[SERVER-11386] authCheck documentation should reflect reality Created: 25/Oct/13 Updated: 11/Jul/16 Resolved: 25/Oct/13
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 2.5.4 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | bard.bloom@10gen.com | Assignee: | Matt Dannenberg |
| Resolution: | Done | Votes: | 0 |
| Labels: | 26qa |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Operating System: | ALL |
| Description |
The authCheck docs say "Client tried to perform the given operation, and was allowed/denied. Happens before any actions of the command, for purposes of the auditing guarantee. (only access denied for 2.6?)" Discussions with live engineers suggest that, indeed, only denied operations should be audit-logged. (Audit-logging every successful operation would amount to logging every database access of any kind, which would be prohibitive.) The code does this: denied operations are audit-logged, allowed ones are not. The documentation should reflect this decision with confidence and pride.
| Comments |
| Comment by Matt Dannenberg [ 25/Oct/13 ] |
(only access denied will be present for MongoDB Enterprise 2.6) replaced the (only access denied for 2.6?) in the wiki/docs |