summaryrefslogtreecommitdiff
path: root/src/mongo/db/audit.h
diff options
context:
space:
mode:
authorAmalia Hawkins <amalia.hawkins@10gen.com>2014-07-21 13:48:43 -0400
committerAmalia Hawkins <amalia.hawkins@10gen.com>2014-07-21 13:48:43 -0400
commitf2d47ee02a94f56b29e1874aebf8ae4dca222d2e (patch)
treeb00f66aa6b23fa728b08c7a5a23aa7e27fc43145 /src/mongo/db/audit.h
parentfcab456c204a1c5eccfc3d700337cb5bff0621fc (diff)
downloadmongo-f2d47ee02a94f56b29e1874aebf8ae4dca222d2e.tar.gz
SERVER-12512: Add role-based, selective audit logging.
Diffstat (limited to 'src/mongo/db/audit.h')
-rw-r--r--src/mongo/db/audit.h42
1 files changed, 32 insertions, 10 deletions
diff --git a/src/mongo/db/audit.h b/src/mongo/db/audit.h
index b939966f168..0e6d07cf92a 100644
--- a/src/mongo/db/audit.h
+++ b/src/mongo/db/audit.h
@@ -351,15 +351,16 @@ namespace audit {
bool unique);
- /*
- * Appends an array of user/db pairs to the provided Document.
- * The users are extracted from the current client. They are to be the
- * impersonated users for a Command run by an internal user.
+ /*
+ * Appends an array of user/db pairs and an array of role/db pairs
+ * to the provided Document. The users and roles are extracted from the current client.
+ * They are to be the impersonated users and roles for a Command run by an internal user.
*/
void appendImpersonatedUsers(BSONObjBuilder* cmd);
const char cmdOptionImpersonatedUsers[] = "impersonatedUsers";
+ const char cmdOptionImpersonatedRoles[] = "impersonatedRoles";
- /*
+ /*
* Looks for an 'impersonatedUsers' field. This field is used by mongos to
* transmit the usernames of the currently authenticated user when it runs commands
* on a shard using internal user authentication. Auditing uses this information
@@ -372,11 +373,32 @@ namespace audit {
* authSession [in]: current authorization session
* parsedUserNames [out]: populated with parsed usernames
* fieldIsPresent [out]: true if impersonatedUsers field was present in the object
- */
- void parseAndRemoveImpersonatedUserField(BSONObj cmdObj,
- AuthorizationSession* authSession,
- std::vector<UserName>* parsedUserNames,
- bool* fieldIsPresent);
+ */
+ void parseAndRemoveImpersonatedUsersField(
+ BSONObj cmdObj,
+ AuthorizationSession* authSession,
+ std::vector<UserName>* parsedUserNames,
+ bool* fieldIsPresent);
+
+ /*
+ * Looks for an 'impersonatedRoles' field. This field is used by mongos to
+ * transmit the roles of the currently authenticated user when it runs commands
+ * on a shard using internal user authentication. Auditing uses this information
+ * to properly ascribe user roles to actions. This is necessary only for implicit actions that
+ * mongos cannot properly audit itself; examples are implicit collection and database creation.
+ * This function requires that the field is the last field in the bson object; it edits the
+ * command BSON to efficiently remove the field before returning.
+ *
+ * cmdObj [in, out]: If any impersonated roles field exists, it will be parsed and removed.
+ * authSession [in]: current authorization session
+ * parsedRoleNames [out]: populated with parsed user rolenames
+ * fieldIsPresent [out]: true if impersonatedRoles field was present in the object
+ */
+ void parseAndRemoveImpersonatedRolesField(
+ BSONObj cmdObj,
+ AuthorizationSession* authSession,
+ std::vector<RoleName>* parsedRoleNames,
+ bool* fieldIsPresent);
} // namespace audit
} // namespace mongo