|
The constraints for redacting security-sensitive commands in command monitoring require the driver to check the command name against a pre-defined list (https://github.com/mongodb/specifications/blob/master/source/command-monitoring/command-monitoring.rst#security).
However, this is complicated by things like speculative authentication, which mandates that drivers redact isMaster if the speculativeAuthenticate field is present. This is error-prone because sending an isMaster command with that field does not guarantee that the reply will also have the field, so a driver that checks both the request and the response might redact the started event but publish the finished event.
This can be simplified by mandating that drivers must not publish events for any commands sent during the handshake, authentication, or SDAM routines. This way, any commands explicitly sent by the user are monitored and commands internally started by the driver are not.
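The mismatch described above, and the effect of the proposed rule, as an added sketch that is not taken from any driver or from the specification. The function names, the `internal` flag, the sample documents and the use of an empty document to stand for a redacted body are all assumptions made for illustration, and the name list is only a subset of the one in the linked spec.

```python
# Illustrative model only: hypothetical names, constructed sample documents.
SENSITIVE = {"authenticate", "saslstart", "saslcontinue",
             "getnonce", "createuser", "updateuser"}  # subset of the spec's list


def must_redact(name, doc):
    """Per-document check: sees only the document it is handed."""
    lowered = name.lower()
    if lowered in SENSITIVE:
        return True
    return lowered == "ismaster" and "speculativeAuthenticate" in doc


def publish_per_document(name, command, reply):
    """Error-prone approach: request and reply are evaluated independently."""
    started = {} if must_redact(name, command) else command
    succeeded = {} if must_redact(name, reply) else reply
    return [("started", name, started), ("succeeded", name, succeeded)]


def publish_by_origin(name, command, reply, internal):
    """Proposed rule: commands the driver sends for handshake, authentication
    or SDAM produce no events at all; user commands are monitored as before."""
    if internal:
        return []
    return publish_per_document(name, command, reply)


# Constructed handshake: the request carries speculativeAuthenticate, but the
# reply (for example from a server that ignores the field) does not.
HANDSHAKE_CMD = {"isMaster": 1,
                 "speculativeAuthenticate": {"saslStart": 1, "payload": "<constructed>"}}
HANDSHAKE_REPLY = {"ismaster": True, "maxWireVersion": 8, "ok": 1}
# Constructed user command.
FIND_CMD = {"find": "coll", "filter": {}}
FIND_REPLY = {"cursor": {"id": 0, "firstBatch": []}, "ok": 1}

if __name__ == "__main__":
    for event in publish_per_document("isMaster", HANDSHAKE_CMD, HANDSHAKE_REPLY):
        print("per-document:", event)   # started is redacted, succeeded is not
    print("by origin:", publish_by_origin("isMaster", HANDSHAKE_CMD,
                                          HANDSHAKE_REPLY, internal=True))
    print("user cmd:", publish_by_origin("find", FIND_CMD, FIND_REPLY,
                                         internal=False))
```

With the origin rule, the redaction decision for handshake traffic no longer depends on which fields happen to appear in the reply.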
|