[SERVER-54524] Extend Authorization Session to record all access checks and privilege checks. Created: 12/Feb/21  Updated: 29/Oct/23  Resolved: 22/Mar/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 4.9.0

Type: Task Priority: Major - P3
Reporter: Mark Benvenuto Assignee: Mark Benvenuto
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Sprint: Security 2021-03-22
Participants:

 Description   
  • Add method to verify contract. Call verification method after commands finish running in server_entry_point_common.cpp.
  • Cannot just do it after priv check since listDatabases (and likely others) check during run(). Ensure sync and async commands are hooked.
  • Add AuthorizationContract as a member variable that is reset on AuthorizationSession::startRequest
  • Instrument each public member with call to record privilege or access check
  • Add private member functions that store access_check/priv after check of testingProctor - split function so it can be inlined for perf with fast and slow paths

Auth C++ Unit Tests in authorization_session_test.cpp

  • Positive: Make a correct set of calls on Authorization_Session and verify it passes against a contract
  • Negative: Make an incorrect set of calls on Authorization_Session and verify it fails against a contract
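
A minimal model of the record-then-verify mechanism described above, written as an added example and not MongoDB's implementation. The enum values, the `_testing` flag standing in for the testing-proctor check, and the class shapes are assumptions; resource patterns are omitted.

```cpp
#include <bitset>
#include <cstddef>
#include <initializer_list>

// Hypothetical enums; a real server has many more checks and action types.
enum class AccessCheck : std::size_t { kIsAuthenticated, kIsCoauthorizedWith, kCount };
enum class Action : std::size_t { kFind, kInsert, kListDatabases, kCount };

// Simplified contract: a set of access checks plus a set of actions.
class AuthorizationContract {
public:
    AuthorizationContract() = default;
    AuthorizationContract(std::initializer_list<AccessCheck> checks,
                          std::initializer_list<Action> actions) {
        for (auto c : checks) addAccessCheck(c);
        for (auto a : actions) addPrivilege(a);
    }
    void addAccessCheck(AccessCheck c) { _checks.set(static_cast<std::size_t>(c)); }
    void addPrivilege(Action a) { _actions.set(static_cast<std::size_t>(a)); }
    void clear() { _checks.reset(); _actions.reset(); }
    // True when everything recorded in `observed` was declared in *this.
    bool contains(const AuthorizationContract& observed) const {
        return (observed._checks & ~_checks).none() &&
               (observed._actions & ~_actions).none();
    }
private:
    std::bitset<static_cast<std::size_t>(AccessCheck::kCount)> _checks;
    std::bitset<static_cast<std::size_t>(Action::kCount)> _actions;
};

// Toy session: every public check records itself before answering.
class AuthorizationSession {
public:
    explicit AuthorizationSession(bool testing) : _testing(testing) {}
    void startRequest() { _observed.clear(); }  // contract is reset per request
    bool isAuthenticated() { record(AccessCheck::kIsAuthenticated); return true; }
    bool isAuthorizedFor(Action a) { record(a); return true; }
    // Called after the command finishes, so checks made during run() are seen.
    bool verifyContract(const AuthorizationContract& declared) const {
        return !_testing || declared.contains(_observed);
    }
private:
    // Fast path is a single inlinable branch; recording happens only under test.
    void record(AccessCheck c) { if (_testing) _observed.addAccessCheck(c); }
    void record(Action a) { if (_testing) _observed.addPrivilege(a); }
    bool _testing;
    AuthorizationContract _observed;
};
```

A command that performs a check its contract does not declare fails verification, which is the negative test case above; the positive case is a contract that covers every recorded check.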


 Comments   
Comment by Githook User [ 22/Mar/21 ]

Author: Mark Benvenuto <mark.benvenuto@mongodb.com> (markbenvenuto)

Message: SERVER-54524 Extend Authorization Session to record all access checks and privilege checks.
Branch: master
https://github.com/mongodb/mongo/commit/68dbfa5edbb55fec190e508607cf2276367f4f93
