[SERVER-16364] Audit code should not redact the contents of CRUD operations Created: 01/Dec/14  Updated: 12/Aug/19  Resolved: 09/Aug/19

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.6.0
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Andy Schwerin Assignee: Spencer Jackson
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by SERVER-36606 Remove size limits on BSON audit events Closed
Related
related to SERVER-41634 Audit log entry for insertMany only i... Closed
Operating System: ALL
Sprint: Security 2019-08-12
Participants:

 Description   

As of 2.6.0, when commands authorization checks get logged for write command (insert, update, delete), if the command contains multiple actions (several inserts, say), the audit code only logs the number of actions, not the actions themselves. This was a side-effect of SERVER-12252.



 Comments   
Comment by Spencer Jackson [ 09/Aug/19 ]

This behaviour was observed again in SERVER-41634, and discovered to have been resolved by SERVER-36606.

Comment by Andy Schwerin [ 01/Dec/14 ]

This was the relevant commit: https://github.com/mongodb/mongo/commit/a6867c67c3fd2d3d3be3d13cba7840e3acedb575. The author was leveraging the fact that OpDebug::report calls redactForLogging, and the impact on the redaction in the audit code was a side effect.

Generated at Thu Feb 08 03:40:49 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.