Details
- Improvement
- Resolution: Fixed
- Major - P3
- None
- None
- Minor Change
- Security 2021-02-08, Security 2021-02-22
Description
We should consider moving the audit hooks from the User Management Commands to the AuthOpObserver, which would invoke them solely on primaries. When a primary performs a write to these system collections, either as a part of a User Management Command or as part of a CRUD operation, the hook will check whether the generated oplog event implies that an authorization audit event should be recorded. If yes and the current node is a primary, it will invoke the audit hook. Because primaries invoke OpObservers in the catalog layer while clients perform operations, the active OperationContext will contain the client's authentication and authorization state.
Issue Links
- duplicates
  - SERVER-49344 Audit hooks for authorization state changes should be moved to OpObservers (Closed)
- is documented by
  - DOCS-14223 Investigate changes in SERVER-53962: Move UMC audit hooks to OpObservers (Closed)