`AuthzSessionExternalStateServerCommon::_checkShouldAllowLocalhost` is used to identify when the localhost auth bypass should be enabled. Running it requires taking storage locks unless the bypass has already been detected as disabled.
Normally authentication or authorization attempts as the internal cluster user will never take locks, because this user's User description is always cached in memory. However, the localhost auth bypass might need to be checked.
Instead of performing a disk access during command dispatch, we could perform this check in two parts.
1) On startup, check if users exist in `admin.system.users`. If yes, disable the localhost auth bypass.
2) In the AuthZN subsystem's OpObserver, record when an event which should invalidate the bypass occurs, and globally disable it.
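
A minimal model of the two-part check proposed above, as an added example and not MongoDB server code. The class and method names are hypothetical, and it assumes that an insert into `admin.system.users` is the invalidating event and that the bypass stays off once disabled.

```cpp
#include <atomic>
#include <cstddef>
#include <string>

// Hypothetical model of the proposal; none of these names are MongoDB's.
class LocalhostBypassLatch {
public:
    // Part 1: called once at startup with the number of documents found in
    // admin.system.users. This is the only step that consults storage.
    void initAtStartup(std::size_t userDocCount) {
        if (userDocCount > 0) {
            _disabled.store(true, std::memory_order_release);
        }
        _initialized.store(true, std::memory_order_release);
    }

    // Part 2: called from the write-observer hook for each insert.
    // Assumption: an insert into admin.system.users invalidates the bypass.
    void onInsert(const std::string& ns) {
        if (ns == kUsersNs) {
            _disabled.store(true, std::memory_order_release);
        }
    }

    // Command-dispatch path: two atomic loads, no locks, no disk access.
    // Fails closed until the startup check has run, and stays off once any
    // invalidating event has been seen, whichever of the two ran first.
    bool allowsBypass(bool clientIsLocalhost) const {
        return clientIsLocalhost &&
               _initialized.load(std::memory_order_acquire) &&
               !_disabled.load(std::memory_order_acquire);
    }

private:
    static constexpr const char* kUsersNs = "admin.system.users";
    std::atomic<bool> _initialized{false};
    std::atomic<bool> _disabled{false};
};
```

Keeping "initialized" and "disabled" as separate flags means a user insert observed before the startup scan finishes cannot be overwritten by a stale "no users found" result.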
- is related to SERVER-47515 Skip config validation if contents have not changed to avoid isSelf call during reconfig on step up (Closed)