Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-89067

Invalidate all user requests matching a user name

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 7.0.9, 8.1.0-rc0, 8.0.0-rc1, 7.3.2
    • Affects Version/s: None
    • Component/s: None
    • None
    • Server Security
    • Fully Compatible
    • ALL
    • v8.0, v7.3, v7.0
    • Security 2024-04-15

      AuthorizationManagerImpl::invalidateUserByName constructs a new UserRequest from a username with empty roles and invalidates the cache entry mapping that key. The constructed request has an empty roles field since this method is only expected to be invoked for internal users who should not have already had roles when injected into the cache. As a result, an empty UserRequest object with nothing besides a name is expected to be sufficient to invalidate any entries corresponding to that username.

      This is not always correct. Some entries in the cache have UserRequests that contain a mechanismData field. This field is used when creating the hash of the object, so two UserRequests with the same username but different mechanismData fields can correspond to different entries on the cache. 

      Therefore, it's not safe to assume that we can just construct a UserRequest object here. Instead, we should invalidate all entries with UserRequests wrapping the provided UserName.

            Assignee:
            sara.golemon@mongodb.com Sara Golemon
            Reporter:
            varun.ravichandran@mongodb.com Varun Ravichandran
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: