-
Type: Task
-
Resolution: Done
-
Priority: Major - P3
-
Affects Version/s: None
-
Labels:None
Description
Cloud:
Automation agent can sometimes perform raw inserts and updates to admin.system.users. These are probably not being audited currently, and they will be after present change. It might be nice to get the agent to use createUser/updateUser to get clearer audit log entries, and allow server to evolve the document format without breaking Automation, or preventing automation from taking advantage of new functionality.
Docs:
this change introduces new type of audit: directAuthMutation . Please see following file for all payloads it could emit:
jstests/audit/crud-user-role-direct.js
Description of Linked Ticket
We should consider moving the audit hooks from the User Management Commands to the AuthOpObserver, which would invoke them solely on primaries. When a primary performs a write to these system collections, either as a part of a User Management Command or as part of a CRUD operation, the hook will check whether the generated oplog event implies that an authorization audit event should be recorded. If yes and the current node is a primary, it will invoke the audit hook. Because primaries invoke OpObserves in the catalog layer while clients perform operations, the active OperationContext will contain the client's authentication and authorization state.
Scope of changes
Impact to Other Docs
MVP (Work and Date)
Resources (Scope or Design Docs, Invision, etc.)
- documents
-
SERVER-53962 Move UMC audit hooks to OpObservers
- Closed