Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-53962

Move UMC audit hooks to OpObservers

    XMLWordPrintableJSON

Details

    • Icon: Improvement Improvement
    • Resolution: Fixed
    • Icon: Major - P3 Major - P3
    • 5.0.0
    • None
    • Internal Code, Security
    • None
    • Minor Change
    • Security 2021-02-08, Security 2021-02-22

    Description

      We should consider moving the audit hooks from the User Management Commands to the AuthOpObserver, which would invoke them solely on primaries. When a primary performs a write to these system collections, either as a part of a User Management Command or as part of a CRUD operation, the hook will check whether the generated oplog event implies that an authorization audit event should be recorded. If yes and the current node is a primary, it will invoke the audit hook. Because primaries invoke OpObserves in the catalog layer while clients perform operations, the active OperationContext will contain the client's authentication and authorization state.

      Attachments

        1. log.json
          4 kB
        2. Results1.txt
          3 kB
        3. Results2.txt
          3 kB

        Activity

          People

            sergey.galtsev@mongodb.com Sergey Galtsev (Inactive)
            spencer.jackson@mongodb.com Spencer Jackson
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: