Core Server: SERVER-11474

No auditing done by grantRolesToUser or revokeRolesFromUser


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Blocker - P1
    • Version: 2.5.4
    • Operating System: ALL

    Steps To Reproduce

      A specific test case, done by hand. First start a mongod with authentication and a text-format audit log enabled, like this:

      #!/bin/bash
      # prints the shell command that the session below runs to create the admin user
      echo 'db.addUser({user:"uu", pwd:"pp", roles:["userAdminAnyDatabase", "clusterAdmin", "readWriteAnyDatabase", "dbAdminAnyDatabase"]})'

      # start from an empty dbpath
      rm -rf /tmp/mongoda
      mkdir /tmp/mongoda

      # --auth requires clients to authenticate; --auditLog textfile writes a text-format audit log to --auditPath
      mongod --port 27017 --logpath /tmp/mongoda/mongo.log --logappend --auditLog textfile --auth --auditPath /tmp/mongoda/audit.log --dbpath /tmp/mongoda --smallfiles --nopreallocj


      Then, in a mongo shell connected to it, create a user and revoke all of its roles like this:

      // create the admin user and authenticate as it
      admindb = db.getMongo().getDB('admin')
      admindb.addUser({user:"uu", pwd:"pp", roles:["userAdminAnyDatabase", "clusterAdmin", "readWriteAnyDatabase", "dbAdminAnyDatabase"]})
      admindb.auth("uu","pp")

      // create a user in database oink with three roles, then revoke all three
      oinkdb = db.getMongo().getDB('oink')
      oinkdb.addUser({user:"oo", pwd:"pp", roles:["userAdmin", "readWrite", "dbAdmin"]})
      oinkdb.runCommand({revokeRolesFromUser: "oo", roles: ["userAdmin", "readWrite", "dbAdmin"]})

      // dump admin.system.users: oo should now have an empty roles array
      admindb = db.getMongo().getDB('admin')
      print("Here comes output")
      admindb.system.users.find().forEach(printjson)

      Now look at the tail of the audit log file: the creation of user oo is
      recorded, but the revocation of its roles is not.

      2013-10-30T11:42:39.951-0400 127.0.0.1:60861/127.0.0.1:27017 Created index user_1_db_1 on admin.system.users as { v: 1, unique: true, key: { user: 1, db: 1 }, name: "user_1_db_1", ns: "admin.system.users" }.
      2013-10-30T11:42:39.953-0400 127.0.0.1:60861/127.0.0.1:27017 Created database admin.
      2013-10-30T11:42:39.954-0400 127.0.0.1:60861/127.0.0.1:27017 Created index _id_ on admin.system.users as { v: 1, key: { _id: 1 }, name: "_id_", ns: "admin.system.users" }.
      2013-10-30T11:42:39.962-0400 uu@admin 127.0.0.1:60861/127.0.0.1:27017 Authentication succeeded for uu@admin using mechanism MONGODB-CR.
      2013-10-30T11:42:39.962-0400 uu@admin 127.0.0.1:60861/127.0.0.1:27017 Created user oo@oink with password, without customData, with the following roles: userAdmin@oink, readWrite@oink, dbAdmin@oink.

      To confirm that the revocation did take effect, the last part of the shell
      output shows no roles for 'oo':

      {
      	"_id" : "oink.oo",
      	"user" : "oo",
      	"db" : "oink",
      	"credentials" : {
      		"MONGODB-CR" : "6363103a8f514a6452b1394ec1ee613d"
      	},
      	"roles" : [ ]
      }


    Description

      The grantRolesToUser and revokeRolesFromUser actions don't produce audit
      records.

      The spec says that they do for text output:

      grantRolesToUser    NA     Granted to user <user>@<db> the roles: <role names>. 
      revokeRolesFromUser NA     Revoked from user <user>@<db> the roles: <role names>. 

      although, in a related bug, the spec doesn't list any bsonfile output for
      these actions.

      However, neither format actually produces any trace in the audit log.
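
      The gap shown in the steps above can be caught mechanically by reconciling the audit trail against admin.system.users. The following is an added example, not code from this report or from MongoDB: it parses the text-format audit log (the five lines from the steps above, plus one constructed "Revoked from user" line written in the spec's format), folds create/grant/revoke records into the role set the audit trail implies for oo@oink, and compares that with the roles actually stored. The grant and revoke message formats are the spec lines quoted in the description; that their role lists are rendered as name@db like the "Created user" record, and that stored roles may appear as {role, db} objects, are assumptions.

```javascript
'use strict';
// Added example for SERVER-11474: reconcile MongoDB's text-format audit log
// against admin.system.users to detect privilege changes with no audit record.
// Not code from the report or from MongoDB.

// One text-format audit record: <timestamp> [<user>@<db>] <client>/<server> <message>
const LINE_RE = /^(\S+)\s+(?:(\S+@\S+)\s+)?(\S+\/\S+)\s+(.*)$/;

// Message formats. "Created user" is taken from the report's own log; the grant
// and revoke formats are the spec lines quoted in the description. ASSUMPTION:
// all three render the role list as "name@db, name@db".
const MESSAGE_RES = [
  { type: 'createUser',          re: /^Created user (\S+)@(\S+) .*?with the following roles: (.*)\.$/ },
  { type: 'grantRolesToUser',    re: /^Granted to user (\S+)@(\S+) the roles: (.*)\.$/ },
  { type: 'revokeRolesFromUser', re: /^Revoked from user (\S+)@(\S+) the roles: (.*)\.$/ },
];

// Parse the log, keeping only user/role events; every other record is ignored.
function parseAuditLog(text) {
  const events = [];
  for (const raw of text.split('\n')) {
    const m = LINE_RE.exec(raw.trim());
    if (!m) continue;
    const [, ts, principal, conn, message] = m;
    for (const { type, re } of MESSAGE_RES) {
      const mm = re.exec(message);
      if (!mm) continue;
      events.push({ ts, principal: principal || null, conn, type, user: mm[1], db: mm[2],
                    roles: mm[3].split(',').map(s => s.trim()).filter(Boolean) });
      break;
    }
  }
  return events;
}

// Fold create/grant/revoke records into the role set the audit trail implies for one user.
function rolesImpliedByAudit(events, user, db) {
  const roles = new Set();
  for (const e of events) {
    if (e.user !== user || e.db !== db) continue;
    if (e.type === 'createUser') { roles.clear(); e.roles.forEach(r => roles.add(r)); }
    else if (e.type === 'grantRolesToUser') e.roles.forEach(r => roles.add(r));
    else if (e.type === 'revokeRolesFromUser') e.roles.forEach(r => roles.delete(r));
  }
  return [...roles].sort();
}

// Roles actually stored for the user. The report shows `roles: [ ]`; ASSUMPTION:
// when entries are present they are either "role@db" strings or {role, db} objects.
function actualRoles(userDoc) {
  return (userDoc.roles || []).map(r => (typeof r === 'string' ? r : `${r.role}@${r.db}`)).sort();
}

// Anything in one set but not the other is a privilege change the audit log missed.
function auditDrift(logText, userDoc) {
  const implied = rolesImpliedByAudit(parseAuditLog(logText), userDoc.user, userDoc.db);
  const actual = actualRoles(userDoc);
  return {
    unauditedRevocations: implied.filter(r => !actual.includes(r)),
    unauditedGrants: actual.filter(r => !implied.includes(r)),
  };
}

// Sample input: the five audit lines and the system.users document from the report.
const REPORTED_AUDIT_LOG = `
2013-10-30T11:42:39.951-0400 127.0.0.1:60861/127.0.0.1:27017 Created index user_1_db_1 on admin.system.users as { v: 1, unique: true, key: { user: 1, db: 1 }, name: "user_1_db_1", ns: "admin.system.users" }.
2013-10-30T11:42:39.953-0400 127.0.0.1:60861/127.0.0.1:27017 Created database admin.
2013-10-30T11:42:39.954-0400 127.0.0.1:60861/127.0.0.1:27017 Created index _id_ on admin.system.users as { v: 1, key: { _id: 1 }, name: "_id_", ns: "admin.system.users" }.
2013-10-30T11:42:39.962-0400 uu@admin 127.0.0.1:60861/127.0.0.1:27017 Authentication succeeded for uu@admin using mechanism MONGODB-CR.
2013-10-30T11:42:39.962-0400 uu@admin 127.0.0.1:60861/127.0.0.1:27017 Created user oo@oink with password, without customData, with the following roles: userAdmin@oink, readWrite@oink, dbAdmin@oink.
`;
const REPORTED_USER_DOC = { _id: 'oink.oo', user: 'oo', db: 'oink',
  credentials: { 'MONGODB-CR': '6363103a8f514a6452b1394ec1ee613d' }, roles: [] };

// CONSTRUCTED: what a complete log would contain, using the spec's revoke format.
const COMPLETE_AUDIT_LOG = REPORTED_AUDIT_LOG +
  '2013-10-30T11:42:39.970-0400 uu@admin 127.0.0.1:60861/127.0.0.1:27017 ' +
  'Revoked from user oo@oink the roles: userAdmin@oink, readWrite@oink, dbAdmin@oink.\n';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('reported log:', JSON.stringify(auditDrift(REPORTED_AUDIT_LOG, REPORTED_USER_DOC)));
  console.log('complete log:', JSON.stringify(auditDrift(COMPLETE_AUDIT_LOG, REPORTED_USER_DOC)));
}
```

      Run against the reported log, auditDrift lists all three oink roles under unauditedRevocations, which is exactly this bug: the stored document says the roles are gone while the audit trail never saw them leave. Against the constructed complete log both lists are empty. The same reconciliation runs unchanged over a log that does contain "Granted to user" records, so it also catches a grant that was applied without being audited.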

      People

        Matt Dannenberg (matt.dannenberg)
        bard.bloom@10gen.com
        Votes: 0
        Watchers: 5