[SERVER-50394] mongod audit log attributes DDL operations to the __system user in a sharded environment Created: 19/Aug/20  Updated: 29/Oct/23  Resolved: 18/Sep/20

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 4.0.20, 3.6.19
Fix Version/s: 4.8.0, 4.2.10, 4.4.2

Type: Bug Priority: Major - P3
Reporter: Eric Sedor Assignee: Sara Golemon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Problem/Incident
Related
related to SERVER-50990 createIndex audit with user name Closed
related to SERVER-50991 audit createIndex on empty collection Closed
related to SERVER-50992 Include viewOn and pipeline in create... Closed
related to SERVER-50993 Audit dropCollection for views Closed
related to SERVER-50994 Audit of dropCollection during dropDa... Closed
is related to SERVER-11192 Audit system cannot ascribe DDL opera... Closed
Backwards Compatibility: Minor Change
Operating System: ALL
Backport Requested:
v4.4, v4.2, v4.0, v3.6
Sprint: Security 2020-09-21
Participants:
Case:
Linked BF Score: 50

Description

Seemingly related to SERVER-11192, the __system user is audited as the initiator of DDL operations like createDatabase, dropDatabase, createCollection, dropCollection, createIndex, and dropIndex when those commands are run from a mongos in a sharded environment.

CRUD operations are correctly attributed.

A partial workaround is to use auditAuthorizationSuccess and an auditFilter focusing on DDL operations, on mongos nodes, to obtain authCheck audits from the mongos. But this is not applicable in all cases (e.g. implicit collection creation).
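As an added example (not from the ticket or from the MongoDB code base) of how an operator can work with the partial workaround above: the script below takes constructed mongod and mongos audit records, flags DDL entries whose only listed user is __system, and recovers the real user from the mongos authCheck record (auditAuthorizationSuccess enabled) on the same namespace that preceded it. Field names follow MongoDB's JSON audit format; the timestamps, users and namespaces are made up, and the implicit creation of app.events via an insert stays unattributed, matching the caveat in the description.

```python
import json
from datetime import datetime, timedelta

# DDL action types that mongod attributes to __system when driven through mongos (per this ticket).
DDL_ATYPES = {"createDatabase", "dropDatabase", "createCollection",
              "dropCollection", "createIndex", "dropIndex"}
# mongos commands whose authCheck records (auditAuthorizationSuccess=true) carry the real user.
DDL_COMMANDS = {"create", "drop", "createIndexes", "dropIndexes", "dropDatabase"}

# Constructed sample audit records in MongoDB's JSON audit format (not taken from the ticket).
MONGOD_LOG = """\
{"atype":"createCollection","ts":{"$date":"2020-08-19T14:00:01.120+0000"},"users":[{"user":"__system","db":"local"}],"param":{"ns":"app.orders"},"result":0}
{"atype":"createIndex","ts":{"$date":"2020-08-19T14:00:02.300+0000"},"users":[{"user":"__system","db":"local"}],"param":{"ns":"app.orders","indexName":"sku_1"},"result":0}
{"atype":"createCollection","ts":{"$date":"2020-08-19T14:00:05.000+0000"},"users":[{"user":"__system","db":"local"}],"param":{"ns":"app.events"},"result":0}
"""
MONGOS_LOG = """\
{"atype":"authCheck","ts":{"$date":"2020-08-19T14:00:01.050+0000"},"users":[{"user":"alice","db":"admin"}],"param":{"command":"create","ns":"app.orders"},"result":0}
{"atype":"authCheck","ts":{"$date":"2020-08-19T14:00:02.210+0000"},"users":[{"user":"alice","db":"admin"}],"param":{"command":"createIndexes","ns":"app.orders"},"result":0}
{"atype":"authCheck","ts":{"$date":"2020-08-19T14:00:04.900+0000"},"users":[{"user":"bob","db":"admin"}],"param":{"command":"insert","ns":"app.events"},"result":0}
"""

def load(text):
    """Parse one JSON audit record per line; timestamps are extended JSON {"$date": ...}."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["_ts"] = datetime.strptime(e["ts"]["$date"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return events

def system_attributed_ddl(mongod_events):
    """DDL records whose only listed user is __system: the attribution cannot be trusted."""
    return [e for e in mongod_events if e["atype"] in DDL_ATYPES
            and [u["user"] for u in e.get("users", [])] == ["__system"]]

def reattribute(mongod_events, mongos_events, window=timedelta(seconds=2)):
    """Map each __system DDL record to the successful mongos authCheck for a DDL command
    on the same namespace that preceded it within `window`; None when nothing matches
    (e.g. a collection created implicitly by an insert)."""
    checks = [c for c in mongos_events if c["atype"] == "authCheck"
              and c["param"].get("command") in DDL_COMMANDS and c.get("result") == 0]
    out = {}
    for e in system_attributed_ddl(mongod_events):
        ns = e["param"]["ns"]
        match = [c for c in checks if c["param"].get("ns") == ns
                 and timedelta(0) <= e["_ts"] - c["_ts"] <= window]
        out[(e["atype"], ns)] = match[-1]["users"][0]["user"] if match else None
    return out

if __name__ == "__main__":
    for key, user in reattribute(load(MONGOD_LOG), load(MONGOS_LOG)).items():
        print(key, "->", user or "UNATTRIBUTED (no DDL authCheck on mongos)")
```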



Comments
Comment by Githook User [ 18/Sep/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-50394 Forward impersonatedUser/Role information when available

(cherry picked from commit cf4fa7e9e0b5a1b0c358da1c981083b5ec179c30)
Branch: v4.2
https://github.com/mongodb/mongo/commit/50277ed5764080365671339eaee72ff325f46558

Comment by Githook User [ 18/Sep/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-50394 Ensure the correct user is attributed for DDL ops from mongos

(cherry picked from commit 6fc0bd5c1e426b135c7dadb90b9b27fe2d25e76c)
Branch: v4.2
https://github.com/10gen/mongo-enterprise-modules/commit/828f659e86389fe445664cbf49fbe6af39cd55b7

Comment by Githook User [ 18/Sep/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-50394 Properly escape regex
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/29c754856f4f89624144456d09a10af597386799

Comment by Githook User [ 18/Sep/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-50394 Forward impersonatedUser/Role information when available

(cherry picked from commit cf4fa7e9e0b5a1b0c358da1c981083b5ec179c30)
Branch: v4.4
https://github.com/mongodb/mongo/commit/3af9bff5317b63d6276b86b7bd646c0fee0e96b1

Comment by Githook User [ 18/Sep/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-50394 Ensure the correct user is attributed for DDL ops from mongos

(cherry picked from commit 6fc0bd5c1e426b135c7dadb90b9b27fe2d25e76c)
Branch: v4.4
https://github.com/10gen/mongo-enterprise-modules/commit/cc0fb3b1e8b1a64e12599b9963aacd982b371bfd

Comment by Githook User [ 18/Sep/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-50394 Forward impersonatedUser/Role information when available
Branch: master
https://github.com/mongodb/mongo/commit/cf4fa7e9e0b5a1b0c358da1c981083b5ec179c30

Comment by Githook User [ 18/Sep/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-50394 Ensure the correct user is attributed for DDL ops from mongos
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/6fc0bd5c1e426b135c7dadb90b9b27fe2d25e76c

Generated at Thu Feb 08 05:22:32 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.