[SERVER-30247] Auditing login messages should contain roles user has at login time and whenever they change
Created: 20/Jul/17 | Updated: 30/Oct/23 | Resolved: 26/Feb/21 |
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Admin |
| Affects Version/s: | None |
| Fix Version/s: | 4.9.0 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Osmar Olivo | Assignee: | Benjamin Caimano (Inactive) |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | gm-ack, neweng |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Backwards Compatibility: | Fully Compatible |
| Sprint: | Security 2021-02-22, Security 2021-03-08 |
| Description |
|
External authorization means that someone's external groups may change, which in turn changes their MongoDB credentials, but no audit entry is produced for MongoDB. It therefore makes it very difficult to answer a question like "What permissions did this user have that allowed them to do this?" |
| Comments |
| Comment by Benjamin Caimano (Inactive) [ 26/Feb/21 ] |
|
I've confirmed that the role information is included and written a test to guarantee this going forward. |
| Comment by Githook User [ 26/Feb/21 ] |
|
Author: {'name': 'Ben Caimano', 'email': 'ben.caimano@10gen.com'} Message: |
| Comment by Gregory McKeon (Inactive) [ 21/Jul/17 ] |
|
Is this ready to go into the epic? |
| Comment by Osmar Olivo [ 21/Jul/17 ] |
|
Good point. Yes, I meant roles. |
| Comment by Andy Schwerin [ 20/Jul/17 ] |
|
That could be a very long list. Would the list of roles be enough, since the role-privilege mapping is stored in MongoDB and is/could be audited on change? |