diff options
author | Amalia Hawkins <amalia.hawkins@10gen.com> | 2014-07-21 13:48:43 -0400 |
---|---|---|
committer | Amalia Hawkins <amalia.hawkins@10gen.com> | 2014-07-21 13:48:43 -0400 |
commit | f2d47ee02a94f56b29e1874aebf8ae4dca222d2e (patch) | |
tree | b00f66aa6b23fa728b08c7a5a23aa7e27fc43145 /src/mongo/db/audit.h | |
parent | fcab456c204a1c5eccfc3d700337cb5bff0621fc (diff) | |
download | mongo-f2d47ee02a94f56b29e1874aebf8ae4dca222d2e.tar.gz |
SERVER-12512: Add role-based, selective audit logging.
Diffstat (limited to 'src/mongo/db/audit.h')
-rw-r--r-- | src/mongo/db/audit.h | 42 |
1 files changed, 32 insertions, 10 deletions
diff --git a/src/mongo/db/audit.h b/src/mongo/db/audit.h index b939966f168..0e6d07cf92a 100644 --- a/src/mongo/db/audit.h +++ b/src/mongo/db/audit.h @@ -351,15 +351,16 @@ namespace audit { bool unique); - /* - * Appends an array of user/db pairs to the provided Document. - * The users are extracted from the current client. They are to be the - * impersonated users for a Command run by an internal user. + /* + * Appends an array of user/db pairs and an array of role/db pairs + * to the provided Document. The users and roles are extracted from the current client. + * They are to be the impersonated users and roles for a Command run by an internal user. */ void appendImpersonatedUsers(BSONObjBuilder* cmd); const char cmdOptionImpersonatedUsers[] = "impersonatedUsers"; + const char cmdOptionImpersonatedRoles[] = "impersonatedRoles"; - /* + /* * Looks for an 'impersonatedUsers' field. This field is used by mongos to * transmit the usernames of the currently authenticated user when it runs commands * on a shard using internal user authentication. Auditing uses this information @@ -372,11 +373,32 @@ namespace audit { * authSession [in]: current authorization session * parsedUserNames [out]: populated with parsed usernames * fieldIsPresent [out]: true if impersonatedUsers field was present in the object - */ - void parseAndRemoveImpersonatedUserField(BSONObj cmdObj, - AuthorizationSession* authSession, - std::vector<UserName>* parsedUserNames, - bool* fieldIsPresent); + */ + void parseAndRemoveImpersonatedUsersField( + BSONObj cmdObj, + AuthorizationSession* authSession, + std::vector<UserName>* parsedUserNames, + bool* fieldIsPresent); + + /* + * Looks for an 'impersonatedRoles' field. This field is used by mongos to + * transmit the roles of the currently authenticated user when it runs commands + * on a shard using internal user authentication. Auditing uses this information + * to properly ascribe user roles to actions. This is necessary only for implicit actions that + * mongos cannot properly audit itself; examples are implicit collection and database creation. + * This function requires that the field is the last field in the bson object; it edits the + * command BSON to efficiently remove the field before returning. + * + * cmdObj [in, out]: If any impersonated roles field exists, it will be parsed and removed. + * authSession [in]: current authorization session + * parsedRoleNames [out]: populated with parsed user rolenames + * fieldIsPresent [out]: true if impersonatedRoles field was present in the object + */ + void parseAndRemoveImpersonatedRolesField( + BSONObj cmdObj, + AuthorizationSession* authSession, + std::vector<RoleName>* parsedRoleNames, + bool* fieldIsPresent); } // namespace audit } // namespace mongo |