Core Server / SERVER-11380

authCheck action gives wrong or no audit message

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • None
    • Affects Version/s: None
    • Component/s: None
    • ALL

      The spec for auditing authCheck says that the message will be one of the
      following:

      Access granted for <command/args> [on <ns>]. 
      Access denied for <command/args> [on <ns>]. 
      

      For DENIED access, we have the minor problem that the "on <ns>" and "for <command>" are reversed in the log file. (The exotic characters in database and collection name are being used to check wide-character support.)

                  2013-10-25T13:01:20.861-0400 user2@db1 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Access denied on dbЖ7.cӜ8 for { insert: "cӜ8", documents: [ { _id: ObjectId('526aa3e068ead9114ea98ade'), field: true, feild: false, feeld: false, fiild: false } ] }.
      

      For GRANTED access, we have the larger problem that no message is logged at
      all. Here's the full set of logging messages for this test case.

                  2013-10-25T13:01:20.865-0400 admin@admin 127.0.0.1:59095/127.0.0.1:27017 000000000000000000000000.0 Created user userאب12@dbא10 with password without customData, with the following roles: readWrite@dbא10.
                  2013-10-25T13:01:20.866-0400 user2@db1,userאب12@dbא10 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Authentication succeeded for userאب12@dbא10 using mechanism MONGODB-CR.
                  2013-10-25T13:01:20.867-0400 user2@db1,userאب12@dbא10 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Created collection dbא10.cب11.
                  2013-10-25T13:01:20.882-0400 user2@db1,userאب12@dbא10 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Created collection dbא10.system.namespaces.
                  2013-10-25T13:01:20.898-0400 user2@db1,userאب12@dbא10 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Created collection dbא10.system.indexes.
                  2013-10-25T13:01:20.898-0400 user2@db1,userאب12@dbא10 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Created index _id_ on dbא10.cب11 as 0x7f96c4c475b0.
                  2013-10-25T13:01:20.898-0400 user2@db1,userאب12@dbא10 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 Created database dbא10.
      

      The actions being run here are:
      1. Create a user user12 on a new database db10
      2. Log in as user12
      3. Insert a record.

      In the audit log, we see the user creation (1), the login (2), and the various
      creations that come from making a new collection in a new database. But no
      "Access granted" message.

            Assignee: Matt Dannenberg (matt.dannenberg)
            Reporter: bard.bloom@10gen.com
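An added example, not part of the original report or the server's code: a checker for the two defects described above. It parses audit lines, accepts both the spec's word order and the reversed order seen in the denied message, and counts granted/denied results so a test can assert that a successful operation produced an "Access granted" line. The field layout is assumed from the sample lines in the report; the function names and the SAMPLE lines are constructed for illustration.

```python
import re

# Field layout assumed from the sample lines in the report:
# <timestamp> <user[,user...]> <remote>/<local> <id> <message>
LINE = re.compile(r"^(\S+) (\S+) ([^/\s]+)/(\S+) (\S+) (.*)$")
# Order given by the spec: Access <result> for <command/args> [on <ns>].
SPEC = re.compile(r"^Access (granted|denied) for (.+?)(?: on (\S+))?\.$")
# Order actually logged for denied access in the report.
REVERSED = re.compile(r"^Access (granted|denied) on (\S+) for (.+)\.$")


def parse_auth_check(line):
    """Return a dict for an authCheck line, or None for any other line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, users, remote, _local, _id, msg = m.groups()
    spec, rev = SPEC.match(msg), REVERSED.match(msg)
    if spec:
        result, cmd, ns = spec.groups()
    elif rev:
        result, ns, cmd = rev.groups()
    else:
        return None
    return {"ts": ts, "users": users.split(","), "remote": remote,
            "result": result, "ns": ns, "command": cmd,
            "matches_spec": spec is not None}


def summarize(lines):
    """Count authCheck results and collect timestamps of off-spec messages."""
    out = {"granted": 0, "denied": 0, "off_spec": []}
    for line in lines:
        ev = parse_auth_check(line)
        if ev is None:
            continue
        out[ev["result"]] += 1
        if not ev["matches_spec"]:
            out["off_spec"].append(ev["ts"])
    return out


# Constructed sample: reversed denied line (shortened from the report),
# a spec-order granted line, and an unrelated audit line.
PREFIX = "user2@db1 127.0.0.1:59094/127.0.0.1:27017 000000000000000000000000.0 "
SAMPLE = [
    "2013-10-25T13:01:20.861-0400 " + PREFIX + 'Access denied on dbЖ7.cӜ8 for { insert: "cӜ8" }.',
    "2013-10-25T13:01:20.900-0400 " + PREFIX + 'Access granted for { insert: "cӜ8" } on dbЖ7.cӜ8.',
    "2013-10-25T13:01:20.910-0400 " + PREFIX + "Created collection dbЖ7.cӜ8.",
]
```

A test harness for the behaviour in this ticket would fail when `summarize()` returns `granted == 0` after a permitted insert, or when `off_spec` is non-empty.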