-
Type: Improvement
-
Resolution: Fixed
-
Priority: Major - P3
-
Affects Version/s: None
-
Component/s: Internal Code, Security
-
None
-
Minor Change
-
Security 2021-02-08, Security 2021-02-22
We should consider moving the audit hooks from the User Management Commands to the AuthOpObserver, which would invoke them solely on primaries. When a primary performs a write to these system collections, either as a part of a User Management Command or as part of a CRUD operation, the hook will check whether the generated oplog event implies that an authorization audit event should be recorded. If yes and the current node is a primary, it will invoke the audit hook. Because primaries invoke OpObserves in the catalog layer while clients perform operations, the active OperationContext will contain the client's authentication and authorization state.
- duplicates
-
SERVER-49344 Audit hooks for authorization state changes should be moved to OpObservers
- Closed