Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-71766

Include non-impersonated usernames in command metadata of slow query log

    XMLWordPrintableJSON

Details

    • Icon: Task Task
    • Resolution: Unresolved
    • Icon: Major - P3 Major - P3
    • None
    • None
    • None
    • None
    • Server Security

    Description

      When an operation is performed on a shard from a mongos, the mongos authenticates to the shard as the internal __system user. When logging the command's metadata, it propagates the actual end user's name and roles in a subdocument called $audit with two fields: $impersonatedUsers and $impersonatedRoles. This field does not appear in slow query logs for operations performed on a mongod from a directly-connected driver authenticated as a regular user.

      We should consider logging an operation's user's username in its slow query log even in non-impersonation cases so the information is always available.

       

      Attachments

        Activity

          People

            backlog-server-security Backlog - Security Team
            varun.ravichandran@mongodb.com Varun Ravichandran
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated: