2.getDB('test'); +assert(db3.auth('spencer', 'pwd')); /** * At this point we have 3 handles to the "test" database, each of which are on connections to 
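Review bot: The switch of the admin user's role from 'root' to '__system' in the first hunk is not explained anywhere in the test, and '__system' is a much broader grant than a test normally needs, so a later reader may take it for an accident. Presumably it is needed because `_getUserCacheGeneration`, used by the new test further down, is an internal command that the root role is not allowed to run; if so, a comment above the createUser call such as `// __system (not root) is required to run the internal _getUserCacheGeneration command used below` would record that. The assert wrappers around the `auth()` calls in the second hunk are a good fix on their own, since a silently failed login could previously have let the later authorization-failure checks pass for the wrong reason.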
@@ -213,6 +213,32 @@ db3.auth('spencer', 'pwd'); assert.commandFailedWithCode(db3.foo.runCommand("collStats"), authzErrorCode); })(); +(function testStaticCacheGeneration() { + jsTestLog("Testing that cache generations stay static across config server authentication"); + const cfg1 = st.configRS.getPrimary().getDB('admin'); + assert(cfg1.auth('root', 'pwd')); + + // Create a previously unauthenticated user which is not in the authorization cached + assert.commandWorked( + cfg1.runCommand({createUser: "previouslyUncached", pwd: "pwd", roles: []})); + + const oldRes = assert.commandWorked(cfg1.runCommand({_getUserCacheGeneration: 1})); + + // Authenticate as the uncached user + cfg1.logout(); + assert(cfg1.auth("previouslyUncached", "pwd")); + cfg1.logout(); + assert(cfg1.auth('root', 'pwd')); + + const newRes = assert.commandWorked(cfg1.runCommand({_getUserCacheGeneration: 1})); + assert.eq(oldRes.cacheGeneration, + newRes.cacheGeneration, + "User cache generation supriously incremented on config servers"); + + // Put connection to config server back into default state before shutdown + cfg1.logout(); +})(); + st.stop(); print("SUCCESS Completed mongos_cache_invalidation.js"); diff --git a/src/mongo/db/auth/authorization_manager_impl.cpp b/src/mongo/db/auth/authorization_manager_impl.cpp index 91d0f8d22a9..7b32a1f5559 100644 --- a/src/mongo/db/auth/authorization_manager_impl.cpp +++ b/src/mongo/db/auth/authorization_manager_impl.cpp @@ -592,7 +592,6 @@ StatusWith<UserHandle> AuthorizationManagerImpl::acquireUser(OperationContext* o if (_version == schemaVersionInvalid) _version = authzVersion; ret = _userCache.insertOrAssignAndGet(userName, std::move(user)); - _updateCacheGeneration_inlock(guard); } else { // If the cache generation changed while this thread was in fetch mode, the data // associated with the user may now be invalid, so we must mark it as such. The caller |
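Review bot: The assertion message in the new testStaticCacheGeneration block misspells "spuriously" as `supriously`, and the comment above the createUser call says "not in the authorization cached" where "cache" is meant; since the message is what appears in a failure log, it is worth correcting to `"User cache generation spuriously incremented on config servers"`. The new check only exercises the config server primary, while the C++ change is in the shared acquireUser path; if mongos accepts the same command, running the same before/after comparison against one of the mongos connections would cover the other role the commit title targets — something to confirm rather than a defect.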
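Review bot: The removed `_updateCacheGeneration_inlock(guard)` leaves the insert path of acquireUser with no comment saying why caching a newly fetched user must not bump the generation, which is exactly the kind of line a later maintainer might put back as a "safety" measure. A why-comment after the insertOrAssignAndGet line, e.g. `// Caching a freshly fetched user is not an invalidation event; bumping the generation here would make concurrent acquirers in fetch mode (see the else branch) discard users that are still valid.`, would capture the reasoning the commit title only hints at. Because the generation counter is the signal that tells other threads to drop authorization data, it is worth double-checking that the explicit user/role mutation paths still increment it — the new jstest pins only the no-increment case. acquireUser begins and ends outside this hunk.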