author | Andy Schwerin <schwerin@10gen.com> | 2013-07-17 14:43:10 -0400 |
---|---|---|
committer | Andy Schwerin <schwerin@10gen.com> | 2013-07-17 17:47:36 -0400 |
commit | 0eb227c15841da86dbf9d21e7e593c7659040963 (patch) | |
tree | b65159d2b8f30bf978b6003289a492734cfb69b9 /src/mongo/db/audit.h | |
parent | 752f704bc0fb5c771b74a033364eaa045eda2040 (diff) | |
SERVER-1891 Add audit logging hooks for authorization checks in mongod.
Diffstat (limited to 'src/mongo/db/audit.h')
-rw-r--r-- | src/mongo/db/audit.h | 104 |
1 files changed, 99 insertions, 5 deletions
diff --git a/src/mongo/db/audit.h b/src/mongo/db/audit.h
index 6a703e41238..84ed98ca4bc 100644
--- a/src/mongo/db/audit.h
+++ b/src/mongo/db/audit.h
@@ -14,6 +14,11 @@
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
+/**
+ * This module describes free functions for logging various operations of interest to a
+ * party interested in generating logs of user activity in a MongoDB server instance.
+ */
+
 #pragma once
 #include "mongo/base/error_codes.h"
@@ -26,12 +31,101 @@ namespace mongo {
 namespace audit {
+ //
+ // Authorization (authz) logging functions.
+ //
+ // These functions generate log messages describing the disposition of access control
+ // checks.
+ //
+
+ /**
+ * Logs the result of a command authorization check.
+ */
+ void logCommandAuthzCheck(
+ ClientBasic* client,
+ const NamespaceString& ns,
+ const BSONObj& cmdObj,
+ ErrorCodes::Error result);
+
+ /**
+ * Logs the result of an authorization check for an OP_DELETE wire protocol message.
+ */
+ void logDeleteAuthzCheck(
+ ClientBasic* client,
+ const NamespaceString& ns,
+ const BSONObj& pattern,
+ ErrorCodes::Error result);
+
+ /**
+ * Logs the result of an authorization check for the "unlock" pseudo-command.
+ */
+ void logFsyncUnlockAuthzCheck(
+ ClientBasic* client,
+ ErrorCodes::Error result);
+
+ /**
+ * Logs the result of an authorization check for an OP_GET_MORE wire protocol message.
+ */
+ void logGetMoreAuthzCheck(
+ ClientBasic* client,
+ const NamespaceString& ns,
+ long long cursorId,
+ ErrorCodes::Error result);
+
 /**
- * Logs the result of an authorization (access control) check.
+ * Logs the result of an authorization check for an "inprog" pseudo-command.
 */
- void logCommandAuthzCheck(ClientBasic* client,
- const NamespaceString& ns,
- const BSONObj& cmdObj,
- ErrorCodes::Error result);
+ void logInProgAuthzCheck(
+ ClientBasic* client,
+ const BSONObj& filter,
+ ErrorCodes::Error result);
+
+ /**
+ * Logs the result of an authorization check for an OP_INSERT wire protocol message.
+ */
+ void logInsertAuthzCheck(
+ ClientBasic* client,
+ const NamespaceString& ns,
+ const BSONObj& insertedObj,
+ ErrorCodes::Error result);
+
+ /**
+ * Logs the result of an authorization check for an OP_KILL_CURSORS wire protocol message.
+ */
+ void logKillCursorsAuthzCheck(
+ ClientBasic* client,
+ const NamespaceString& ns,
+ long long cursorId,
+ ErrorCodes::Error result);
+
+ /**
+ * Logs the result of an authorization check for a "killop" pseudo-command.
+ */
+ void logKillOpAuthzCheck(
+ ClientBasic* client,
+ const BSONObj& filter,
+ ErrorCodes::Error result);
+
+ /**
+ * Logs the result of an authorization check for an OP_QUERY wire protocol message.
+ */
+ void logQueryAuthzCheck(
+ ClientBasic* client,
+ const NamespaceString& ns,
+ const BSONObj& query,
+ ErrorCodes::Error result);
+
+ /**
+ * Logs the result of an authorization check for an OP_UPDATE wire protocol message.
+ */
+ void logUpdateAuthzCheck(
+ ClientBasic* client,
+ const NamespaceString& ns,
+ const BSONObj& query,
+ const BSONObj& updateObj,
+ bool isUpsert,
+ bool isMulti,
+ ErrorCodes::Error result);
+
 } // namespace audit
 } // namespace mongo |
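Review bot: The doc comments on the new hooks, starting at `logCommandAuthzCheck`, do not say what an implementation may do with the raw `cmdObj`, `insertedObj`, `query` and `updateObj` arguments, and those objects can carry credentials or other sensitive fields (authentication and user-management commands, for instance) as well as arbitrarily large documents. The implementations are outside this hunk, so whether they redact or truncate cannot be told from here; the header is the place to state the contract. I would add a line to the section comment such as `// Implementations must not write credential-bearing fields of the supplied BSON objects to the audit log verbatim.`, and have each comment state that the hook is called for both granted and denied checks, with `result` presumably `ErrorCodes::OK` on success. Separately, `logUpdateAuthzCheck` takes two adjacent `bool` parameters (`isUpsert`, `isMulti`) that are easy to transpose at a call site, so a short per-parameter note in its comment would help.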