
No auditing done by grantRolesToUser or revokeRolesFromUser

    • Type: Bug
    • Resolution: Done
    • Priority: Blocker - P1
    • 2.5.4
    • Affects Version/s: None
    • Component/s: None
    • Labels:
    • ALL

      A specific test case by hand. First start a mongod like this

      #!/bin/bash
      echo 'db.addUser({user:"uu", pwd:"pp", roles:["userAdminAnyDatabase", "clusterAdmin", "readWriteAnyDatabase", "dbAdminAnyDatabase"]})'
      
      rm -r /tmp/mongoda
      mkdir /tmp/mongoda
      
      mongod --port 27017 --logpath /tmp/mongoda/mongo.log --logappend --auditLog textfile --auth --auditPath /tmp/mongoda/audit.log --dbpath /tmp/mongoda --smallfiles --nopreallocj
      
      

      And then revoke user privileges like this:

      admindb = db.getMongo().getDB('admin')
      
      admindb.addUser({user:"uu", pwd:"pp", roles:["userAdminAnyDatabase", "clusterAdmin", "readWriteAnyDatabase", "dbAdminAnyDatabase"]})
      
      admindb.auth("uu","pp")
      
      oinkdb = db.getMongo().getDB('oink')
      
      oinkdb.addUser({user:"oo", pwd:"pp", roles:["userAdmin", "readWrite", "dbAdmin"]})
      
      oinkdb.runCommand({revokeRolesFromUser: "oo", roles: ["userAdmin", "readWrite", "dbAdmin"]})
      
      admindb = db.getMongo().getDB('admin')
      
      print("Here comes output")
      
      admindb.system.users.find().forEach(printjson)
      

      And look at the tail of the audit log file, where you can see the user oo
      getting created, but not the authority getting revoked.

      2013-10-30T11:42:39.951-0400 127.0.0.1:60861/127.0.0.1:27017 Created index user_1_db_1 on admin.system.users as { v: 1, unique: true, key: { user: 1, db: 1 }, name: "user_1_db_1", ns: "admin.system.users" }.
      2013-10-30T11:42:39.953-0400 127.0.0.1:60861/127.0.0.1:27017 Created database admin.
      2013-10-30T11:42:39.954-0400 127.0.0.1:60861/127.0.0.1:27017 Created index _id_ on admin.system.users as { v: 1, key: { _id: 1 }, name: "_id_", ns: "admin.system.users" }.
      2013-10-30T11:42:39.962-0400 uu@admin 127.0.0.1:60861/127.0.0.1:27017 Authentication succeeded for uu@admin using mechanism MONGODB-CR.
      2013-10-30T11:42:39.962-0400 uu@admin 127.0.0.1:60861/127.0.0.1:27017 Created user oo@oink with password, without customData, with the following roles: userAdmin@oink, readWrite@oink, dbAdmin@oink.
      

      And to confirm that it happened, the last part of the shell output shows no
      roles for 'oo':

      {
      	"_id" : "oink.oo",
      	"user" : "oo",
      	"db" : "oink",
      	"credentials" : {
      		"MONGODB-CR" : "6363103a8f514a6452b1394ec1ee613d"
      	},
      	"roles" : [ ]
      }
      

      The grantRolesToUser and revokeRolesFromUser actions don't produce audit
      records.

      The spec says that they do for text output:

      grantRolesToUser    NA     Granted to user <user>@<db> the roles: <role names>. 
      revokeRolesFromUser NA     Revoked from user <user>@<db> the roles: <role names>. 
      

      although, in a related bug, the spec doesn't list any bsonfile output for
      these actions.

      However, neither format actually produces any trace in the audit log.
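      The gap described above can be turned into an automated check: replay the role-changing audit records for a user and compare the result with that user's system.users document; any disagreement means the audit trail missed a change. The following is an added example, not code from this issue or from MongoDB. The line grammar and the three message patterns are assumptions read off the five captured audit lines and the two text-output spec lines quoted above; the sample input is this report's own audit log and user document.

```python
import re

# Line shape seen in the text-format audit log captured in this report. This is an
# assumption read off those five lines, not a documented grammar:
#   <timestamp> [<actor>@<db>] <client>/<server> <message>.
AUDIT_LINE = re.compile(
    r"^(?P<ts>\S+) (?:(?P<actor>[^\s/]+@[^\s/]+) )?"
    r"(?P<client>[^\s/]+)/(?P<server>\S+) (?P<msg>.*?)\.?$"
)

# Message shapes for the three role-changing actions. "Created user" is copied
# from the captured log; "Granted"/"Revoked" are the spec's text-output lines.
ROLE_EVENTS = {
    "createUser": re.compile(r"^Created user (?P<user>\S+)"),
    "grantRolesToUser": re.compile(r"^Granted to user (?P<user>\S+) the roles: (?P<roles>.+)$"),
    "revokeRolesFromUser": re.compile(r"^Revoked from user (?P<user>\S+) the roles: (?P<roles>.+)$"),
}
CREATED_ROLES = re.compile(r"with the following roles: (?P<roles>.+)$")


def parse_audit_line(line):
    """Split one text audit line into its fields; return None for lines that do not match."""
    m = AUDIT_LINE.match(line.strip())
    return m.groupdict() if m else None


def role_events(lines):
    """Yield (action, user@db, [role@db, ...]) for every audited role change in order."""
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            continue
        for action, pattern in ROLE_EVENTS.items():
            m = pattern.match(rec["msg"])
            if not m:
                continue
            if action == "createUser":
                r = CREATED_ROLES.search(rec["msg"])
                roles_text = r.group("roles") if r else ""
            else:
                roles_text = m.group("roles")
            roles = [x.strip() for x in roles_text.split(",") if x.strip()]
            yield action, m.group("user"), roles
            break


def replay_roles(lines, user):
    """Roles the audit trail implies `user` holds now, or None if the trail never saw the user."""
    roles = None
    for action, who, changed in role_events(lines):
        if who != user:
            continue
        if action == "createUser":
            roles = set(changed)
        elif action == "grantRolesToUser":
            roles = (roles or set()) | set(changed)
        elif action == "revokeRolesFromUser":
            roles = (roles or set()) - set(changed)
    return roles


def actual_roles(user_doc):
    """Roles from a system.users document, normalised to role@db strings."""
    out = set()
    for r in user_doc.get("roles", []):
        if isinstance(r, dict):  # {role: ..., db: ...} form
            out.add(f"{r['role']}@{r['db']}")
        else:  # bare role name: applies to the user's own database
            out.add(f"{r}@{user_doc['db']}")
    return out


def audit_gap(lines, user_doc):
    """Return (replayed, actual) when the trail and the stored state disagree, else None."""
    user = f"{user_doc['user']}@{user_doc['db']}"
    replayed = replay_roles(lines, user)
    actual = actual_roles(user_doc)
    if replayed is None or replayed != actual:
        return replayed, actual
    return None


# Sample input: the five audit lines and the system.users document from this report
# (credentials omitted, they play no part in the comparison).
AUDIT_LOG = """\
2013-10-30T11:42:39.951-0400 127.0.0.1:60861/127.0.0.1:27017 Created index user_1_db_1 on admin.system.users as { v: 1, unique: true, key: { user: 1, db: 1 }, name: "user_1_db_1", ns: "admin.system.users" }.
2013-10-30T11:42:39.953-0400 127.0.0.1:60861/127.0.0.1:27017 Created database admin.
2013-10-30T11:42:39.954-0400 127.0.0.1:60861/127.0.0.1:27017 Created index _id_ on admin.system.users as { v: 1, key: { _id: 1 }, name: "_id_", ns: "admin.system.users" }.
2013-10-30T11:42:39.962-0400 uu@admin 127.0.0.1:60861/127.0.0.1:27017 Authentication succeeded for uu@admin using mechanism MONGODB-CR.
2013-10-30T11:42:39.962-0400 uu@admin 127.0.0.1:60861/127.0.0.1:27017 Created user oo@oink with password, without customData, with the following roles: userAdmin@oink, readWrite@oink, dbAdmin@oink.
""".splitlines()

OO_DOC = {"_id": "oink.oo", "user": "oo", "db": "oink", "roles": []}

if __name__ == "__main__":
    # On this report's data the trail still claims all three roles while the
    # document holds none: the revocation was never audited.
    print(audit_gap(AUDIT_LOG, OO_DOC))
```

      Run against a live deployment, `audit_gap` would take the tail of the audit file and the output of `admindb.system.users.find()`; a non-None result for any user is the signal that a grant or revoke went unrecorded. Once the spec's "Revoked from user ..." line is actually emitted, the replay and the stored roles agree and the check returns None.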

            Assignee: Matt Dannenberg (matt.dannenberg)
            Reporter: bard.bloom@10gen.com
            Votes: 0
            Watchers: 5
