[SERVER-71766] Include non-impersonated usernames in command metadata of slow query log
Created: 01/Dec/22
Updated: 07/Dec/22

Status: Open
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task
Priority: Major - P3
Reporter: Varun Ravichandran
Assignee: Backlog - Security Team
Resolution: Unresolved
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to SERVER-71605 Provide option to deduplicate imperso... Open
Assigned Teams:
Server Security
Participants:

 Description   

When an operation is performed on a shard from a mongos, the mongos authenticates to the shard as the internal __system user. When logging the command's metadata, it propagates the actual end user's name and roles in a subdocument called $audit with two fields: $impersonatedUsers and $impersonatedRoles. This field does not appear in slow query logs for operations performed on a mongod from a directly-connected driver authenticated as a regular user.

We should consider logging an operation's user's username in its slow query log even in non-impersonation cases so the information is always available.
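
The gap described above, seen from the log-analysis side, as an added example that is not part of the ticket or of the server's code: it reads slow query entries, takes the end users from $audit when that subdocument is present, and marks entries that carry no user. The log lines are constructed, and the JSON layout used here (msg, attr.command, and the user/db and role/db entries) is an assumption about the structured log format.

```python
import json

def _line(ctx, ns, millis, audit=None):
    """Build one constructed "Slow query" log line (layout is an assumption)."""
    db, coll = ns.split(".", 1)
    cmd = {"find": coll, "$db": db}
    if audit is not None:
        cmd["$audit"] = audit
    return json.dumps({"s": "I", "c": "COMMAND", "ctx": ctx, "msg": "Slow query",
                       "attr": {"ns": ns, "command": cmd, "durationMillis": millis}})

# Constructed sample input; users, namespaces and timings are invented.
SAMPLE_LOG = [
    # Shard-side entry for an operation routed through a mongos: the end
    # user travels in $audit because the connection itself is __system.
    _line("conn21", "shop.orders", 412, {
        "$impersonatedUsers": [{"user": "alice", "db": "admin"}],
        "$impersonatedRoles": [{"role": "readWrite", "db": "shop"}]}),
    # Direct driver connection to a mongod: no $audit subdocument at all.
    _line("conn35", "shop.orders", 958),
    # Lines that are not slow query entries must be skipped.
    json.dumps({"s": "I", "c": "NETWORK", "ctx": "listener",
                "msg": "Connection accepted", "attr": {}}),
    "not json at all",
]

def attribute_slow_queries(lines):
    """Return one record per slow query with the end users found in $audit.

    Entries without $impersonatedUsers get attributed=False, so they can be
    routed to another attribution source instead of being silently dropped.
    """
    records = []
    for raw in lines:
        try:
            entry = json.loads(raw)
        except ValueError:
            continue  # tolerate truncated or non-JSON lines
        if not isinstance(entry, dict) or entry.get("msg") != "Slow query":
            continue
        attr = entry.get("attr") or {}
        audit = (attr.get("command") or {}).get("$audit") or {}
        users = [f'{u.get("user")}@{u.get("db")}' for u in audit.get("$impersonatedUsers", [])]
        roles = [f'{r.get("role")}@{r.get("db")}' for r in audit.get("$impersonatedRoles", [])]
        records.append({"ctx": entry.get("ctx"), "ns": attr.get("ns"),
                        "millis": attr.get("durationMillis"), "users": users,
                        "roles": roles, "attributed": bool(users)})
    return records

if __name__ == "__main__":
    for rec in attribute_slow_queries(SAMPLE_LOG):
        print(rec)
```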

 

