SERVER-12235 Cache whether any users exist for checking whether the l…

…ocalhost exception should be in effect
mongodb · Feb 26, 2015 · 85d2238 · 85d2238
1 parent 6769eca
commit 85d2238
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 4 deletions.
diff --git a/src/mongo/db/auth/authorization_manager.cpp b/src/mongo/db/auth/authorization_manager.cpp
@@ -254,6 +254,7 @@ namespace mongo {
 
     AuthorizationManager::AuthorizationManager(AuthzManagerExternalState* externalState) :
             _authEnabled(false),
+            _privilegeDocsExist(false),
             _externalState(externalState),
             _version(schemaVersionInvalid),
             _isFetchPhaseBusy(false) {
@@ -305,8 +306,22 @@ namespace mongo {
         return _authEnabled;
     }
 
-    bool AuthorizationManager::hasAnyPrivilegeDocuments(OperationContext* txn) const {
-        return _externalState->hasAnyPrivilegeDocuments(txn);
+    bool AuthorizationManager::hasAnyPrivilegeDocuments(OperationContext* txn) {
+        boost::unique_lock<boost::mutex> lk(_privilegeDocsExistMutex);
+        if (_privilegeDocsExist) {
+            // If we know that a user exists, don't re-check.
+            return true;
+        }
+
+        lk.unlock();
+        bool privDocsExist = _externalState->hasAnyPrivilegeDocuments(txn);
+        lk.lock();
+
+        if (privDocsExist) {
+            _privilegeDocsExist = true;
+        }
+
+        return _privilegeDocsExist;
     }
 
     Status AuthorizationManager::writeAuthSchemaVersionIfNeeded(OperationContext* txn,

diff --git a/src/mongo/db/auth/authorization_manager.h b/src/mongo/db/auth/authorization_manager.h
@@ -179,8 +179,15 @@ namespace mongo {
          */
         OID getCacheGeneration();
 
-        // Returns true if there exists at least one privilege document in the system.
-        bool hasAnyPrivilegeDocuments(OperationContext* txn) const;
+        /**
+         * Returns true if there exists at least one privilege document in the system.
+         * Used by the AuthorizationSession to determine whether localhost connections should be
+         * granted special access to bootstrap the system.
+         * NOTE: If this method ever returns true, the result is cached in _privilegeDocsExist,
+         * meaning that once this method returns true it will continue to return true for the
+         * lifetime of this process, even if all users are subsequently dropped from the system.
+         */
+        bool hasAnyPrivilegeDocuments(OperationContext* txn);
 
         /**
          * Updates the auth schema version document to reflect the current state of the system.
@@ -478,6 +485,14 @@ namespace mongo {
          */
         bool _authEnabled;
 
+        /**
+         * A cache of whether there are any users set up for the cluster.
+         */
+        bool _privilegeDocsExist;
+
+        // Protects _privilegeDocsExist
+        mutable boost::mutex _privilegeDocsExistMutex;
+
         boost::scoped_ptr<AuthzManagerExternalState> _externalState;
 
         /**