-
Type: Bug
-
Resolution: Fixed
-
Priority: Major - P3
-
Affects Version/s: None
-
Component/s: Security
-
None
-
Query Optimization
-
Fully Compatible
-
ALL
-
v8.0
-
QO 2024-07-08
-
200
There is a data race in the AuthorizationManagerImpl::_authEnabled flag whenÂ
UnauthorizedSessionIsCoauthorizedWithAnybodyWhenAuthIsDisabled and AuthorizedSessionIsCoauthorizedNobodyWhenAuthIsDisabled call authzManager->setAuthEnabled(false) outside of initialization time. At the same time, the JournalFlusher thread is reading its value through isAuthEnabled().
This is an unintended use of _authEnabled, which currently allows unsynchronized accesses because it's only expected to be set once at initialization time. To allow these unit tests (and future tests) to safely reset its value, _authEnabled should be made an atomic.