diff options
author | Sara Golemon <sara.golemon@mongodb.com> | 2020-08-18 19:03:50 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2020-10-23 14:26:47 +0000 |
commit | 9fde818493f545b6cacb5603ee0d1ab3a47d5a68 (patch) | |
tree | d0811420580a3ca2e1aa2acf347469c60fc82d2b | |
parent | cc9003ec7e6608b558f90a7cd68898f115d2d93a (diff) | |
download | mongo-9fde818493f545b6cacb5603ee0d1ab3a47d5a68.tar.gz |
SERVER-49165 Limit auditing authz failure in endSessions command
(cherry picked from commit 680eb5a61bc123d021a75b5ec5a997409ec0d36d)
-rw-r--r-- | src/mongo/db/commands.cpp | 15 | ||||
-rw-r--r-- | src/mongo/db/commands.h | 7 | ||||
-rw-r--r-- | src/mongo/db/commands/end_sessions_command.cpp | 8 |
3 files changed, 28 insertions, 2 deletions
diff --git a/src/mongo/db/commands.cpp b/src/mongo/db/commands.cpp index 5ba3eb11db1..49145dab2c2 100644 --- a/src/mongo/db/commands.cpp +++ b/src/mongo/db/commands.cpp @@ -183,7 +183,16 @@ void CommandHelpers::auditLogAuthEvent(OperationContext* opCtx, }; NamespaceString nss = invocation ? invocation->ns() : NamespaceString(request.getDatabase()); - audit::logCommandAuthzCheck(opCtx->getClient(), request, Hook(invocation, &nss), err); + + // Always audit errors other than Unauthorized. + // + // When we get Unauthorized (usually), + // then only audit if our Command definition wants it (default), + // or if we don't know our Command definition. + if ((err != ErrorCodes::Unauthorized) || !invocation || + invocation->definition()->auditAuthorizationFailure()) { + audit::logCommandAuthzCheck(opCtx->getClient(), request, Hook(invocation, &nss), err); + } } void CommandHelpers::uassertNoDocumentSequences(StringData commandName, @@ -405,7 +414,9 @@ bool CommandHelpers::uassertShouldAttemptParse(OperationContext* opCtx, try { return checkAuthorizationImplPreParse(opCtx, command, request); } catch (const ExceptionFor<ErrorCodes::Unauthorized>& e) { - CommandHelpers::auditLogAuthEvent(opCtx, nullptr, request, e.code()); + if (command->auditAuthorizationFailure()) { + CommandHelpers::auditLogAuthEvent(opCtx, nullptr, request, e.code()); + } throw; } } diff --git a/src/mongo/db/commands.h b/src/mongo/db/commands.h index bade5650496..55cf476821d 100644 --- a/src/mongo/db/commands.h +++ b/src/mongo/db/commands.h @@ -420,6 +420,13 @@ public: */ bool hasAlias(const StringData& alias) const; + /** + * Audit when this command fails authz check. + */ + virtual bool auditAuthorizationFailure() const { + return true; + } + private: // The full name of the command const std::string _name; diff --git a/src/mongo/db/commands/end_sessions_command.cpp b/src/mongo/db/commands/end_sessions_command.cpp index 9d67e6aadb3..04c829dd342 100644 --- a/src/mongo/db/commands/end_sessions_command.cpp +++ b/src/mongo/db/commands/end_sessions_command.cpp @@ -87,6 +87,14 @@ public: return true; } + /** + * Drivers may implicitly call {endSessions:...} for unauthenticated clients. + * Don't bother auditing when this happens. + */ + bool auditAuthorizationFailure() const final { + return false; + } + } endSessionsCommand; } // namespace |