author | Sara Golemon <sara.golemon@mongodb.com> | 2020-08-18 19:03:50 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2020-10-23 01:48:39 +0000 |
commit | 1d59792abdd3242fdcf28bea23d743a999824066 (patch) | |
tree | 9a45b29a2f331d75d0c1cc7beba8613577100963 | |
parent | 6fe78a092be6b3a87ec9a91693c7dc77bd45fe5e (diff) | |
download | mongo-1d59792abdd3242fdcf28bea23d743a999824066.tar.gz |
SERVER-49165 Limit auditing authz failure in endSessions command
(cherry picked from commit 680eb5a61bc123d021a75b5ec5a997409ec0d36d)
-rw-r--r-- | src/mongo/db/commands.cpp | 15 | ||||
-rw-r--r-- | src/mongo/db/commands.h | 7 | ||||
-rw-r--r-- | src/mongo/db/commands/end_sessions_command.cpp | 8 |
3 files changed, 28 insertions, 2 deletions
diff --git a/src/mongo/db/commands.cpp b/src/mongo/db/commands.cpp
index 95d07b619cc..82d68fc21d3 100644
--- a/src/mongo/db/commands.cpp
+++ b/src/mongo/db/commands.cpp
@@ -203,7 +203,16 @@ void CommandHelpers::auditLogAuthEvent(OperationContext* opCtx,
 };
 NamespaceString nss = invocation ? invocation->ns() : NamespaceString(request.getDatabase());
- audit::logCommandAuthzCheck(opCtx->getClient(), request, Hook(invocation, &nss), err);
+
+ // Always audit errors other than Unauthorized.
+ //
+ // When we get Unauthorized (usually),
+ // then only audit if our Command definition wants it (default),
+ // or if we don't know our Command definition.
+ if ((err != ErrorCodes::Unauthorized) || !invocation ||
+ invocation->definition()->auditAuthorizationFailure()) {
+ audit::logCommandAuthzCheck(opCtx->getClient(), request, Hook(invocation, &nss), err);
+ }
 }
 
 void CommandHelpers::uassertNoDocumentSequences(StringData commandName,
@@ -425,7 +434,9 @@ bool CommandHelpers::uassertShouldAttemptParse(OperationContext* opCtx,
 try {
 return checkAuthorizationImplPreParse(opCtx, command, request);
 } catch (const ExceptionFor<ErrorCodes::Unauthorized>& e) {
- CommandHelpers::auditLogAuthEvent(opCtx, nullptr, request, e.code());
+ if (command->auditAuthorizationFailure()) {
+ CommandHelpers::auditLogAuthEvent(opCtx, nullptr, request, e.code());
+ }
 throw;
 }
 }
diff --git a/src/mongo/db/commands.h b/src/mongo/db/commands.h
index 8b2d8e33b0f..f91382be5c4 100644
--- a/src/mongo/db/commands.h
+++ b/src/mongo/db/commands.h
@@ -425,6 +425,13 @@ public:
 */
 bool hasAlias(const StringData& alias) const;
 
+ /**
+ * Audit when this command fails authz check.
+ */
+ virtual bool auditAuthorizationFailure() const {
+ return true;
+ }
+
 private:
 // The full name of the command
 const std::string _name;
diff --git a/src/mongo/db/commands/end_sessions_command.cpp b/src/mongo/db/commands/end_sessions_command.cpp
index 15c19f907d8..e13c6eb73b1 100644
--- a/src/mongo/db/commands/end_sessions_command.cpp
+++ b/src/mongo/db/commands/end_sessions_command.cpp
@@ -92,6 +92,14 @@ public:
 return true;
 }
 
+ /**
+ * Drivers may implicitly call {endSessions:...} for unauthenticated clients.
+ * Don't bother auditing when this happens.
+ */
+ bool auditAuthorizationFailure() const final {
+ return false;
+ }
+
 } endSessionsCommand;
 
 } // namespace |
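Review bot: The new gate in auditLogAuthEvent drops every Unauthorized audit record for an opted-out command, not only the unauthenticated-driver case that motivates the change, so an authenticated caller who lacks privilege on such a command is also left unaudited; the added comment should state that, e.g. `// NOTE: an opted-out command suppresses audit of *all* Unauthorized failures, including those of authenticated-but-unprivileged callers; other error codes are always audited.` The same scope applies to the gate added in uassertShouldAttemptParse in the second hunk, where the catch clause already narrows to Unauthorized. `invocation->definition()` is dereferenced with no null check; presumably a non-null invocation always carries a definition, but nothing in the hunk shows it. Both enclosing functions start outside their hunks.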
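Review bot: The docstring on the new virtual `auditAuthorizationFailure()` in commands.h does not say which failures an override returning false silences; as wired in commands.cpp only `ErrorCodes::Unauthorized` is affected and other authz error codes are still audited regardless of the override. Suggest `/** Whether an Unauthorized failure of this command's authz check is audited. Defaults to true; overriding to false suppresses only Unauthorized events, other error codes are always audited. */`. The enclosing class declaration is outside the hunk.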
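Review bot: The override's comment in end_sessions_command.cpp explains only the unauthenticated-driver case, but returning `false` silences the Unauthorized audit event for every caller of endSessions, including an authenticated client that fails the command's authz check (whether that can occur depends on the command's authz check, which is outside the hunk). Suggest extending the comment with `* Note: this also suppresses the audit record for authenticated callers that fail authz on endSessions.` so the scope of the carve-out is explicit to whoever next reviews audit coverage. The enclosing command class starts outside the hunk.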