[SERVER-12512] Add role-based, selective audit logging. Created: 28/Jan/14  Updated: 27/Oct/15  Resolved: 21/Jul/14

Status: Closed
Project: Core Server
Component/s: Logging, Security
Affects Version/s: None
Fix Version/s: 2.6.4, 2.7.4

Type: New Feature
Priority: Major - P3
Reporter: Rob Young (Inactive)
Assignee: Amalia Hawkins
Resolution: Done
Votes: 0
Labels: Auditing
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate: is duplicated by SERVER-13977: Allow filtering by roles for auditing (Closed)
Related: related to SERVER-12551: Audit DML/CRUD operations (Closed)
Related: is related to DOCS-3900: Add documentation for Audit by roles ... (Closed)
Backwards Compatibility: Minor Change
Backport Completed:
Participants:

 Description   

For compliance, many organizations are required to audit/log the activity of all or selected users of specific resources. Our current auditing implementation provides a way to specify selective logging by operation type or by acting user, which are fields in the audit log message. However, there is currently no way to log the actions of all users possessing a given role.

We should add the option to isolate and filter user activity logging based on which users possess a certain role. For example, I should be able to specify "audit log all actions taken by users with the userAdmin role on the admin database" or a list of roles such as "audit log all actions taken by users with the dbAdmin role on the foo database or the userAdmin role on the foo database or the readWrite role on the bar database."

Note that roles are defined on a database, i.e. role foo on database bar, and the user should specify a role in this manner. We may wish to provide the user with some sort of wildcard option, i.e. role foo on all databases.
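
The selection rule requested above, sketched as an added example (not part of the ticket and not MongoDB's implementation). The event fields `id`, `user` and `roles`, and the `"*"` all-databases marker, are assumptions made for illustration.

```javascript
// Added example: role-on-database selection over audit events.
// Assumption: each event carries the acting user's roles as {role, db} pairs.
const ANY_DB = "*"; // hypothetical wildcard meaning "this role on all databases"

// The ticket's second example, as a list of role-on-database selectors.
const ticketSelectors = [
  { role: "dbAdmin", db: "foo" },
  { role: "userAdmin", db: "foo" },
  { role: "readWrite", db: "bar" },
];

// A selector matches a held role only when both the name and the database
// agree; the role name alone is never enough (dbAdmin@bar is not dbAdmin@foo).
function roleMatches(selector, held) {
  return selector.role === held.role &&
    (selector.db === ANY_DB || selector.db === held.db);
}

// Audit the event when the acting user holds at least one selected role.
// Events without a roles array (for example, unauthenticated) never match.
function shouldAudit(event, selectors) {
  const held = Array.isArray(event.roles) ? event.roles : [];
  return held.some((h) => selectors.some((s) => roleMatches(s, h)));
}

function selectAudited(events, selectors) {
  return events.filter((e) => shouldAudit(e, selectors));
}

// Constructed sample events (not real log output).
const sampleEvents = [
  { id: 1, user: "alice", roles: [{ role: "dbAdmin", db: "foo" }] },
  { id: 2, user: "bob", roles: [{ role: "dbAdmin", db: "bar" }] },
  { id: 3, user: "carol", roles: [{ role: "read", db: "foo" },
                                   { role: "readWrite", db: "bar" }] },
  { id: 4, user: "dave", roles: [{ role: "userAdmin", db: "admin" }] },
  { id: 5, user: null, roles: [] },
  { id: 6, user: "erin" }, // no roles field at all
];

// Ids selected by the ticket's role list, then by a wildcard selector.
console.log(selectAudited(sampleEvents, ticketSelectors).map((e) => e.id));
console.log(selectAudited(sampleEvents, [{ role: "userAdmin", db: ANY_DB }]).map((e) => e.id));
```

Event 2 is the case worth checking in any role filter: the user holds a selected role name, but on a database the selector list does not cover, so the event is not audited.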



 Comments   
Comment by Amalia Hawkins [ 06/Aug/14 ]

Fixed.

Comment by Atul Kachru [ 06/Aug/14 ]

Question amalia.hawkins@10gen.com:
This ticket has Backport completed, but only a 2.7.5 fix version. Should there be a patch fix version as well?

Comment by Githook User [ 22/Jul/14 ]

Author: Amalia Hawkins (hawka) <amalia.hawkins@10gen.com>

Message: SERVER-12512: Add role-based, selective audit logging.

(cherry picked from commit f2d47ee)
Branch: v2.6
https://github.com/mongodb/mongo/commit/468ef06587e6d2cf2be4ea845ebb3ce22d523141

Comment by Githook User [ 22/Jul/14 ]

Author: Amalia Hawkins (hawka) <amalia.hawkins@10gen.com>

Message: SERVER-12512: Add role-based, selective audit logging.

(cherry picked from commits 241389c and 834d8c6)
Branch: v2.6
https://github.com/10gen/mongo-enterprise-modules/commit/98be5cb54cc1bbf3f8aef94ef8cc623073ffe29e

Comment by Githook User [ 21/Jul/14 ]

Author: Amalia Hawkins (hawka) <amalia.hawkins@10gen.com>

Message: SERVER-12512 fix uassert error codes
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/834d8c6b57c01a5ff72ea3790a903c74683ab214

Comment by Githook User [ 21/Jul/14 ]

Author: Amalia Hawkins (hawka) <amalia.hawkins@10gen.com>

Message: SERVER-12512: Add role-based, selective audit logging.
Branch: master
https://github.com/mongodb/mongo/commit/f2d47ee02a94f56b29e1874aebf8ae4dca222d2e

Comment by Githook User [ 21/Jul/14 ]

Author: Amalia Hawkins (hawka) <amalia.hawkins@10gen.com>

Message: SERVER-12512: Add role-based, selective audit logging.
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/241389c715f1f8d2b4c1c3efebca9d499661b64f

Comment by Eric Milkie [ 16/Jul/14 ]

backwards compatibility -> minor change, due to audit log format change.

Generated at Thu Feb 08 03:28:44 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.