[SERVER-11474] No auditing done by grantRolesToUser or revokeRolesFromUser Created: 30/Oct/13  Updated: 11/Jul/16  Resolved: 30/Oct/13

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.4

Type: Bug Priority: Blocker - P1
Reporter: bard.bloom@10gen.com Assignee: Matt Dannenberg
Resolution: Done Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Operating System: ALL
Steps To Reproduce:

A specific test case, done by hand. First, start a mongod like this:

#!/bin/bash
# Print the shell command that creates the first admin user, so it can be
# pasted into the mongo shell once mongod is up.
echo 'db.addUser({user:"uu", pwd:"pp", roles:["userAdminAnyDatabase", "clusterAdmin", "readWriteAnyDatabase", "dbAdminAnyDatabase"]})'

# Start from an empty data directory so every run is reproducible.
rm -rf /tmp/mongoda
mkdir /tmp/mongoda

# Auth enforced, audit log written in text format to /tmp/mongoda/audit.log.
mongod --port 27017 --logpath /tmp/mongoda/mongo.log --logappend --auditLog textfile --auth --auditPath /tmp/mongoda/audit.log --dbpath /tmp/mongoda --smallfiles --nopreallocj


And then revoke user privileges like this, in a mongo shell connected to that mongod:

// Create the first user (allowed over the localhost exception while no users
// exist yet), then authenticate as it.
admindb = db.getMongo().getDB('admin')
admindb.addUser({user:"uu", pwd:"pp", roles:["userAdminAnyDatabase", "clusterAdmin", "readWriteAnyDatabase", "dbAdminAnyDatabase"]})
admindb.auth("uu","pp")

// Create a user on another database with three roles, then revoke all three.
oinkdb = db.getMongo().getDB('oink')
oinkdb.addUser({user:"oo", pwd:"pp", roles:["userAdmin", "readWrite", "dbAdmin"]})
oinkdb.runCommand({revokeRolesFromUser: "oo", roles: ["userAdmin", "readWrite", "dbAdmin"]})

// Dump admin.system.users to confirm the revoke actually took effect.
admindb = db.getMongo().getDB('admin')
print("Here comes output")
admindb.system.users.find().forEach(printjson)

And look at the tail of the audit log file, where you can see the user oo
getting created, but not the authority getting revoked.

2013-10-30T11:42:39.951-0400 127.0.0.1:60861/127.0.0.1:27017 Created index user_1_db_1 on admin.system.users as { v: 1, unique: true, key: { user: 1, db: 1 }, name: "user_1_db_1", ns: "admin.system.users" }.
2013-10-30T11:42:39.953-0400 127.0.0.1:60861/127.0.0.1:27017 Created database admin.
2013-10-30T11:42:39.954-0400 127.0.0.1:60861/127.0.0.1:27017 Created index _id_ on admin.system.users as { v: 1, key: { _id: 1 }, name: "_id_", ns: "admin.system.users" }.
2013-10-30T11:42:39.962-0400 uu@admin 127.0.0.1:60861/127.0.0.1:27017 Authentication succeeded for uu@admin using mechanism MONGODB-CR.
2013-10-30T11:42:39.962-0400 uu@admin 127.0.0.1:60861/127.0.0.1:27017 Created user oo@oink with password, without customData, with the following roles: userAdmin@oink, readWrite@oink, dbAdmin@oink.

And to confirm that it happened, the last part of the shell output shows no
roles for 'oo':

{
	"_id" : "oink.oo",
	"user" : "oo",
	"db" : "oink",
	"credentials" : {
		"MONGODB-CR" : "6363103a8f514a6452b1394ec1ee613d"
	},
	"roles" : [ ]
}

Description

The grantRolesToUser and revokeRolesFromUser actions don't produce audit
records.

The spec says that they do for text output:

action               bsonfile   textfile
grantRolesToUser     NA         Granted to user <user>@<db> the roles: <role names>.
revokeRolesFromUser  NA         Revoked from user <user>@<db> the roles: <role names>.

although, in a related bug, the spec doesn't list any bsonfile output for
these actions.

However, neither format actually produces any trace in the audit log.
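To make the gap in the audit trail mechanically checkable instead of something spotted by eye in the tail of audit.log, here is an added example in Python (not part of this report or of the MongoDB code base). It parses the text-format audit log, extracts the role-affecting records, and reports which of the role changes performed by the reproduction script above have no matching record. The line layout is inferred from the five audit lines quoted in the steps to reproduce; the grant/revoke message wording is taken from the spec text quoted above; the assumption that role names are rendered as role@db (as in the quoted "Created user" line) and the sample "Revoked from user" line that stands in for fixed output are constructed for this example, not observed.

```python
"""Added example: check a MongoDB 2.5.x text-format audit log for missing
grant/revoke records.  Not part of SERVER-11474 or of the MongoDB code base.

Assumptions (not taken from the report):
- the line layout "<timestamp> [<user>@<db>] <client>/<server> <message>"
  is inferred from the five audit lines quoted in the report;
- role names are rendered as role@db, as in the quoted "Created user" line;
- the "Revoked from user" sample line below is built from the spec wording
  and is constructed, not observed output.
"""
import re
import sys

AUDIT_LINE = re.compile(
    r"^(?P<ts>\S+)\s+"                                   # timestamp
    r"(?:(?P<actor>[^\s/]+@[^\s/]+)\s+)?"                # authenticated user, if any
    r"(?P<client>[\d.]+:\d+)/(?P<server>[\d.]+:\d+)\s+"  # client/server address
    r"(?P<msg>.*)$"
)

# Message wording: spec text quoted in the description (grant/revoke) and the
# "Created user" line observed in the report.
ROLE_MESSAGES = (
    ("create", re.compile(r"^Created user (?P<user>[^@\s]+)@(?P<db>\S+) .*with the following roles: (?P<roles>.*)\.$")),
    ("grant",  re.compile(r"^Granted to user (?P<user>[^@\s]+)@(?P<db>\S+) the roles: (?P<roles>.*)\.$")),
    ("revoke", re.compile(r"^Revoked from user (?P<user>[^@\s]+)@(?P<db>\S+) the roles: (?P<roles>.*)\.$")),
)


def parse_audit_log(text):
    """Return [(action, "user@db", frozenset(roles))] for every role-affecting
    record in the log; other records (index/database creation, authentication)
    are ignored."""
    events = []
    for line in text.splitlines():
        m = AUDIT_LINE.match(line)
        if not m:
            continue
        for action, pattern in ROLE_MESSAGES:
            mm = pattern.match(m.group("msg"))
            if mm:
                roles = frozenset(r.strip() for r in mm.group("roles").split(",") if r.strip())
                events.append((action, f"{mm.group('user')}@{mm.group('db')}", roles))
                break
    return events


def missing_audit_records(expected, audit_text):
    """Return the expected (action, principal, roles) tuples with no matching
    audit record.  Each record satisfies at most one expectation, so a change
    performed twice but audited once is reported as well."""
    seen = parse_audit_log(audit_text)
    missing = []
    for event in expected:
        if event in seen:
            seen.remove(event)
        else:
            missing.append(event)
    return missing


def role_set(db, roles):
    """Render shell-style local role names in the role@db form used in the log."""
    return frozenset(f"{r}@{db}" for r in roles)


# The two role changes the reproduction script performs on oo@oink.
EXPECTED = [
    ("create", "oo@oink", role_set("oink", ["userAdmin", "readWrite", "dbAdmin"])),
    ("revoke", "oo@oink", role_set("oink", ["userAdmin", "readWrite", "dbAdmin"])),
]

# Constructed sample: the audit tail quoted in the report (revoke record absent).
BUGGY_AUDIT_LOG = """\
2013-10-30T11:42:39.951-0400 127.0.0.1:60861/127.0.0.1:27017 Created index user_1_db_1 on admin.system.users as { v: 1, unique: true, key: { user: 1, db: 1 }, name: "user_1_db_1", ns: "admin.system.users" }.
2013-10-30T11:42:39.953-0400 127.0.0.1:60861/127.0.0.1:27017 Created database admin.
2013-10-30T11:42:39.954-0400 127.0.0.1:60861/127.0.0.1:27017 Created index _id_ on admin.system.users as { v: 1, key: { _id: 1 }, name: "_id_", ns: "admin.system.users" }.
2013-10-30T11:42:39.962-0400 uu@admin 127.0.0.1:60861/127.0.0.1:27017 Authentication succeeded for uu@admin using mechanism MONGODB-CR.
2013-10-30T11:42:39.962-0400 uu@admin 127.0.0.1:60861/127.0.0.1:27017 Created user oo@oink with password, without customData, with the following roles: userAdmin@oink, readWrite@oink, dbAdmin@oink.
"""

# Constructed sample: the same tail with the revoke audited in the spec wording
# (this line is made up for the example, not taken from a real log).
FIXED_AUDIT_LOG = BUGGY_AUDIT_LOG + (
    "2013-10-30T11:42:39.970-0400 uu@admin 127.0.0.1:60861/127.0.0.1:27017 "
    "Revoked from user oo@oink the roles: userAdmin@oink, readWrite@oink, dbAdmin@oink.\n"
)


def check_file(path, expected=EXPECTED):
    """Run the check against a real audit.log; returns the missing records."""
    with open(path, encoding="utf-8") as fh:
        return missing_audit_records(expected, fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = {sys.argv[1]: check_file(sys.argv[1])}
    else:
        results = {
            "buggy": missing_audit_records(EXPECTED, BUGGY_AUDIT_LOG),
            "fixed": missing_audit_records(EXPECTED, FIXED_AUDIT_LOG),
        }
    for name, missing in results.items():
        status = "OK" if not missing else "MISSING " + ", ".join(f"{a} {p}" for a, p, _ in missing)
        print(f"{name}: {status}")
```

Run with no arguments to see the two constructed samples scored, or pass the path of the audit.log produced by the reproduction above; on a build with this bug the revoke of oo@oink is reported as missing, and a grantRolesToUser step added to the shell script would be caught the same way. Roles are compared as sets, so the order in which the server lists them does not matter.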



Comments
Comment by auto [ 30/Oct/13 ]

Author: matt dannenberg (dannenberg, matt.dannenberg@10gen.com)

Message: SERVER-11474 connect auditLogging of revokeRolesFromUser and grantRolesToUser
Branch: master
https://github.com/mongodb/mongo/commit/d8ed1f0d9475f55943515f23ca33a93c9fa64aba

Generated at Thu Feb 08 03:25:52 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.