diff options
author | Sara Golemon <sara.golemon@mongodb.com> | 2020-08-18 19:03:50 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2020-08-25 17:57:05 +0000 |
commit | 680eb5a61bc123d021a75b5ec5a997409ec0d36d (patch) | |
tree | 28f4cdc32dc7f164dfecf0c89965536f631d49e5 /src/mongo/db/commands.cpp | |
parent | a03683171f2ef6d33cf3c9db9b6b6fe9041d147c (diff) | |
download | mongo-680eb5a61bc123d021a75b5ec5a997409ec0d36d.tar.gz |
SERVER-49165 Limit auditing authz failure in endSessions command
Diffstat (limited to 'src/mongo/db/commands.cpp')
-rw-r--r-- | src/mongo/db/commands.cpp | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/src/mongo/db/commands.cpp b/src/mongo/db/commands.cpp index 7fcbd220b6d..0b890f90df6 100644 --- a/src/mongo/db/commands.cpp +++ b/src/mongo/db/commands.cpp @@ -227,7 +227,16 @@ void CommandHelpers::auditLogAuthEvent(OperationContext* opCtx, }; NamespaceString nss = invocation ? invocation->ns() : NamespaceString(request.getDatabase()); - audit::logCommandAuthzCheck(opCtx->getClient(), request, Hook(invocation, &nss), err); + + // Always audit errors other than Unauthorized. + // + // When we get Unauthorized (usually), + // then only audit if our Command definition wants it (default), + // or if we don't know our Command definition. + if ((err != ErrorCodes::Unauthorized) || !invocation || + invocation->definition()->auditAuthorizationFailure()) { + audit::logCommandAuthzCheck(opCtx->getClient(), request, Hook(invocation, &nss), err); + } } void CommandHelpers::uassertNoDocumentSequences(StringData commandName, @@ -488,7 +497,9 @@ bool CommandHelpers::uassertShouldAttemptParse(OperationContext* opCtx, try { return checkAuthorizationImplPreParse(opCtx, command, request); } catch (const ExceptionFor<ErrorCodes::Unauthorized>& e) { - CommandHelpers::auditLogAuthEvent(opCtx, nullptr, request, e.code()); + if (command->auditAuthorizationFailure()) { + CommandHelpers::auditLogAuthEvent(opCtx, nullptr, request, e.code()); + } throw; } } |