[SERVER-76883] Reduce chattiness of "Role does not exist" logs for externally sourced users
Created: 05/May/23
Updated: 25/Oct/23

Status: Open
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task
Priority: Major - P3
Reporter: Varun Ravichandran
Assignee: Backlog - Security Team
Resolution: Unresolved
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Related
Assigned Teams:
Server Security
Backport Requested:
v6.0
Sprint: Security 2023-07-24, Security 2023-08-07, Security 2023-08-21, Security 2023-09-04
Participants:
Case:

Description

The server emits an INFO-level log when it is unable to find a role document for a role name that it has resolved. For internally-managed users, this is an unexpected scenario and warrants an info or warning-level log. For users using LDAP authorization, this is expected to occur as many of these users will have LDAP groups that do not directly map to MongoDB roles.

When the server refreshes cached LDAP users out-of-band, it performs numerous LDAP queries regularly and resolves them to MongoDB roles. As a result, this log becomes very noisy.

We should consider emitting this log as a warning for internally-authorized users only. For externally-authorized users, we can keep this log with higher debug verbosity so that it can be suppressed. LDAP users only need a warning log if none of their member groups can be mapped to MongoDB role documents. 

