[SERVER-65777] "revokePrivilegesFromRole" param.ns missing user object in audit log

Created: 14/Apr/22 | Updated: 29/Oct/23 | Resolved: 16/May/22

| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 6.0.0-rc7, 5.0.10, 6.1.0-rc0 |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Jack Park |
| Assignee: | Sara Golemon |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | MongoDB shell version v5.0.3 |
| Backwards Compatibility: | Minor Change |
| Backport Requested: | v6.0, v5.0 |
| Sprint: | Security 2022-05-16 |

Description

Comments
Comment by Githook User [ 20/May/22 ]

Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)
Message: (cherry picked from commit 925e00657a22b368e75504b40ba3ea91c7de3396)
Comment by Githook User [ 20/May/22 ]

Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)
Message: (cherry picked from commit 787fbfa9b4964e710a1091bf54a6673d1aa8dd0e)
Comment by Githook User [ 19/May/22 ]

Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)
Message: (cherry picked from commit 925e00657a22b368e75504b40ba3ea91c7de3396)
Comment by Githook User [ 19/May/22 ]

Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)
Message: (cherry picked from commit 787fbfa9b4964e710a1091bf54a6673d1aa8dd0e)
Comment by Githook User [ 16/May/22 ]

Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)
Message:
Comment by Githook User [ 16/May/22 ]

Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)
Message:
Comment by Sara Golemon [ 10/May/22 ]

Thanks for the report. Definitely a regression (impacting more than just this command), and a fix is on the way for v5.0, v6.0, and master.
Comment by Chris Kelly [ 02/May/22 ]

Hi Jack,

I was able to replicate your issue on MongoDB 5.0.3 Enterprise running a single mongod with authentication enabled, and the following set to show successful authChecks:

I was able to see the missing role, and the extraneous period added to the param->ns value. In my case, I removed a privilege and got this output (similar to yours):

Interestingly, however, I do not observe this behavior on MongoDB 4.4.8 Enterprise:

As such, it's pretty safe to say this is supposed to be displaying both the db and role in param.ns. This was a pretty good find - I will move this to the security team for next steps.

In the meantime, it may be appropriate to try and glean this information from other parts of the audit line. Even though it does not show the db.role pair in param.ns, you can at least still see the affected db and role nearby in the same line, so I don't think you'll have a blind spot at the moment. Specifically, for the role you should be able to refer to args.revokePrivilegesFromRole for now.

Thank you for your report!

Regards,
As such, it's pretty safe to say this is supposed to be displaying both the db and role in param.ns. This was a pretty good find - I will move this to the security team for next steps. In the meantime, it may be appropriate to try and glean this information from other parts of the audit line. Even though it does not show the db.role pair in param.ns, you can at least still see the affected db and role nearby in the same line, so I don't think you'll have a blind spot at the moment. Specifically, for the role you should be able to refer to args.revokePrivilegesFromRole for now. Thank you for your report! Regards, |