[SERVER-11192] Audit system cannot ascribe DDL operations in a sharded cluster to an end user. Created: 15/Oct/13  Updated: 20/Aug/20  Resolved: 10/Jan/14

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.5.3
Fix Version/s: 2.5.5

Type: Bug Priority: Critical - P2
Reporter: Andy Schwerin Assignee: Eric Milkie
Resolution: Done Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-50394 mongod audit log attributes DDL opera... Closed
is related to SERVER-1891 Audit "DDL" operations Closed
Operating System: ALL

Description

Because the sharding system does not track the lifetime of databases, collections and indexes, mongos does not know when a database, collection or index is about to be created. As a result, it cannot place an entry into its local audit log about those events. However, it does know the identity of the end users requesting operations. The mongod nodes involved do know about the lifetime of these objects, but in a sharded system they do not know on behalf of which end user the event was triggered. We need some solution that ties these two pieces of information together.

The original auditing proposal was to attach operation ids to all operations, and have mongos report to mongod the id of each source operation that it delegated to mongod. Something like this is one possible solution. Another is to introduce a notion of end-user session, and have mongos inform mongod of the end-user session it is implementing by delegation to mongod. There may be other reasonable solutions, as well.

Comments
Comment by Githook User [ 10/Jan/14 ]

Author: Eric Milkie (username: milkie, email: milkie@10gen.com)

Message: SERVER-11192 make sure to set all instances of the runCommandHook, for special DBClients
Branch: master
https://github.com/mongodb/mongo/commit/7a06ec8610e2bae128fbac03bdedcf0f89199e90

Comment by Githook User [ 24/Dec/13 ]

Author: Eric Milkie (username: milkie, email: milkie@10gen.com)

Message: SERVER-11192 hook c++ driver to transmit mongos authenticated users to mongod, for auditing

Also, add UserNameIterator as a parallel to RoleIterator.
Branch: master
https://github.com/mongodb/mongo/commit/f148caa11e97727949b5e8594b7439856faff499

Comment by Githook User [ 24/Dec/13 ]

Author: Eric Milkie (username: milkie, email: milkie@10gen.com)

Message: SERVER-11192 impersonated user auditing

Two functions to help support impersonated user auditing for mongos.
One function is intended for mongos to use to append impersonated users
to its commands to shards.
The other function is used to process and remove that information on the
mongod side of parsing a command.
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/c1289f9849256b63a0c3e65c79bc69e07b394bed
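The two-sided hand-off described in this commit message (mongos appends the authenticated end users to the commands it forwards, mongod strips that information out while parsing the command and uses it for the audit record), modelled as an added illustration rather than MongoDB's own code. The field name `$impersonatedUsers`, the dict-based command representation and the `caller_may_impersonate` authorization flag are assumptions of this example; the authorization check is included because without it any client talking directly to a shard could forge the user recorded in the audit log.

```python
# Added example: mongos -> mongod impersonated-user hand-off for auditing.
# Not MongoDB source; field name and privilege check are assumptions.

IMPERSONATED_USERS_FIELD = "$impersonatedUsers"  # assumed wire field name


class AuditError(Exception):
    """Raised when an incoming command carries an unacceptable impersonation field."""


def append_impersonated_users(command, authenticated_users):
    """mongos side: copy the end users authenticated on the client connection
    onto a command that is about to be delegated to a shard."""
    out = dict(command)
    out[IMPERSONATED_USERS_FIELD] = [
        {"user": u["user"], "db": u["db"]} for u in authenticated_users
    ]
    return out


def extract_impersonated_users(command, caller_may_impersonate):
    """mongod side: remove the impersonation field before the command is
    parsed further and return (stripped_command, impersonated_users).

    Only a caller that the server has already authorized to impersonate
    (mongos authenticating as a cluster member) may assert other users'
    identities; a plain client presenting the field is rejected."""
    stripped = dict(command)
    users = stripped.pop(IMPERSONATED_USERS_FIELD, None)
    if users is None:
        return stripped, None
    if not caller_may_impersonate:
        raise AuditError("caller is not authorized to set impersonated users")
    for u in users:
        if set(u) != {"user", "db"} or not all(isinstance(u[k], str) for k in u):
            raise AuditError("malformed impersonated user entry")
    return stripped, users


def audit_ddl(command, caller_may_impersonate, connection_users):
    """Build the audit record a shard would write for a DDL command: attribute it
    to the impersonated end users when present, else to the connection's users."""
    stripped, impersonated = extract_impersonated_users(command, caller_may_impersonate)
    return {
        "command": stripped,
        "users": impersonated if impersonated is not None else connection_users,
    }
```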
