Operational Defect Database


MongoDB | 2634681

Invalidate all user requests matching a user name

Last update date:

4/9/2024

Affected products:

MongoDB Server

Affected releases:

No affected releases provided.

Fixed releases:

8.1.0-rc0

Description:


AuthorizationManagerImpl::invalidateUserByName constructs a new UserRequest from a username with empty roles and invalidates the cache entry keyed by that request. The constructed request has an empty roles field because this method is only expected to be invoked for internal users, who should not have had roles when they were injected into the cache. As a result, a UserRequest object carrying nothing but a name is expected to be sufficient to invalidate any entries corresponding to that username. This is not always correct. Some entries in the cache have UserRequests that contain a mechanismData field. That field is used when computing the hash of the object, so two UserRequests with the same username but different mechanismData values can correspond to different entries in the cache. Therefore, it is not safe to assume that constructing a UserRequest object here matches every entry for the user. Instead, we should invalidate all entries whose UserRequest wraps the provided UserName.
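As an added illustration (not code from MongoDB or from this ticket), the following constructed C++ model shows why a key built from the name alone misses entries whose key carries mechanismData, and what matching on the wrapped name fixes; UserRequest, UserRequestHash, invalidateByConstructedKey, invalidateAllMatchingName and sampleCache are assumed names, and the key fields are simplified stand-ins.

```cpp
#include <functional>
#include <set>
#include <string>
#include <unordered_map>

// Constructed model of the cache key described above (not MongoDB's real
// UserRequest): name and mechanismData both take part in hashing and
// equality, so one user name can own several distinct cache entries.
struct UserRequest {
    std::string name;
    std::set<std::string> roles;   // empty for internal users, as in the ticket
    std::string mechanismData;     // mechanism-specific data, part of the key
    bool operator==(const UserRequest& o) const {
        return name == o.name && mechanismData == o.mechanismData;
    }
};
struct UserRequestHash {
    size_t operator()(const UserRequest& r) const {
        std::hash<std::string> h;
        return h(r.name) ^ (h(r.mechanismData) << 1);
    }
};
// Maps a request key to the cached user object (a string stand-in here).
using UserCache = std::unordered_map<UserRequest, std::string, UserRequestHash>;

// Pre-fix behaviour: build a key from the name alone and erase only that key.
// Any entry whose key carries mechanismData survives as a stale entry.
size_t invalidateByConstructedKey(UserCache& cache, const std::string& name) {
    return cache.erase(UserRequest{name, {}, ""});
}

// Corrected behaviour: remove every entry whose key wraps the given name,
// whatever its roles or mechanismData. Returns the number removed.
size_t invalidateAllMatchingName(UserCache& cache, const std::string& name) {
    size_t removed = 0;
    for (auto it = cache.begin(); it != cache.end();) {
        if (it->first.name == name) { it = cache.erase(it); ++removed; }
        else ++it;
    }
    return removed;
}

// Constructed sample: two entries for one internal user, one for another.
UserCache sampleCache() {
    UserCache c;
    c.emplace(UserRequest{"__system", {}, ""}, "user-obj-1");
    c.emplace(UserRequest{"__system", {}, "mech-data-1"}, "user-obj-2");
    c.emplace(UserRequest{"alice", {}, ""}, "user-obj-3");
    return c;
}
```

Running the two invalidation paths against sampleCache shows the first leaving the mechanismData entry for "__system" in place while the second removes both of that user's entries and nothing else.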

Top User Comments

xgen-internal-githook commented on Tue, 9 Apr 2024 04:07:43 +0000:

Author: {'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon-corp'}
Message: SERVER-89067 Broaden match criteria for AuthorizationManager::invalidateUserByName() (cherry picked from commit a218496adad5eb1d0ac222645f8d74bd1829715f)
GitOrigin-RevId: 97400d196a2aeb76ae545e8907c1fbe120d620fa
Branch: v8.0
https://github.com/mongodb/mongo/commit/6f703ce4f84f0b9f276627c258d040c5e28ecb5b

xgen-internal-githook commented on Tue, 9 Apr 2024 01:56:35 +0000:

Author: {'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon-corp'}
Message: SERVER-89067 Broaden match criteria for AuthorizationManager::invalidateUserByName()
GitOrigin-RevId: a218496adad5eb1d0ac222645f8d74bd1829715f
Branch: master
https://github.com/mongodb/mongo/commit/dbcce434459a2c348f03b5cb76583671a7844e60


Status

Closed
