[SERVER-71766] Include non-impersonated usernames in command metadata of slow query log Created: 01/Dec/22 Updated: 07/Dec/22 |
|
| Status: | Open |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Varun Ravichandran | Assignee: | Backlog - Security Team |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||
| Assigned Teams: |
Server Security
|
||||||||
| Participants: | |||||||||
| Description |
|
When an operation is performed on a shard from a mongos, the mongos authenticates to the shard as the internal __system user. When logging the command's metadata, it propagates the actual end user's name and roles in a subdocument called $audit with two fields: $impersonatedUsers and $impersonatedRoles. This field does not appear in slow query logs for operations performed on a mongod from a directly-connected driver authenticated as a regular user. We should consider logging an operation's user's username in its slow query log even in non-impersonation cases so the information is always available.
|