[SERVER-71605] Provide option to deduplicate impersonated user and role information
Created: 24/Nov/22
Updated: 07/Dec/22

Status: Open
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task
Priority: Major - P3
Reporter: Varun Ravichandran
Assignee: Backlog - Security Team
Resolution: Unresolved
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-71766 Include non-impersonated usernames in... Open
Assigned Teams:
Server Security
Participants:

Description

Today, impersonated user information is included on slow query logs inside of the $audit object. It is present whenever a server is performing a request proxied by another server authenticated as the __system user. This includes both the impersonated username and its roles, which can be arbitrarily large. In at least one case, this has caused very large logs since the impersonated user had many roles sourced from LDAP group membership, eventually causing the log file to become too large.

To mitigate this, we can consider introducing some kind of option to either filter impersonated users/roles entirely from the logs or deduplicate just the roles from the usernames.
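
To see whether a deployment is affected by the log growth described above, one option is to measure how much of each slow query line is $audit metadata. The following is an added example, not code from this ticket or from MongoDB; it assumes structured JSON log lines, and the sample lines and the field names under $audit ($impersonatedUser, $impersonatedRoles) are constructed for illustration.

```python
import json

def find_audit(node):
    """Return the first value stored under a "$audit" key anywhere in node."""
    if isinstance(node, dict):
        if "$audit" in node:
            return node["$audit"]
        children = list(node.values())
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_audit(child)
        if found is not None:
            return found
    return None

def audit_share(line):
    """Return (line_bytes, audit_bytes) for one JSON log line."""
    audit = find_audit(json.loads(line))
    audit_bytes = 0
    if audit is not None:
        audit_bytes = len(json.dumps(audit, separators=(",", ":")).encode())
    return len(line.encode()), audit_bytes

def flag_bloated(lines, min_share=0.9):
    """Return (index, line_bytes, audit_bytes) for lines dominated by $audit."""
    flagged = []
    for i, line in enumerate(lines):
        total, audit = audit_share(line)
        if total and audit / total >= min_share:
            flagged.append((i, total, audit))
    return flagged

def make_line(role_count):
    """Constructed slow query line; the layout under attr is an assumption."""
    command = {"find": "orders"}
    if role_count:
        roles = [{"role": f"ldap-group-{n}", "db": "admin"} for n in range(role_count)]
        command["$audit"] = {
            "$impersonatedUser": {"user": "alice", "db": "$external"},
            "$impersonatedRoles": roles}
    entry = {"s": "I", "c": "COMMAND", "msg": "Slow query",
             "attr": {"ns": "app.orders", "durationMillis": 250, "command": command}}
    return json.dumps(entry, separators=(",", ":"))

# Constructed sample: a user with 2 roles, one with 400 roles, and a direct request.
SAMPLE = [make_line(2), make_line(400), make_line(0)]
```

Running `flag_bloated` over a real log file (one line per call to `audit_share`) shows which requests carry role lists large enough to dominate the log entry.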

