diff options
author | Ben Caimano <ben.caimano@10gen.com> | 2021-04-07 21:50:17 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2021-04-07 22:10:00 +0000 |
commit | cb453c32c5f4b8346de391d248aed60d9c86bd0e (patch) | |
tree | 8a5b0decfc6d08605bdac6e82f2e8b136479299a /src/mongo/db/auth | |
parent | 469b1101cea8cf0c5b34437cdeb391b7002f7d19 (diff) | |
download | mongo-cb453c32c5f4b8346de391d248aed60d9c86bd0e.tar.gz |
SERVER-53604 Convey both id and full arn to authenticate audit events
Diffstat (limited to 'src/mongo/db/auth')
-rw-r--r-- | src/mongo/db/auth/sasl_commands.cpp | 71 | ||||
-rw-r--r-- | src/mongo/db/auth/sasl_mechanism_registry.h | 7 |
2 files changed, 52 insertions, 26 deletions
diff --git a/src/mongo/db/auth/sasl_commands.cpp b/src/mongo/db/auth/sasl_commands.cpp index 3e2b9e26f42..0c68225a6ee 100644 --- a/src/mongo/db/auth/sasl_commands.cpp +++ b/src/mongo/db/auth/sasl_commands.cpp @@ -53,6 +53,7 @@ #include "mongo/db/commands/authentication_commands.h" #include "mongo/db/server_options.h" #include "mongo/db/stats/counters.h" +#include "mongo/logv2/attribute_storage.h" #include "mongo/logv2/log.h" #include "mongo/util/base64.h" #include "mongo/util/sequence_util.h" @@ -186,17 +187,27 @@ Status doSaslStep(OperationContext* opCtx, // Passing in a payload and extracting a responsePayload StatusWith<std::string> swResponse = mechanism.step(opCtx, payload); + auto makeLogAttributes = [&]() { + logv2::DynamicAttributes attrs; + attrs.add("mechanism", mechanism.mechanismName()); + attrs.add("speculative", session->isSpeculative()); + attrs.add("principalName", mechanism.getPrincipalName()); + attrs.add("authenticationDatabase", mechanism.getAuthenticationDatabase()); + attrs.addDeepCopy("remote", opCtx->getClient()->getRemote().toString()); + { + auto bob = BSONObjBuilder(); + mechanism.appendExtraInfo(&bob); + attrs.add("extraInfo", bob.obj()); + } + + return attrs; + }; + if (!swResponse.isOK()) { - LOGV2(20249, - "SASL {mechanism} authentication failed for " - "{principalName} on {authenticationDatabase} from client " - "{client} ; {result}", - "Authentication failed", - "mechanism"_attr = mechanism.mechanismName(), - "principalName"_attr = mechanism.getPrincipalName(), - "authenticationDatabase"_attr = mechanism.getAuthenticationDatabase(), - "client"_attr = opCtx->getClient()->getRemote().toString(), - "result"_attr = redact(swResponse.getStatus())); + auto attrs = makeLogAttributes(); + auto errorString = redact(swResponse.getStatus()); + attrs.add("error", errorString); + LOGV2(20249, "Authentication failed", attrs); sleepmillis(saslGlobalParams.authFailedDelay.load()); // All the client needs to know is that authentication has failed. @@ -217,14 +228,8 @@ Status doSaslStep(OperationContext* opCtx, } if (!serverGlobalParams.quiet.load()) { - LOGV2(20250, - "Successfully authenticated as principal {principalName} on " - "{authenticationDatabase} from client {client} with mechanism {mechanism}", - "Successful authentication", - "mechanism"_attr = mechanism.mechanismName(), - "principalName"_attr = mechanism.getPrincipalName(), - "authenticationDatabase"_attr = mechanism.getAuthenticationDatabase(), - "client"_attr = opCtx->getClient()->session()->remote()); + auto attrs = makeLogAttributes(); + LOGV2(20250, "Authentication succeeded", attrs); } if (session->isSpeculative()) { status = authCounter.incSpeculativeAuthenticateSuccessful( @@ -322,7 +327,9 @@ bool runSaslStart(OperationContext* opCtx, auto status = authCounter.incAuthenticateReceived(mechanismName); if (!status.isOK()) { - audit::logAuthentication(client, mechanismName, UserName("", db), status.code()); + auto event = audit::AuthenticateEvent( + mechanismName, db, ""_sd, [&](BSONObjBuilder*) {}, status.code()); + audit::logAuthentication(client, event); uassertStatusOK(status); MONGO_UNREACHABLE; } @@ -331,8 +338,18 @@ bool runSaslStart(OperationContext* opCtx, auto swSession = doSaslStart(opCtx, db, cmdObj, &result, &principalName, speculative); if (!swSession.isOK() || swSession.getValue()->getMechanism().isSuccess()) { - audit::logAuthentication( - client, mechanismName, UserName(principalName, db), swSession.getStatus().code()); + auto event = audit::AuthenticateEvent( + mechanismName, + db, + principalName, + [&](BSONObjBuilder* bob) { + if (swSession.isOK()) { + swSession.getValue()->getMechanism().appendExtraInfo(bob); + } + }, + swSession.getStatus().code()); + audit::logAuthentication(client, event); + uassertStatusOK(swSession.getStatus()); if (swSession.getValue()->getMechanism().isSuccess()) { uassertStatusOK(authCounter.incAuthenticateSuccessful(mechanismName)); @@ -393,11 +410,13 @@ bool CmdSaslContinue::run(OperationContext* opCtx, CommandHelpers::appendCommandStatusNoThrow(result, status); if (mechanism.isSuccess() || !status.isOK()) { - audit::logAuthentication( - client, - mechanism.mechanismName(), - UserName(mechanism.getPrincipalName(), mechanism.getAuthenticationDatabase()), - status.code()); + auto event = + audit::AuthenticateEvent(mechanism.mechanismName(), + mechanism.getAuthenticationDatabase(), + mechanism.getPrincipalName(), + [&](BSONObjBuilder* bob) { mechanism.appendExtraInfo(bob); }, + status.code()); + audit::logAuthentication(client, event); if (mechanism.isSuccess()) { uassertStatusOK( authCounter.incAuthenticateSuccessful(mechanism.mechanismName().toString())); diff --git a/src/mongo/db/auth/sasl_mechanism_registry.h b/src/mongo/db/auth/sasl_mechanism_registry.h index 98f2d8ddae9..747436928e4 100644 --- a/src/mongo/db/auth/sasl_mechanism_registry.h +++ b/src/mongo/db/auth/sasl_mechanism_registry.h @@ -43,6 +43,7 @@ namespace mongo { class User; +class BSONObjBuilder; /** * The set of attributes SASL mechanisms may possess. @@ -145,6 +146,12 @@ public: } /** + * Appends mechanism specific info in BSON form. The schema of this BSON will vary by mechanism + * implementation, thus this info is entirely diagnostic/for records. + */ + virtual void appendExtraInfo(BSONObjBuilder*) const {} + + /** * Standard method in mongodb for determining if "authenticatedUser" may act as "requestedUser." * * The standard rule in MongoDB is simple. The authenticated user name must be the same as the |