authorAndy Schwerin <schwerin@10gen.com>2013-07-17 14:43:10 -0400
committerAndy Schwerin <schwerin@10gen.com>2013-07-17 17:47:36 -0400
commit0eb227c15841da86dbf9d21e7e593c7659040963 (patch)
treeb65159d2b8f30bf978b6003289a492734cfb69b9 /src/mongo/db/audit.h
parent752f704bc0fb5c771b74a033364eaa045eda2040 (diff)
SERVER-1891 Add audit logging hooks for authorization checks in mongod.
Diffstat (limited to 'src/mongo/db/audit.h')
-rw-r--r--src/mongo/db/audit.h104
1 files changed, 99 insertions, 5 deletions
diff --git a/src/mongo/db/audit.h b/src/mongo/db/audit.h
index 6a703e41238..84ed98ca4bc 100644
--- a/src/mongo/db/audit.h
+++ b/src/mongo/db/audit.h
@@ -14,6 +14,11 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+/**
+ * This module describes free functions for logging various operations of interest to a
+ * party interested in generating logs of user activity in a MongoDB server instance.
+ */
+
#pragma once
#include "mongo/base/error_codes.h"
@@ -26,12 +31,101 @@ namespace mongo {
namespace audit {
+ //
+ // Authorization (authz) logging functions.
+ //
+ // These functions generate log messages describing the disposition of access control
+ // checks.
+ //
+
+ /**
+ * Logs the result of a command authorization check.
+ */
+ void logCommandAuthzCheck(
+ ClientBasic* client,
+ const NamespaceString& ns,
+ const BSONObj& cmdObj,
+ ErrorCodes::Error result);
+
+ /**
+ * Logs the result of an authorization check for an OP_DELETE wire protocol message.
+ */
+ void logDeleteAuthzCheck(
+ ClientBasic* client,
+ const NamespaceString& ns,
+ const BSONObj& pattern,
+ ErrorCodes::Error result);
+
+ /**
+ * Logs the result of an authorization check for the "unlock" pseudo-command.
+ */
+ void logFsyncUnlockAuthzCheck(
+ ClientBasic* client,
+ ErrorCodes::Error result);
+
+ /**
+ * Logs the result of an authorization check for an OP_GET_MORE wire protocol message.
+ */
+ void logGetMoreAuthzCheck(
+ ClientBasic* client,
+ const NamespaceString& ns,
+ long long cursorId,
+ ErrorCodes::Error result);
+
/**
- * Logs the result of an authorization (access control) check.
+ * Logs the result of an authorization check for an "inprog" pseudo-command.
*/
- void logCommandAuthzCheck(ClientBasic* client,
- const NamespaceString& ns,
- const BSONObj& cmdObj,
- ErrorCodes::Error result);
+ void logInProgAuthzCheck(
+ ClientBasic* client,
+ const BSONObj& filter,
+ ErrorCodes::Error result);
+
+ /**
+ * Logs the result of an authorization check for an OP_INSERT wire protocol message.
+ */
+ void logInsertAuthzCheck(
+ ClientBasic* client,
+ const NamespaceString& ns,
+ const BSONObj& insertedObj,
+ ErrorCodes::Error result);
+
+ /**
+ * Logs the result of an authorization check for an OP_KILL_CURSORS wire protocol message.
+ */
+ void logKillCursorsAuthzCheck(
+ ClientBasic* client,
+ const NamespaceString& ns,
+ long long cursorId,
+ ErrorCodes::Error result);
+
+ /**
+ * Logs the result of an authorization check for a "killop" pseudo-command.
+ */
+ void logKillOpAuthzCheck(
+ ClientBasic* client,
+ const BSONObj& filter,
+ ErrorCodes::Error result);
+
+ /**
+ * Logs the result of an authorization check for an OP_QUERY wire protocol message.
+ */
+ void logQueryAuthzCheck(
+ ClientBasic* client,
+ const NamespaceString& ns,
+ const BSONObj& query,
+ ErrorCodes::Error result);
+
+ /**
+ * Logs the result of an authorization check for an OP_UPDATE wire protocol message.
+ */
+ void logUpdateAuthzCheck(
+ ClientBasic* client,
+ const NamespaceString& ns,
+ const BSONObj& query,
+ const BSONObj& updateObj,
+ bool isUpsert,
+ bool isMulti,
+ ErrorCodes::Error result);
+
} // namespace audit
} // namespace mongo
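Review bot: The new declarations from `logCommandAuthzCheck` through `logUpdateAuthzCheck` hand whole BSON objects (`cmdObj`, `pattern`, `filter`, `insertedObj`, `query`, `updateObj`) to the audit hooks, and no doc comment says whether an implementation is expected to redact them before writing. Command objects and inserted documents can carry credentials or other sensitive fields, so a sink that records them verbatim becomes a second store of that data and needs the same access controls as the database itself. The section comment is the natural place for this, for example `// Implementations must treat the BSON arguments as sensitive and redact credential fields before emitting them.` The comments also leave the contract of `client` and `result` unstated. If the hooks are meant to fire for both granted and denied checks, I would add `// "result" is ErrorCodes::OK when access was granted; "client" must not be NULL.` once that is confirmed against the call sites, which are not visible in this file. The enclosing `namespace mongo` opens outside the hunk.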