  1. Core Server
  2. SERVER-65777

"revokePrivilegesFromRole" param.ns missing user object in audit log

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • 6.0.0-rc7, 5.0.10, 6.1.0-rc0
    • Affects Version/s: None
    • Component/s: None
    • Labels:
      None
    • Environment:
      MongoDB shell version v5.0.3
    • Minor Change
    • v6.0, v5.0
    • Security 2022-05-16

      Problem Statement/Rationale

      When revoking a privilege from a role (aka revokePrivilegesFromRole), the corresponding audit logs (1 with atype: authCheck, and 1 with atype: revokePrivilegesFromRole) should include both the database and the role name in param.ns.

       

      Steps to Reproduce

      1. Revoke a privilege from a role.
      2. Check the audit log that was produced.

      Expected Results

      It should produce a log that resembles this: 

      • param.ns should have BOTH the db and the role.
        { "atype" : "authCheck", "ts" : { "$date" : "2022-04-14T21:00:01.873+00:00" }, "uuid" : { "$binary" : "isi10Tt7SjuEmUTyiOW2Wg==", "$type" : "04" }, "local" : { "ip" : "172.31.80.31", "port" : 27017 }, "remote" : { "ip" : "172.31.64.227", "port" : 57258 }, "users" : [ { "user" : "jackAdmin", "db" : "admin" } ], "roles" : [ { "role" : "root", "db" : "admin" }, { "role" : "userAdminAnyDatabase", "db" : "admin" }, { "role" : "readWriteAnyDatabase", "db" : "admin" } ], "param" : { "command" : "revokePrivilegesFromRole", "ns" : "tlcdb.tester", "args" : { "revokePrivilegesFromRole" : "tester", "privileges" : [ { "resource" : { "db" : "tlcdb", "collection" : "testcoll" }, "actions" : [ "find" ] } ], "writeConcern" : { "w" : "majority", "wtimeout" : 600000 }, "lsid" : { "id" : { "$binary" : "rJAp+YHMTH2gQZOI7Xrppw==", "$type" : "04" } }, "$db" : "tlcdb" } }, "result" : 0 }

      Actual Results

      It produces the following log:

      • param.ns only has the db name. It is missing the role that should come after the period.

      { "atype" : "authCheck", "ts" : { "$date" : "2022-04-14T21:00:01.873+00:00" }, "uuid" : { "$binary" : "isi10Tt7SjuEmUTyiOW2Wg==", "$type" : "04" }, "local" : { "ip" : "172.31.80.31", "port" : 27017 }, "remote" : { "ip" : "172.31.64.227", "port" : 57258 }, "users" : [ { "user" : "jackAdmin", "db" : "admin" } ], "roles" : [ { "role" : "root", "db" : "admin" }, { "role" : "userAdminAnyDatabase", "db" : "admin" }, { "role" : "readWriteAnyDatabase", "db" : "admin" } ], "param" : { "command" : "revokePrivilegesFromRole", "ns" : "tlcdb.", "args" : { "revokePrivilegesFromRole" : "tester", "privileges" : [ { "resource" : { "db" : "tlcdb", "collection" : "testcoll" }, "actions" : [ "find" ] } ], "writeConcern" : { "w" : "majority", "wtimeout" : 600000 }, "lsid" : { "id" : { "$binary" : "rJAp+YHMTH2gQZOI7Xrppw==", "$type" : "04" } }, "$db" : "tlcdb" } }, "result" : 0 }

       

      Additional Notes

      Any additional information that may be useful to include.


            Assignee:
            sara.golemon@mongodb.com Sara Golemon
            Reporter:
            jackp7640@gmail.com Jack Park
            Votes:
            0
            Watchers:
            8

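For audit logs already written by an affected server, the role can be recovered from param.args, as in this added example (not code from the ticket or from MongoDB). It assumes one JSON document per line and the authCheck field layout shown in the ticket's sample; repair_ns, scan and the trimmed sample lines are constructed for illustration.

```python
import json

# Constructed sample: trimmed versions of the ticket's two authCheck events,
# one unrelated command, and one corrupt line.
SAMPLE_LOG = "\n".join([
    '{"atype":"authCheck","users":[{"user":"jackAdmin","db":"admin"}],"param":'
    '{"command":"revokePrivilegesFromRole","ns":"tlcdb.","args":'
    '{"revokePrivilegesFromRole":"tester","$db":"tlcdb"}},"result":0}',
    '{"atype":"authCheck","users":[{"user":"jackAdmin","db":"admin"}],"param":'
    '{"command":"revokePrivilegesFromRole","ns":"tlcdb.tester","args":'
    '{"revokePrivilegesFromRole":"tester","$db":"tlcdb"}},"result":0}',
    '{"atype":"authCheck","users":[{"user":"jackAdmin","db":"admin"}],"param":'
    '{"command":"find","ns":"tlcdb.testcoll","args":{"find":"testcoll"}},"result":0}',
    '{"atype":"authCheck","param":',
])

ROLE_COMMANDS = {"revokePrivilegesFromRole"}  # the only command the ticket covers


def repair_ns(event):
    """Return 'db.role' when param.ns lacks the role and args can supply it, else None."""
    param = event.get("param") or {}
    command = param.get("command")
    if event.get("atype") != "authCheck" or command not in ROLE_COMMANDS:
        return None
    db, _, role = str(param.get("ns", "")).partition(".")
    if role:
        return None  # ns already names the role, nothing to repair
    args = param.get("args") or {}
    db, role = db or args.get("$db"), args.get(command)
    if isinstance(db, str) and db and isinstance(role, str) and role:
        return f"{db}.{role}"
    return None  # not enough data to repair; leave the event untouched


def scan(log_text):
    """Return one finding per audit line whose param.ns had to be rebuilt."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip corrupt or partial lines
        ns = repair_ns(event) if isinstance(event, dict) else None
        if ns:
            users = [f"{u.get('user')}@{u.get('db')}" for u in event.get("users", [])]
            findings.append({"line": lineno, "ns": ns, "users": users})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Alerts or filters keyed on param.ns will not match the truncated "tlcdb." value, so run a normalization like this before querying audit data written by an affected version.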