[SERVER-54260] Ensure that DDL operations are only audited on Primaries Created: 03/Feb/21 Updated: 29/Oct/23 Resolved: 02/Mar/21 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Admin, Security, Storage |
| Affects Version/s: | None |
| Fix Version/s: | 4.9.0 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Spencer Jackson | Assignee: | Varun Ravichandran |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||
| Backwards Compatibility: | Fully Compatible | ||||||||||||
| Sprint: | Security 2021-02-22, Security 2021-03-08 | ||||||||||||
| Participants: | |||||||||||||
| Description |
|
DDL operations are currently audited on primaries and secondaries. Unfortunately, the audit hooks for these operations are buried in the execution machinery which is invoked during parallel batch application. This means that synchronous file writes, to the log file, are performed in the critical path of oplog application, potentially impairing the node's ability to keep up with its primary. We should prevent secondaries from emitting DDL audit events for replicated changes.
Note that we must still record DDL events for local, non-replicated changes. These are DDL operations on the local database, and any collection named system.profile. |
| Comments |
| Comment by Githook User [ 01/Mar/21 ] |
|
Author: {'name': 'Varun Ravichandran', 'email': 'varun.ravichandran@mongodb.com', 'username': 'varunravi98'}Message: |
| Comment by Githook User [ 01/Mar/21 ] |
|
Author: {'name': 'Varun Ravichandran', 'email': 'varun.ravichandran@mongodb.com', 'username': 'varunravi98'}Message: |