[DOCS-14223] Investigate changes in SERVER-53962: Move UMC audit hooks to OpObservers Created: 12/Feb/21  Updated: 13/Nov/23  Resolved: 27/Jul/21

Status: Closed
Project: Documentation
Component/s: manual, Server
Affects Version/s: None
Fix Version/s: 5.0.0, Server_Docs_20231030, Server_Docs_20231106, Server_Docs_20231105, Server_Docs_20231113

Type: Task Priority: Major - P3
Reporter: Backlog - Core Eng Program Management Team Assignee: Jason Price
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
documents SERVER-53962 Move UMC audit hooks to OpObservers Closed
Epic Link: DOCSP-9747
Story Points: 3

Description

Downstream Change Summary

Cloud:

The Automation agent can sometimes perform raw inserts and updates to admin.system.users. These are probably not being audited currently, and they will be after the present change. It might be nice to get the agent to use createUser/updateUser to get clearer audit log entries, and to allow the server to evolve the document format without breaking Automation or preventing Automation from taking advantage of new functionality.

Docs:

This change introduces a new audit type, directAuthMutation. See the following file for all payloads it can emit:

jstests/audit/crud-user-role-direct.js

Description of Linked Ticket

We should consider moving the audit hooks from the User Management Commands to the AuthOpObserver, which would invoke them solely on primaries. When a primary performs a write to these system collections, either as part of a User Management Command or as part of a CRUD operation, the hook will check whether the generated oplog event implies that an authorization audit event should be recorded. If so, and the current node is a primary, it will invoke the audit hook. Because primaries invoke OpObservers in the catalog layer while clients perform operations, the active OperationContext will contain the client's authentication and authorization state.
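As an added illustration (not code from this ticket or from the server repository), a small audit-log triage script that separates the new directAuthMutation records, produced by raw writes to admin.system.users that bypass the User Management Commands, from the createUser/updateUser-style records those commands emit, and lists the direct mutations for review. The sample records are constructed; only their top-level keys follow the audit log layout, and the contents of the param field for directAuthMutation are an assumption, the real payloads being those in jstests/audit/crud-user-role-direct.js.

```python
import json
from collections import Counter

# Audit types produced by User Management Commands (UMC). Raw writes to the
# auth collections, which this change starts auditing, arrive instead as
# the new directAuthMutation type.
UMC_ATYPES = {"createUser", "updateUser", "dropUser", "createRole",
              "updateRole", "dropRole", "grantRolesToUser", "revokeRolesFromUser"}
DIRECT_ATYPE = "directAuthMutation"

# Constructed sample audit records (not real server output). Top-level keys
# follow the audit log layout; the param contents of the directAuthMutation
# records are an assumption made for this illustration.
SAMPLE_AUDIT_LOG = """\
{"atype":"createUser","ts":{"$date":"2021-03-01T10:00:00.000+00:00"},"users":[{"user":"dba","db":"admin"}],"param":{"user":"app","db":"test"},"result":0}
{"atype":"directAuthMutation","ts":{"$date":"2021-03-01T10:05:00.000+00:00"},"users":[{"user":"automation-agent","db":"admin"}],"param":{"ns":"admin.system.users","operation":"update"},"result":0}
{"atype":"authenticate","ts":{"$date":"2021-03-01T10:06:00.000+00:00"},"users":[],"param":{"user":"app","db":"test","mechanism":"SCRAM-SHA-256"},"result":0}
{"atype":"directAuthMutation","ts":{"$date":"2021-03-01T10:07:00.000+00:00"},"users":[{"user":"automation-agent","db":"admin"}],"param":{"ns":"admin.system.users","operation":"insert"},"result":0}
"""


def classify(record):
    """Return 'umc', 'direct' or 'other' for one parsed audit record."""
    atype = record.get("atype")
    if atype == DIRECT_ATYPE:
        return "direct"
    return "umc" if atype in UMC_ATYPES else "other"


def triage(log_text):
    """Count records by class and list direct mutations for review.

    A direct write bypasses the UMC path, so its record carries no command
    detail: the acting user, namespace and operation are what a reviewer gets.
    """
    counts = Counter()
    review = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        record = json.loads(raw)
        kind = classify(record)
        counts[kind] += 1
        if kind == "direct":
            actors = ",".join(f"{u['user']}@{u['db']}" for u in record.get("users", [])) or "<none>"
            param = record.get("param", {})
            review.append((record["ts"]["$date"], actors, param.get("ns"), param.get("operation")))
    return dict(counts), review
```

Running `triage(SAMPLE_AUDIT_LOG)` on the constructed log yields one UMC record, two direct mutations flagged for review and one unrelated record.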


Generated at Thu Feb 08 08:09:49 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.