[SERVER-30247] Auditing login messages should contain roles user has at login time and whenever they change Created: 20/Jul/17  Updated: 30/Oct/23  Resolved: 26/Feb/21

Status: Closed
Project: Core Server
Component/s: Admin
Affects Version/s: None
Fix Version/s: 4.9.0

Type: Improvement Priority: Major - P3
Reporter: Osmar Olivo Assignee: Benjamin Caimano (Inactive)
Resolution: Fixed Votes: 0
Labels: gm-ack, neweng
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Sprint: Security 2021-02-22, Security 2021-03-08
Participants:

 Description   

External authorization means that someone's external groups may change, which in turn changes their MongoDB credentials, but no audit entry is produced for MongoDB. It therefore makes it very difficult to answer a question like "What permissions did this user have that allowed them to do this?"
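Added example (not from the ticket and not MongoDB's own code): a small analyser that answers the question in the description from the audit log itself. It assumes the documented JSON-lines audit format, in which every entry carries "atype", "ts", "users" and "roles" arrays and an "authCheck" entry also carries "param.command", "param.ns" and "result". The four log lines are constructed for the example, and the function names are mine.

```python
"""Reconstruct a user's role set over time from MongoDB audit log entries.

Assumption: the JSON-lines audit format as documented for MongoDB Enterprise,
where each entry has "atype", "ts", "users" and "roles" and authCheck entries
have "param" and "result". The sample lines below are constructed.
"""
import json
from datetime import datetime

# Constructed sample: an LDAP-backed user ("$external") whose external group
# membership grows between two sessions. The "roles" array recorded on each
# entry is what lets an investigator say what the user could do at that moment.
# local/remote fields are trimmed from the authCheck lines for brevity.
# result 0 is success; 13 is MongoDB's Unauthorized error code.
SAMPLE_AUDIT_LOG = """\
{"atype":"authenticate","ts":{"$date":"2021-02-01T10:00:00.000+00:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.9","port":51234},"users":[{"user":"alice","db":"$external"}],"roles":[{"role":"read","db":"payroll"}],"param":{"user":"alice","db":"$external","mechanism":"PLAIN"},"result":0}
{"atype":"authCheck","ts":{"$date":"2021-02-01T10:00:05.000+00:00"},"users":[{"user":"alice","db":"$external"}],"roles":[{"role":"read","db":"payroll"}],"param":{"command":"find","ns":"payroll.salaries","args":{"find":"salaries","filter":{}}},"result":0}
{"atype":"authCheck","ts":{"$date":"2021-02-01T10:01:00.000+00:00"},"users":[{"user":"alice","db":"$external"}],"roles":[{"role":"read","db":"payroll"}],"param":{"command":"delete","ns":"payroll.salaries","args":{"delete":"salaries","deletes":[{"q":{},"limit":0}]}},"result":13}
{"atype":"authCheck","ts":{"$date":"2021-02-03T09:30:00.000+00:00"},"users":[{"user":"alice","db":"$external"}],"roles":[{"role":"readWrite","db":"payroll"},{"role":"dbAdmin","db":"payroll"}],"param":{"command":"delete","ns":"payroll.salaries","args":{"delete":"salaries","deletes":[{"q":{},"limit":0}]}},"result":0}
"""


def parse_audit_log(text):
    """Parse JSON-lines audit output into dicts, adding a parsed 'when' datetime."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        entry["when"] = datetime.fromisoformat(entry["ts"]["$date"])
        entries.append(entry)
    entries.sort(key=lambda e: e["when"])
    return entries


def _principals(entry):
    """Set of (user, db) pairs the entry was recorded for."""
    return {(u["user"], u["db"]) for u in entry.get("users") or []}


def _role_set(entry):
    """Roles on the entry as 'role@db' strings, so sets compare cleanly."""
    return frozenset("%s@%s" % (r["role"], r["db"]) for r in entry.get("roles") or [])


def roles_at(entries, user, db, when_iso):
    """Roles the log shows for (user, db) at the given ISO-8601 instant, taken
    from the latest entry for that principal at or before it. None if there is
    no earlier entry (the log cannot answer the question for that moment)."""
    when = datetime.fromisoformat(when_iso)
    latest = None
    for e in entries:
        if e["when"] <= when and (user, db) in _principals(e):
            latest = e
    return _role_set(latest) if latest is not None else None


def role_changes(entries, user, db):
    """Points where the recorded role set for a principal differs from the
    previous entry: list of (when, roles_removed, roles_added)."""
    changes = []
    previous = None
    for e in entries:
        if (user, db) not in _principals(e):
            continue
        current = _role_set(e)
        if previous is not None and current != previous:
            changes.append((e["when"], previous - current, current - previous))
        previous = current
    return changes


def explain_authchecks(entries, user, db):
    """Each authCheck by the principal as (when, command, ns, granted, roles),
    i.e. the action together with the roles that decided it."""
    out = []
    for e in entries:
        if e["atype"] != "authCheck" or (user, db) not in _principals(e):
            continue
        p = e["param"]
        out.append((e["when"], p["command"], p.get("ns"), e["result"] == 0, _role_set(e)))
    return out


ENTRIES = parse_audit_log(SAMPLE_AUDIT_LOG)

if __name__ == "__main__":
    for when, command, ns, granted, roles in explain_authchecks(ENTRIES, "alice", "$external"):
        print(when.isoformat(), command, ns, "granted" if granted else "DENIED", sorted(roles))
    for when, removed, added in role_changes(ENTRIES, "alice", "$external"):
        print("role change at", when.isoformat(), "removed", sorted(removed), "added", sorted(added))
```

One caveat when using this against a real deployment: by default the audit system records only failed authorization checks, so the successful "find" and "delete" entries above appear only if the server runs with the `auditAuthorizationSuccess` parameter enabled (for example `mongod --setParameter auditAuthorizationSuccess=true`). Without it, the role history is reconstructable only from authenticate entries and from denied actions, which is why the ticket's ask to carry roles on every message matters.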



 Comments   
Comment by Benjamin Caimano (Inactive) [ 26/Feb/21 ]

I've confirmed that the role information is included and written a test to guarantee this going forward.

Comment by Githook User [ 26/Feb/21 ]

Author:

{'name': 'Ben Caimano', 'email': 'ben.caimano@10gen.com'}

Message: SERVER-30247 Verify roles are included with authCheck audits
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/368aea3c50dfbfe640f4b430dcb7f0123c248b6d

Comment by Gregory McKeon (Inactive) [ 21/Jul/17 ]

Is this ready to go into the epic?

Comment by Osmar Olivo [ 21/Jul/17 ]

Good point. Yes, I meant roles.

Comment by Andy Schwerin [ 20/Jul/17 ]

That could be a very long list. Would the list of roles be enough, since the role-privilege mapping is stored in mongodb and is/could be audited on change?

Generated at Thu Feb 08 04:23:09 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.