Details
Bug
Resolution: Done
Major - P3
ALL
Description
The spec for auditing authCheck says that the message will be one of the
following:
Access granted for <command/args> [on <ns>].
Access denied for <command/args> [on <ns>].
For DENIED access, we have the minor problem that the "on <ns>" and "for <command>" are reversed in the log file. (The exotic characters in database and collection name are being used to check wide-character support.)
2013-10-25T13:01:20.861-0400 user2@db1 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Access denied on dbЖ7.cӜ8 for { insert: "cӜ8", documents: [ { _id: ObjectId('526aa3e068ead9114ea98ade'), field: true, feild: false, feeld: false, fiild: false } ] }.
For GRANTED access, we have the larger problem that no message is logged at
all. Here's the full set of logging messages for this test case.
2013-10-25T13:01:20.865-0400 admin@admin 127.0.0.1:59095/127.0.0.1:27017 000000000000000000000000.0 Created user userאب12@dbא10 with password without customData, with the following roles: readWrite@dbא10.
2013-10-25T13:01:20.866-0400 user2@db1,userאب12@dbא10 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Authentication succeeded for userאب12@dbא10 using mechanism MONGODB-CR.
2013-10-25T13:01:20.867-0400 user2@db1,userאب12@dbא10 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Created collection dbא10.cب11.
2013-10-25T13:01:20.882-0400 user2@db1,userאب12@dbא10 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Created collection dbא10.system.namespaces.
2013-10-25T13:01:20.898-0400 user2@db1,userאب12@dbא10 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Created collection dbא10.system.indexes.
2013-10-25T13:01:20.898-0400 user2@db1,userאب12@dbא10 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Created index _id_ on dbא10.cب11 as 0x7f96c4c475b0.
2013-10-25T13:01:20.898-0400 user2@db1,userאب12@dbא10 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Created database dbא10.
The actions being run here are:
1. Create a user user12 on a new database db10
2. Log in as user12
3. Insert a record.
In the audit log, we see the user creation (1), the login (2), and the various
creations that come from making a new collection in a new database. But no
"Access granted" message.
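An added example, not part of the original report or MongoDB's code: a small checker for audit lines in the layout shown above that accepts both the spec's message form and the reversed form reported here, flags the latter, and tallies granted and denied events. The sample lines are constructed (ASCII names; the final "Access granted" line is what the spec calls for, not something the server logged), and the function names are hypothetical.

```python
import re

# Message shape given in the authCheck audit spec quoted in the report.
SPEC = re.compile(r"^Access (?P<outcome>granted|denied) for (?P<cmd>.+?)(?: on (?P<ns>\S+))?\.$")
# Shape observed for denied access in the report ("on <ns>" comes first).
REVERSED = re.compile(r"^Access (?P<outcome>granted|denied) on (?P<ns>\S+) for (?P<cmd>.+)\.$")

# Constructed sample; layout: <timestamp> <users> <remote>/<local> <id> <message>
SAMPLE = """\
2013-10-25T13:01:20.861-0400 user2@db1 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Access denied on db7.c8 for { insert: "c8", documents: [ { _id: 1 } ] }.
2013-10-25T13:01:20.866-0400 user2@db1,user12@db10 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Authentication succeeded for user12@db10 using mechanism MONGODB-CR.
2013-10-25T13:01:20.867-0400 user2@db1,user12@db10 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Created collection db10.c11.
2013-10-25T13:01:20.900-0400 user2@db1,user12@db10 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Access granted for { insert: "c11", documents: [ { _id: 2 } ] } on db10.c11.
"""

def parse_line(line):
    """Split one audit line into its header fields and free-text message."""
    ts, users, hosts, op_id, message = line.split(" ", 4)
    remote, local = hosts.split("/")
    return {"ts": ts, "users": users.split(","), "remote": remote,
            "local": local, "message": message}

def classify(message):
    """Return (form, outcome, ns, cmd) for authCheck messages, else None."""
    for form, rx in (("spec", SPEC), ("reversed", REVERSED)):
        m = rx.match(message)
        if m:
            return form, m["outcome"], m["ns"], m["cmd"]
    if message.startswith("Access "):
        return "unparsed", None, None, None  # authCheck-like but matches neither form
    return None

def audit(text):
    """Tally authCheck events and collect lines that deviate from the spec."""
    report = {"granted": 0, "denied": 0, "nonconforming": []}
    for line in filter(None, text.splitlines()):
        rec = parse_line(line)
        hit = classify(rec["message"])
        if hit is None:
            continue  # not an authCheck message
        form, outcome, ns, cmd = hit
        if outcome:
            report[outcome] += 1
        if form != "spec":
            report["nonconforming"].append((rec["ts"], form, ns))
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A parser written only to the spec pattern would skip the reversed denied line entirely, so a denied-access count built on it would read zero for that line.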
Issue Links
- related to SERVER-11386 authCheck documentation should reflect reality (Closed)