DOCS-2358 drop role behaviors

Signed-off-by: Sam Kleinman <samk@10gen.com>
commit fce42b3b177d2ab11d9c791b53732fd88bd5c183 1 parent aede86c
@bgrabar bgrabar authored tychoish committed
8 config/htaccess-next.yaml
@@ -1108,4 +1108,12 @@ code: 303
outputs:
- 'manual'
- 'before-v2.4'
+---
+redirect-path: '/reference/command/invalidateUserCache'
+url-base: '/reference/security'
+type: 'redirect'
+code: 303
+outputs:
+ - 'manual'
+ - 'before-v2.4'
...
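Review bot: The new redirect lists 'manual' under outputs as well as 'before-v2.4', and this same commit adds source/reference/command/invalidateUserCache.txt. If the 'manual' output applies to the current manual build, the 303 to '/reference/security' would send readers away from the page being added. Please confirm whether outputs should be limited to 'before-v2.4' for this entry.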
18 source/includes/behavior-drop-role.rst
@@ -0,0 +1,18 @@
+When you drop a role, users authenticated with the role lose the role's
+privileges but remain logged in. They continue to have privileges from other
+roles.
+
+If a user is authenticated with the role on a :program:`mongod`, the user
+loses the role's privileges immediately. If the user is authenticated on a
+:program:`mongos`, the user loses access when the user cache refreshes,
+which occurs either automatically through the
+:parameter:`userCacheInvalidationIntervalSecs` parameter or manually through
+the :dbcommand:`invalidateUserCache` command. The user loses access
+immediately on the :program:`mongos` used to make the change.
+The default
+setting for the :parameter:`userCacheInvalidationIntervalSecs` parameter
+is 600 seconds (i.e., 10 minutes).
+
+When you drop a role, MongoDB first revokes the role from all users that
+currently have it, then revokes it from other roles, and finally removes
+the role definition itself from the database.
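Review bot: In the second paragraph the wording shifts from "loses the role's privileges" to "loses access", which conflicts with the first paragraph's statement that users remain logged in and keep privileges from other roles. Suggest using "loses the role's privileges" throughout. It would also help to state outright that on mongos instances other than the one used to make the change, the dropped role's privileges can remain usable for up to the 600-second default unless invalidateUserCache is run, since that window is the security-relevant part of this behavior.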
1  source/includes/list-set-parameters-mongos.rst
@@ -7,5 +7,6 @@
- :parameter:`supportCompatibilityFormPrivilegeDocuments`
- :parameter:`syncdelay`
- :parameter:`textSearchEnabled`
+- :parameter:`userCacheInvalidationIntervalSecs`
.. - :parameter:`releaseConnectionsAfterResponse`
4 source/includes/ref-toc-command-role-management.yaml
@@ -33,4 +33,8 @@ description: "Removes specified inherited roles from a user-defined role."
name: :dbcommand:`rolesInfo`
file: /reference/command/rolesInfo
description: "Returns information for the specified role or roles."
+---
+:dbcommand:`invalidateUserCache`
+file: /reference/command/invalidateUserCache
+description: "Purges the in-memory cache of user information, including credentials and roles."
...
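Review bot: The added entry starts with a bare :dbcommand:`invalidateUserCache` line, while the entry above it uses name: :dbcommand:`rolesInfo`. Without the name: key this entry does not match the key/value shape of its siblings; change the line to name: :dbcommand:`invalidateUserCache`. Also consider whether the role-management table is the right home for a command that purges cached credentials as well as roles.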
30 source/reference/command/invalidateUserCache.txt
@@ -0,0 +1,30 @@
+===================
+invalidateUserCache
+===================
+
+.. default-domain:: mongodb
+
+Definition
+----------
+
+.. dbcommand:: invalidateUserCache
+
+ .. versionadded:: 2.6
+
+ Flushes user information from in-memory cache, including removal of each user's
+ credentials and roles. This allows you to purge the cache
+ at any given moment, regardless of the
+ interval set in the :parameter:`userCacheInvalidationIntervalSecs` parameter.
+
+ :dbcommand:`invalidateUserCache` has the following syntax:
+
+ .. code-block:: javascript
+
+ db.runCommand( { invalidateUserCache: 1 } )
+
+Required Access
+---------------
+
+You must have privileges that include the
+:authaction:`invalidateUserCache` action on the cluster resource in order
+to use this command.
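Review bot: The definition does not say where the cache lives or where to run the command. The parameters.txt change in this commit describes the cache as belonging to a mongos instance, so say that here too. The phrase "including removal of each user's credentials and roles" can also be read as deleting the users' credentials; reword it to make clear that only the cached copies are discarded.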
1  source/reference/command/setParameter.txt
@@ -30,5 +30,6 @@ setParameter
- :parameter:`textSearchEnabled`
- :parameter:`sslMode`
- :parameter:`clusterAuthMode`
+ - :parameter:`userCacheInvalidationIntervalSecs`
.. slave-ok, admin-only
10 source/reference/configuration-options.txt
@@ -744,6 +744,16 @@ Settings
of an index build. When you specify :option:`--noIndexBuildRetry`,
:program:`mongod` will not attempt to rebuild the index.
+.. setting:: userCacheInvalidationIntervalSecs
+
+ .. versionadded:: 2.6
+
+ *Default:* 600
+
+ Specifies the time interval in seconds before MongoDB purges
+ the in-memory cache of user information, which includes each user's
+ credentials and roles.
+
Replication Options
~~~~~~~~~~~~~~~~~~~
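Review bot: The setting description says "MongoDB purges the in-memory cache" with no mention of mongos, while the parameters.txt entry added in this commit scopes the same value to a mongos instance. Align the two descriptions so readers do not assume the interval also governs mongod, or state explicitly what the setting does there.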
17 source/reference/parameters.txt
@@ -1,6 +1,6 @@
-=====================
-``mongod`` Parameters
-=====================
+=========================
+MongoDB Server Parameters
+=========================
.. default-domain:: mongodb
@@ -412,3 +412,14 @@ Parameters
.. code-block:: sh
mongod --setParameter newCollectionsUsePowerOf2Sizes=false
+
+.. parameter:: userCacheInvalidationIntervalSecs
+
+ .. versionadded:: 2.6
+
+ *Default*: 600.
+
+ On a :program:`mongos` instance, this specifies the amount of time in
+ seconds to allow before the
+ :program:`mongos` instance purges the in-memory cache of user objects.
+ The cache includes the users' credentials and roles.
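Review bot: "*Default*: 600." differs from the "*Default:* 600" form used for the matching setting in configuration-options.txt in this commit (colon placement and trailing period); pick one form. The entry would also benefit from a pointer to :dbcommand:`invalidateUserCache` as the way to purge the cache before the interval elapses, which behavior-drop-role.rst already mentions.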