[SERVER-65777] "revokePrivilegesFromRole" param.ns missing user object in audit log Created: 14/Apr/22  Updated: 29/Oct/23  Resolved: 16/May/22

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 6.0.0-rc7, 5.0.10, 6.1.0-rc0

Type: Bug Priority: Major - P3
Reporter: Jack Park Assignee: Sara Golemon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

MongoDB shell version v5.0.3


Attachments: PNG File diff.png    
Issue Links:
Backports
Backwards Compatibility: Minor Change
Backport Requested:
v6.0, v5.0
Sprint: Security 2022-05-16
Participants:

 Description   

Problem Statement/Rationale

When revoking a privilege from a role (aka revokePrivilegesFromRole), the corresponding audit logs (1 with atype: authCheck, and 1 with atype: revokePrivilegesFromRole) should include both the database and the role name in param.ns.

 

Steps to Reproduce

  1. Revoke a privilege from a role.
  2. Check the audit log that was produced.

Expected Results

It should produce a log that resembles this: 

  • param.ns should have BOTH the db and the role.

    { "atype" : "authCheck", "ts" : { "$date" : "2022-04-14T21:00:01.873+00:00" }, "uuid" : { "$binary" : "isi10Tt7SjuEmUTyiOW2Wg==", "$type" : "04" }, "local" : { "ip" : "172.31.80.31", "port" : 27017 }, "remote" : { "ip" : "172.31.64.227", "port" : 57258 }, "users" : [ { "user" : "jackAdmin", "db" : "admin" } ], "roles" : [ { "role" : "root", "db" : "admin" }, { "role" : "userAdminAnyDatabase", "db" : "admin" }, { "role" : "readWriteAnyDatabase", "db" : "admin" } ], "param" : { "command" : "revokePrivilegesFromRole", "ns" : "tlcdb.tester", "args" : { "revokePrivilegesFromRole" : "tester", "privileges" : [ { "resource" : { "db" : "tlcdb", "collection" : "testcoll" }, "actions" : [ "find" ] } ], "writeConcern" : { "w" : "majority", "wtimeout" : 600000 }, "lsid" : { "id" : { "$binary" : "rJAp+YHMTH2gQZOI7Xrppw==", "$type" : "04" } }, "$db" : "tlcdb" } }, "result" : 0 }

Actual Results

It produces the following log:

  • param.ns only has the db name. It is missing the role that should come after the period.

{ "atype" : "authCheck", "ts" : { "$date" : "2022-04-14T21:00:01.873+00:00" }, "uuid" : { "$binary" : "isi10Tt7SjuEmUTyiOW2Wg==", "$type" : "04" }, "local" : { "ip" : "172.31.80.31", "port" : 27017 }, "remote" : { "ip" : "172.31.64.227", "port" : 57258 }, "users" : [ { "user" : "jackAdmin", "db" : "admin" } ], "roles" : [ { "role" : "root", "db" : "admin" }, { "role" : "userAdminAnyDatabase", "db" : "admin" }, { "role" : "readWriteAnyDatabase", "db" : "admin" } ], "param" : { "command" : "revokePrivilegesFromRole", "ns" : "tlcdb.", "args" : { "revokePrivilegesFromRole" : "tester", "privileges" : [ { "resource" : { "db" : "tlcdb", "collection" : "testcoll" }, "actions" : [ "find" ] } ], "writeConcern" : { "w" : "majority", "wtimeout" : 600000 }, "lsid" : { "id" : { "$binary" : "rJAp+YHMTH2gQZOI7Xrppw==", "$type" : "04" } }, "$db" : "tlcdb" } }, "result" : 0 }

 




 Comments   
Comment by Githook User [ 20/May/22 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-65777 Fix ns emitted for UMC commands

(cherry picked from commit 925e00657a22b368e75504b40ba3ea91c7de3396)
Branch: v5.0
https://github.com/mongodb/mongo/commit/0c760babbaf661d13fb2d1838f46fb70753d681c

Comment by Githook User [ 20/May/22 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-65777 Test audited 'ns' field in authCheck entries

(cherry picked from commit 787fbfa9b4964e710a1091bf54a6673d1aa8dd0e)
Branch: v5.0
https://github.com/10gen/mongo-enterprise-modules/commit/603df5a0ff23d64e45e979a63f2ead2f379fee1c

Comment by Githook User [ 19/May/22 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-65777 Fix ns emitted for UMC commands

(cherry picked from commit 925e00657a22b368e75504b40ba3ea91c7de3396)
Branch: v6.0
https://github.com/mongodb/mongo/commit/783b48a1d1b342b5fc9e7eade536c6f12c1f50dd

Comment by Githook User [ 19/May/22 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-65777 Test audited 'ns' field in authCheck entries

(cherry picked from commit 787fbfa9b4964e710a1091bf54a6673d1aa8dd0e)
Branch: v6.0
https://github.com/10gen/mongo-enterprise-modules/commit/f54f1d05f42832d9747c4a03daa699915cb354cc

Comment by Githook User [ 16/May/22 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-65777 Fix ns emitted for UMC commands
Branch: master
https://github.com/mongodb/mongo/commit/925e00657a22b368e75504b40ba3ea91c7de3396

Comment by Githook User [ 16/May/22 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-65777 Test audited 'ns' field in authCheck entries
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/787fbfa9b4964e710a1091bf54a6673d1aa8dd0e

Comment by Sara Golemon [ 10/May/22 ]

Thanks for the report. Definitely a regression (impacting more than just this command), and a fix is on the way for v5.0, v6.0, and master.

Comment by Chris Kelly [ 02/May/22 ]

Hi Jack,

I was able to replicate your issue on MongoDB 5.0.3 Enterprise running a single mongod with authentication enabled, and the following set to show successful authChecks:

db.adminCommand( { setParameter: 1, auditAuthorizationSuccess: true } )

I was able to see the missing role, and the extraneous period added to the param->ns value. In my case, I removed a privilege and got this output (similar to yours):

{ "atype" : "authCheck", "ts" : { "$date" : "2022-05-02T20:44:56.894+00:00" }, "uuid" : { "$binary" : "52ifWvQDRPGKVvMAWOg9gw==", "$type" : "04" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 38646 }, "users" : [ { "user" : "user", "db" : "admin" } ], "roles" : [ { "role" : "clusterAdmin", "db" : "admin" }, { "role" : "userAdminAnyDatabase", "db" : "admin" }, { "role" : "readWriteAnyDatabase", "db" : "admin" }, { "role" : "dbAdminAnyDatabase", "db" : "admin" } ], "param" : { "command" : "revokePrivilegesFromRole", "ns" : "admin.", "args" : { "revokePrivilegesFromRole" : "testRole2", "privileges" : [ { "resource" : { "db" : "test", "collection" : "testCollection" }, "actions" : [ "update" ] } ], "writeConcern" : { "w" : "majority", "wtimeout" : 600000 }, "lsid" : { "id" : { "$binary" : "jYy3ET+gSqy6fdTSbS9Wgw==", "$type" : "04" } }, "$db" : "admin" } }, "result" : 0 }

Interestingly however, I do not observe this behavior on MongoDB 4.4.8 Enterprise:

{ "atype" : "authCheck", "ts" : { "$date" : "2022-05-02T20:57:29.250+00:00" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 38722 }, "users" : [ { "user" : "user", "db" : "admin" } ], "roles" : [ { "role" : "readWriteAnyDatabase", "db" : "admin" }, { "role" : "dbAdminAnyDatabase", "db" : "admin" }, { "role" : "userAdminAnyDatabase", "db" : "admin" }, { "role" : "clusterAdmin", "db" : "admin" } ], "param" : { "command" : "revokePrivilegesFromRole", "ns" : "admin.testRole2", "args" : { "revokePrivilegesFromRole" : "testRole2", "privileges" : [ { "resource" : { "db" : "test", "collection" : "testCollection" }, "actions" : [ "update" ] } ], "writeConcern" : { "w" : "majority", "wtimeout" : 600000 }, "lsid" : { "id" : { "$binary" : "8CbeOZ3sRbm8kT03dPSKbA==", "$type" : "04" } }, "$db" : "admin" } }, "result" : 0 }

As such, it's pretty safe to say this is supposed to be displaying both the db and role in param.ns. This was a pretty good find - I will move this to the security team for next steps.

In the meantime, it may be appropriate to try and glean this information from other parts of the audit line. Even though it does not show the db.role pair in param.ns, you can at least still see the affected db and role nearby in the same line, so I don't think you'll have a blind spot at the moment. Specifically, for the role you should be able to refer to args.revokePrivilegesFromRole for now. Thank you for your report!

Regards,
Christopher
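
The workaround described in the comment above, as an added example that is not part of the ticket or of MongoDB's code: it scans audit log lines, flags entries whose `param.ns` was truncated to `<db>.`, and rebuilds the namespace from `args.<command>`. The function names and the sample lines are constructed for illustration (trimmed to the shape of the entries quoted in this ticket), and applying the same repair to commands other than `revokePrivilegesFromRole` is an assumption.

```python
import json

# Constructed sample lines, trimmed to the shape of the entries quoted in this ticket.
SAMPLE_LINES = [
    '{"atype": "authCheck", "param": {"command": "revokePrivilegesFromRole", '
    '"ns": "tlcdb.", "args": {"revokePrivilegesFromRole": "tester", "$db": "tlcdb"}}, "result": 0}',
    '{"atype": "authCheck", "param": {"command": "revokePrivilegesFromRole", '
    '"ns": "admin.testRole2", "args": {"revokePrivilegesFromRole": "testRole2", "$db": "admin"}}, "result": 0}',
    '{"atype": "authCheck", "param": {"command": "find", '
    '"ns": "test.testCollection", "args": {"find": "testCollection", "$db": "test"}}, "result": 0}',
]


def repair_ns(entry):
    """Return (ns, repaired) for one parsed audit entry.

    When param.ns is truncated to "<db>." the missing name is taken from
    args[<command>], which for revokePrivilegesFromRole holds the role name.
    """
    param = entry.get("param") or {}
    ns = param.get("ns")
    if not isinstance(ns, str) or not ns.endswith("."):
        return ns, False  # ns is intact (or absent); nothing to repair
    target = (param.get("args") or {}).get(param.get("command"))
    if not isinstance(target, str) or not target:
        return ns, False  # no usable name in args; keep the value as logged
    return ns + target, True


def scan(lines):
    """Return [(line_number, effective_ns, repaired)] for every parseable line."""
    results = []
    for lineno, line in enumerate(lines, 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip partial or non-JSON lines rather than abort the scan
        ns, repaired = repair_ns(entry)
        results.append((lineno, ns, repaired))
    return results


if __name__ == "__main__":
    for lineno, ns, repaired in scan(SAMPLE_LINES):
        print(lineno, ns, "(repaired from args)" if repaired else "")
```

Entries reported as repaired also indicate that the server producing the log is still on a build with the truncated `ns` behaviour.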
