The authCheck docs say "Client tried to perform the given operation, and was allowed/denied. Happens before any actions of the command, for purposes of the auditing guarantee. (only access denied for 2.6?)"
Discussions with live engineers suggest that, indeed, only denied operations should be audit-logged. (Audit-logging every successful operation would amount to logging every database access of any kind, which would be prohibitive.)
The code does this: denied operations are audit-logged, allowed ones are not.
The documentation should reflect this decision with confidence and pride.
- is related to: SERVER-11380 authCheck action gives wrong or no audit message (Closed)