authorSpencer T Brody <spencer@10gen.com>2013-07-23 17:36:06 -0400
committerSpencer T Brody <spencer@10gen.com>2013-07-30 17:50:33 -0400
commit30817e8bec4fcebf9b2fa0e272ce0a37b9b3862f (patch)
treeedce8dfc4b21cb5b98cf3d167753cca9d89cde22 /src
parent6211f4436abfff2fe1154302fa352b104464120e (diff)
SERVER-9518 Use User cache to get credential information for authentication check
Diffstat (limited to 'src')
-rw-r--r--src/mongo/db/auth/authorization_manager.cpp3
-rw-r--r--src/mongo/db/auth/authorization_manager.h5
-rw-r--r--src/mongo/db/auth/user.cpp4
-rw-r--r--src/mongo/db/auth/user.h5
-rw-r--r--src/mongo/db/commands/authentication_commands.cpp9
5 files changed, 18 insertions, 8 deletions
diff --git a/src/mongo/db/auth/authorization_manager.cpp b/src/mongo/db/auth/authorization_manager.cpp
index b2ca9dceb41..d826579eaf2 100644
--- a/src/mongo/db/auth/authorization_manager.cpp
+++ b/src/mongo/db/auth/authorization_manager.cpp
@@ -655,6 +655,7 @@ namespace {
unordered_map<UserName, User*>::iterator it = _userCache.find(userName);
if (it != _userCache.end()) {
fassert(16914, it->second);
+ fassert(17003, it->second->isValid());
it->second->incrementRefCount();
*acquiredUser = it->second;
return Status::OK();
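Review bot: The added `fassert(17003, it->second->isValid());` makes an invalidated entry in `_userCache` a process abort, yet the header comment changed in this same commit says the returned User "may be invalid by the time the caller gets access to it", so the boundary between "never invalid while cached" and "may become invalid after hand-out" is left implicit. If the invalidation path always erases the cache entry under the same lock this lookup holds, the assert is a genuine invariant and deserves a comment stating it; if invalidation can run concurrently with this lookup, the assert can fire under normal operation and the stale entry should instead be erased and the fall-through reload taken. I would add above the assert `// Invariant: invalidating a User must remove it from _userCache first, so a cached entry is never invalid; a failure here is a bug, not a stale read.` once that invariant is confirmed. The enclosing function starts before this hunk, so the locking in effect is not visible here.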
@@ -870,7 +871,7 @@ namespace {
if (source == dbname || source == "$external") {
status = _initializeUserCredentialsFromPrivilegeDocument(user,
- privDoc);
+ privDoc);
if (!status.isOK()) {
return status;
}
diff --git a/src/mongo/db/auth/authorization_manager.h b/src/mongo/db/auth/authorization_manager.h
index 0095926701f..80e298f81f6 100644
--- a/src/mongo/db/auth/authorization_manager.h
+++ b/src/mongo/db/auth/authorization_manager.h
@@ -127,11 +127,12 @@ namespace mongo {
ActionSet getAllUserActions() const;
/**
- * Returns the User object for the given userName in the out param "acquiredUser".
+ * Returns the User object for the given userName in the out parameter "acquiredUser".
* If the user cache already has a user object for this user, it increments the refcount
* on that object and gives out a pointer to it. If no user object for this user name
* exists yet in the cache, reads the user's privilege document from disk, builds up
- * a User object, sets the refcount to 1, and gives that out.
+ * a User object, sets the refcount to 1, and gives that out. The returned user may
+ * be invalid by the time the caller gets access to it.
* The AuthorizationManager retains ownership of the returned User object.
* On non-OK Status return values, acquiredUser will not be modified.
*/
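Review bot: The new sentence "The returned user may be invalid by the time the caller gets access to it" warns callers but does not tell them what to do about it, and the comment still says nothing about who must call `releaseUser()`; the caller added in authentication_commands.cpp in this commit releases explicitly right after copying the password, which is the pattern the contract should spell out. I would extend the doc block with ` * Callers must pair every successful call with releaseUser() on all paths, and should check isValid() on the returned object before relying on its credentials or roles, since invalidation may race with the acquisition.`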
diff --git a/src/mongo/db/auth/user.cpp b/src/mongo/db/auth/user.cpp
index c54f7215fe7..f9a1f86014f 100644
--- a/src/mongo/db/auth/user.cpp
+++ b/src/mongo/db/auth/user.cpp
@@ -37,6 +37,10 @@ namespace mongo {
return RoleNameIterator(new RoleNameSetIterator(_roles.begin(), _roles.end()));
}
+ const User::CredentialData& User::getCredentials() const {
+ return _credentials;
+ }
+
bool User::isValid() const {
return _isValid.loadRelaxed() == 1;
}
diff --git a/src/mongo/db/auth/user.h b/src/mongo/db/auth/user.h
index 3795e3f4c6d..0e164797d33 100644
--- a/src/mongo/db/auth/user.h
+++ b/src/mongo/db/auth/user.h
@@ -63,6 +63,11 @@ namespace mongo {
const RoleNameIterator getRoles() const;
/**
+ * Returns the CredentialData for this user.
+ */
+ const CredentialData& getCredentials() const;
+
+ /**
* Gets the set of actions this user is allowed to perform on the given resource.
*/
const ActionSet getActionsForResource(const std::string& resource) const;
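Review bot: `getCredentials()` returns a `const CredentialData&` into a cache-owned, refcounted object, but its doc comment says nothing about lifetime: the reference is only usable while the caller still holds the User obtained from `AuthorizationManager::acquireUser()`, and it dangles once `releaseUser()` is called or the manager drops the object. Since CredentialData carries the password hash (authentication_commands.cpp reads `.password` from it in this commit), the comment should also steer callers to copy the field they need rather than retain the reference; the definition in user.cpp (the preceding hunk) is the other place this applies. I would replace the one-line comment with `/** Returns this user's CredentialData. The reference is valid only while the caller holds the User acquired via AuthorizationManager::acquireUser(); copy any field needed before calling releaseUser(). */`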
diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
index e05f0136e95..5b83a560924 100644
--- a/src/mongo/db/commands/authentication_commands.cpp
+++ b/src/mongo/db/commands/authentication_commands.cpp
@@ -195,17 +195,16 @@ namespace mongo {
}
}
- BSONObj userObj;
- string pwd;
- Status status = getGlobalAuthorizationManager()->getPrivilegeDocument(
- user.getDB().toString(), user, &userObj);
+ User* userObj;
+ Status status = getGlobalAuthorizationManager()->acquireUser(user, &userObj);
if (!status.isOK()) {
// Failure to find the privilege document indicates no-such-user, a fact that we do not
// wish to reveal to the client. So, we return AuthenticationFailed rather than passing
// through the returned status.
return Status(ErrorCodes::AuthenticationFailed, status.toString());
}
- pwd = userObj["pwd"].String();
+ string pwd = userObj->getCredentials().password;
+ getGlobalAuthorizationManager()->releaseUser(userObj);
md5digest d;
{