[SERVER-11526] GrantPrivilegesToRole and RemovePrivilegesFromRole audit record shows *all* privileges not *granted* privileges
Created: 01/Nov/13  Updated: 11/Jul/16  Resolved: 01/Nov/13

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.4

Type: Bug
Priority: Major - P3
Reporter: bard.bloom@10gen.com
Assignee: Matt Dannenberg
Resolution: Done
Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL

 Description   

The audit record lists all the privileges the role has, not just the granted ones.

Here's the BSON format:

            {u'remote': {u'ip': u'127.0.0.1', u'port': 44284}, u'users': [{u'userSource': u'admin', u'user': u'admin'}], u'atype': u'grantPrivilegesToRole', u'ts': datetime.datetime(2013, 11, 1, 16, 51, 51, 37000, tzinfo=<bson.tz_util.FixedOffset object at 0x238da50>), u'param': {u'db': u'roledb34', u'privileges': [{u'resource': {u'db': u'roledb34', u'collection': u'thrip'}, u'actions': [u'createRole', u'createUser', u'dropUser']}, {u'resource': {u'db': u'admin', u'collection': u''}, u'actions': [u'collStats', u'dbHash', u'dbStats', u'find', u'killCursors']}, {u'resource': {u'db': u'admin', u'collection': u'system.indexes'}, u'actions': [u'collStats', u'dbHash', u'dbStats', u'find', u'killCursors']}, {u'resource': {u'db': u'admin', u'collection': u'system.js'}, u'actions': [u'collStats', u'dbHash', u'dbStats', u'find', u'killCursors']}, {u'resource': {u'db': u'admin', u'collection': u'system.namespaces'}, u'actions': [u'collStats', u'dbHash', u'dbStats', u'find', u'killCursors']}], u'role': u'role36'}, u'result': 0, u'local': {u'ip': u'127.0.0.1', u'port': 27017}}

Here's the text format:

            2013-11-01T12:58:02.636-0400 admin@admin 127.0.0.1:44302/127.0.0.1:27017 Granted to role role72@roledb70 the privileges: { resource: { db: "roledb70", collection: "thrip" }, actions: [ "createRole", "createUser", "dropUser" ] }, { resource: { db: "admin", collection: "" }, actions: [ "collStats", "dbHash", "dbStats", "find", "killCursors" ] }, { resource: { db: "admin", collection: "system.indexes" }, actions: [ "collStats", "dbHash", "dbStats", "find", "killCursors" ] }, { resource: { db: "admin", collection: "system.js" }, actions: [ "collStats", "dbHash", "dbStats", "find", "killCursors" ] }, { resource: { db: "admin", collection: "system.namespaces" }, actions: [ "collStats", "dbHash", "dbStats", "find", "killCursors" ] }.
 

RemovePrivileges has the same problem. That's even worse — it lists as removed all the aspects of the role EXCEPT those which were removed.
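Added example (not part of the original report and not MongoDB project code): for audit records written by an affected build, the real change can be recovered by diffing each record against the role's previously known privilege set. It assumes, reading the report above, that param.privileges holds the role's full privilege set after the operation, and that the revoke record uses the atype revokePrivilegesFromRole; flatten, true_deltas, SAMPLE and BASELINE are hypothetical names and the sample records are constructed.

```python
GRANT, REVOKE = "grantPrivilegesToRole", "revokePrivilegesFromRole"

def flatten(privileges):
    """Expand a privileges array into a set of (db, collection, action) triples."""
    return {(p["resource"]["db"], p["resource"]["collection"], a)
            for p in privileges for a in p["actions"]}

def true_deltas(records, baseline=None):
    """Return [(atype, 'role@db', changed_triples_or_None)] for grant/revoke records.

    Assumption: an affected server logged the role's full privilege set *after*
    the operation. None means no earlier state is known for that role, so the
    delta cannot be recovered from this record alone.
    """
    state = dict(baseline or {})   # 'role@db' -> triples held after last record
    results = []
    for rec in records:
        if rec.get("atype") not in (GRANT, REVOKE) or rec.get("result") != 0:
            continue               # skip unrelated events and failed operations
        key = "%s@%s" % (rec["param"]["role"], rec["param"]["db"])
        listed = flatten(rec["param"]["privileges"])
        before = state.get(key)
        if before is None:
            delta = None
        elif rec["atype"] == GRANT:
            delta = listed - before    # newly present triples were granted
        else:
            delta = before - listed    # triples that disappeared were revoked
        results.append((rec["atype"], key, delta))
        state[key] = listed
    return results

# Constructed sample data, modelled on the record in the report (not real logs).
ADMIN_READ = {"resource": {"db": "admin", "collection": ""},
              "actions": ["collStats", "dbHash", "dbStats", "find", "killCursors"]}
def _rec(atype, thrip_actions):
    return {"atype": atype, "result": 0,
            "param": {"db": "roledb34", "role": "role36", "privileges": [
                {"resource": {"db": "roledb34", "collection": "thrip"},
                 "actions": thrip_actions}, ADMIN_READ]}}

SAMPLE = [_rec(GRANT, ["createRole", "createUser", "dropUser"]),
          _rec(REVOKE, ["createRole", "createUser"])]
BASELINE = {"role36@roledb34": flatten([ADMIN_READ])}

if __name__ == "__main__":
    for atype, role, delta in true_deltas(SAMPLE, BASELINE):
        print(atype, role, sorted(delta) if delta is not None else "unknown")
```

The tracked state is only as good as the record stream: any other event that changes the role between two records makes the computed delta wrong, so seed the baseline from a trusted snapshot of the role where one exists.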



 Comments   
Comment by auto [ 01/Nov/13 ]

Author: matt dannenberg (dannenberg) <matt.dannenberg@10gen.com>

Message: SERVER-11526 pass the correct privileges to the auditlogging of (grant|revoke)Privileges(To|From)Role
Branch: master
https://github.com/mongodb/mongo/commit/948ae1886077c520d5adc73840858d6bf79ca4af
