[SERVER-11380] authCheck action gives wrong or no audit message Created: 25/Oct/13  Updated: 10/Dec/14  Resolved: 28/Oct/13

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: bard.bloom@10gen.com Assignee: Matt Dannenberg
Resolution: Done Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-11386 authCheck documentation should reflec... Closed
Operating System: ALL
Participants:

Description

The spec for auditing authCheck says that the message will be one of the
following:

Access granted for <command/args> [on <ns>]. 
Access denied for <command/args> [on <ns>]. 

For DENIED access, we have the minor problem that the "on <ns>" and "for <command>" are reversed in the log file. (The exotic characters in database and collection name are being used to check wide-character support.)

            2013-10-25T13:01:20.861-0400 user2@db1 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Access denied on dbЖ7.cӜ8 for { insert: "cӜ8", documents: [ { _id: ObjectId('526aa3e068ead9114ea98ade'), field: true, feild: false, feeld: false, fiild: false } ] }.

For GRANTED access, we have the larger problem that no message is logged at
all. Here's the full set of logging messages for this test case.

            2013-10-25T13:01:20.865-0400 admin@admin 127.0.0.1:59095/127.0.0.1:27017 000000000000000000000000.0 Created user userאب12@dbא10 with password without customData, with the following roles: readWrite@dbא10.
            2013-10-25T13:01:20.866-0400 user2@db1,userאب12@dbא10 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Authentication succeeded for userאب12@dbא10 using mechanism MONGODB-CR.
            2013-10-25T13:01:20.867-0400 user2@db1,userאب12@dbא10 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Created collection dbא10.cب11.
            2013-10-25T13:01:20.882-0400 user2@db1,userאب12@dbא10 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Created collection dbא10.system.namespaces.
            2013-10-25T13:01:20.898-0400 user2@db1,userאب12@dbא10 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Created collection dbא10.system.indexes.
            2013-10-25T13:01:20.898-0400 user2@db1,userאب12@dbא10 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Created index _id_ on dbא10.cب11 as 0x7f96c4c475b0.
            2013-10-25T13:01:20.898-0400 user2@db1,userאب12@dbא10 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Created database dbא10.

The actions being run here are:
1. Create a user user12 on a new database db10
2. Log in as user12
3. Insert a record.

In the audit log, we see the user creation (1), the login (2), and the various
creations that come from making a new collection in a new database. But no
"Access granted" message.
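The two message orderings above ("for <command> on <ns>" per the spec, "on <ns> for <command>" as actually logged) and the wide-character namespaces are exactly what trips up a naive audit-log parser. The following is an added example, not MongoDB's own code: a small Python parser for the line layout shown in this ticket (timestamp, comma-separated authenticated users, client/server address, session id, message) that accepts both orderings, keeps the Unicode namespace intact, counts authCheck verdicts, and lists client sessions that produced audit activity without a single "Access granted" record, which is the symptom this ticket reports. The sample lines are copied from the ticket except the last one, which is a constructed spec-order "Access granted" entry added so both forms are exercised; the function names and the `AuditEntry` fields are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample audit lines: the first four are taken from this ticket, the last is a
# CONSTRUCTED spec-order "Access granted" entry (not something 2.6 emits).
SAMPLE_LINES = """\
2013-10-25T13:01:20.861-0400 user2@db1 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Access denied on dbЖ7.cӜ8 for { insert: "cӜ8", documents: [ { _id: ObjectId('526aa3e068ead9114ea98ade'), field: true } ] }.
2013-10-25T13:01:20.865-0400 admin@admin 127.0.0.1:59095/127.0.0.1:27017 000000000000000000000000.0 Created user userאב12@dbא10 with password without customData, with the following roles: readWrite@dbא10.
2013-10-25T13:01:20.866-0400 user2@db1,userאב12@dbא10 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Authentication succeeded for userאב12@dbא10 using mechanism MONGODB-CR.
2013-10-25T13:01:20.867-0400 user2@db1,userאב12@dbא10 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Created collection dbא10.cב11.
2013-10-25T13:01:20.870-0400 admin@admin 127.0.0.1:59095/127.0.0.1:27017 000000000000000000000000.0 Access granted for { listDatabases: 1 } on admin.
""".splitlines()

# Documented order: "Access <verdict> for <command> [on <ns>]."  (ns optional)
SPEC_ORDER = re.compile(r"^Access (granted|denied) for (.*?)(?: on (\S+))?\.$")
# Order actually emitted for denials: "Access <verdict> on <ns> for <command>."
ACTUAL_ORDER = re.compile(r"^Access (granted|denied) on (\S+) for (.*)\.$")


@dataclass
class AuditEntry:
    timestamp: str
    users: List[str]          # every user authenticated on the connection
    client: str               # client host:port
    server: str               # server host:port
    session: str
    message: str
    action: Optional[str] = None      # "authCheck" for access decisions
    verdict: Optional[str] = None     # "granted" or "denied"
    ns: Optional[str] = None
    command: Optional[str] = None
    spec_order: Optional[bool] = None  # True if the documented ordering was used


def parse_line(line: str) -> AuditEntry:
    """Split one audit line into its fixed fields and classify authCheck messages."""
    parts = line.strip().split(" ", 4)
    if len(parts) != 5:
        raise ValueError(f"unexpected audit line: {line!r}")
    ts, users, addrs, session, msg = parts
    client, server = addrs.split("/", 1)
    entry = AuditEntry(ts, users.split(","), client, server, session, msg)

    m = SPEC_ORDER.match(msg)
    if m:
        entry.action, entry.verdict = "authCheck", m.group(1)
        entry.command, entry.ns, entry.spec_order = m.group(2), m.group(3), True
        return entry
    m = ACTUAL_ORDER.match(msg)
    if m:
        entry.action, entry.verdict = "authCheck", m.group(1)
        entry.ns, entry.command, entry.spec_order = m.group(2), m.group(3), False
    return entry


def authcheck_summary(entries: List[AuditEntry]) -> dict:
    """Count granted/denied decisions and how many used the reversed ordering."""
    summary = {"granted": 0, "denied": 0, "reversed_order": 0}
    for e in entries:
        if e.action != "authCheck":
            continue
        summary[e.verdict] += 1
        if not e.spec_order:
            summary["reversed_order"] += 1
    return summary


def sessions_without_granted(entries: List[AuditEntry]) -> List[str]:
    """Client sessions that left audit records but never an 'Access granted'."""
    seen: List[str] = []
    granted = set()
    for e in entries:
        if e.client not in seen:
            seen.append(e.client)
        if e.verdict == "granted":
            granted.add(e.client)
    return [c for c in seen if c not in granted]


if __name__ == "__main__":
    parsed = [parse_line(l) for l in SAMPLE_LINES]
    print(authcheck_summary(parsed))
    print("sessions with no granted record:", sessions_without_granted(parsed))
```

The word right after the verdict ("for" or "on") distinguishes the two orderings, so both regexes can be tried without ambiguity; the namespace is matched as a run of non-whitespace so the Cyrillic, Hebrew and Arabic names from the test pass through unchanged. On a 2.6 server `sessions_without_granted` will list every session, since, as the comments below confirm, successes are simply not logged; it is useful as a check that a later build or a changed spec actually produces them.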

Comments
Comment by Matt Dannenberg [ 28/Oct/13 ]

spec updated

Comment by bard.bloom@10gen.com [ 25/Oct/13 ]

I agree with Eric.

Comment by Eric Milkie [ 25/Oct/13 ]

I wonder if we should change the spec to reflect the way the code logs denials. The command object can get pretty long so it's easier to skim if the namespace appears first in the message.

As far as auditing successful authorizations, this was subtle but in the spec it says " (only access denied for 2.6?) " in the notes for authCheck action type. I should remove the question mark as this is definite now for 2.6. It will not have support for logging authorization successes.

Generated at Thu Feb 08 03:25:39 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.