Core Server / SERVER-71605

Provide option to deduplicate impersonated user and role information

Details

    • Task
    • Status: Open
    • Major - P3
    • Resolution: Unresolved
    • Security

    Description

      Today, impersonated user information is included on slow query logs inside of the $audit object. It is present whenever a server is performing a request proxied by another server authenticated as the __system user. This includes both the impersonated username and its roles, which can be arbitrarily large. In at least one case, this has caused very large logs since the impersonated user had many roles sourced from LDAP group membership, eventually causing the log file to become too large.

      To mitigate this, we can consider introducing some kind of option to either filter impersonated users/roles entirely from the logs or deduplicate just the roles from the usernames.
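One way to measure how much of each slow query log line the `$audit` object accounts for, as an added example that is not part of the ticket or the server's own code. It assumes JSON-formatted log lines and the field names `$impersonatedUsers` and `$impersonatedRoles` inside `$audit`; the sample lines are constructed.

```python
import json

# "$audit" is from the ticket; the "$impersonated*" field names are assumptions.
AUDIT_KEY = "$audit"
ROLES_KEY = "$impersonatedRoles"

def find_audit(node):
    """Depth-first search for the first "$audit" object in a parsed entry."""
    if isinstance(node, dict):
        if isinstance(node.get(AUDIT_KEY), dict):
            return node[AUDIT_KEY]
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            found = find_audit(child)
            if found is not None:
                return found
    return None

def audit_overhead(line):
    """Return (line_bytes, audit_bytes, role_count) for one JSON log line."""
    size = len(line.encode())
    try:
        audit = find_audit(json.loads(line))
    except ValueError:  # non-JSON line: count its size, no $audit
        audit = None
    if audit is None:
        return size, 0, 0
    audit_bytes = len(json.dumps(audit, separators=(",", ":")).encode())
    return size, audit_bytes, len(audit.get(ROLES_KEY, []))

def summarize(lines, threshold=0.9):
    """Return (total_bytes, audit_bytes, indexes of lines dominated by $audit)."""
    total, spent, heavy = 0, 0, []
    for i, line in enumerate(lines):
        size, audit, _ = audit_overhead(line)
        total, spent = total + size, spent + audit
        if size and audit / size >= threshold:
            heavy.append(i)
    return total, spent, heavy

def sample_line(n_roles):  # constructed slow-query entry, not real server output
    roles = [{"role": f"ldap-group-{i}", "db": "admin"} for i in range(n_roles)]
    audit = {"$impersonatedUsers": [{"user": "app", "db": "admin"}], ROLES_KEY: roles}
    cmd = {"find": "orders", AUDIT_KEY: audit}
    entry = {"msg": "Slow query", "attr": {"command": cmd, "durationMillis": 212}}
    return json.dumps(entry, separators=(",", ":"))

SAMPLE_LOG = [sample_line(0), sample_line(2), sample_line(400)]
```

Running `summarize` over a real log shows whether role lists, rather than the queries themselves, are what is driving log growth.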

            People

              backlog-server-security Backlog - Security Team
              varun.ravichandran@mongodb.com Varun Ravichandran