Diffstat (limited to 'src/mongo/db/audit.h')
-rw-r--r--src/mongo/db/audit.h623
1 files changed, 297 insertions, 326 deletions
diff --git a/src/mongo/db/audit.h b/src/mongo/db/audit.h
index fa8604871f5..4dc187da2b1 100644
--- a/src/mongo/db/audit.h
+++ b/src/mongo/db/audit.h
@@ -39,335 +39,306 @@
namespace mongo {
- class AuthorizationSession;
- class BSONObj;
- class ClientBasic;
- class Command;
- class NamespaceString;
- class ReplSetConfig;
- class StringData;
- class UserName;
+class AuthorizationSession;
+class BSONObj;
+class ClientBasic;
+class Command;
+class NamespaceString;
+class ReplSetConfig;
+class StringData;
+class UserName;
namespace audit {
- /**
- * Logs the result of an authentication attempt.
- */
- void logAuthentication(ClientBasic* client,
- StringData mechanism,
- const UserName& user,
- ErrorCodes::Error result);
-
- //
- // Authorization (authz) logging functions.
- //
- // These functions generate log messages describing the disposition of access control
- // checks.
- //
-
- /**
- * Logs the result of a command authorization check.
- */
- void logCommandAuthzCheck(
- ClientBasic* client,
- const std::string& dbname,
- const BSONObj& cmdObj,
- Command* command,
- ErrorCodes::Error result);
-
- /**
- * Logs the result of an authorization check for an OP_DELETE wire protocol message.
- */
- void logDeleteAuthzCheck(
- ClientBasic* client,
- const NamespaceString& ns,
- const BSONObj& pattern,
- ErrorCodes::Error result);
-
- /**
- * Logs the result of an authorization check for an OP_GET_MORE wire protocol message.
- */
- void logGetMoreAuthzCheck(
- ClientBasic* client,
- const NamespaceString& ns,
- long long cursorId,
- ErrorCodes::Error result);
-
- /**
- * Logs the result of an authorization check for an OP_INSERT wire protocol message.
- */
- void logInsertAuthzCheck(
- ClientBasic* client,
- const NamespaceString& ns,
- const BSONObj& insertedObj,
- ErrorCodes::Error result);
-
- /**
- * Logs the result of an authorization check for an OP_KILL_CURSORS wire protocol message.
- */
- void logKillCursorsAuthzCheck(
- ClientBasic* client,
- const NamespaceString& ns,
- long long cursorId,
- ErrorCodes::Error result);
-
- /**
- * Logs the result of an authorization check for an OP_QUERY wire protocol message.
- */
- void logQueryAuthzCheck(
- ClientBasic* client,
- const NamespaceString& ns,
- const BSONObj& query,
- ErrorCodes::Error result);
-
- /**
- * Logs the result of an authorization check for an OP_UPDATE wire protocol message.
- */
- void logUpdateAuthzCheck(
- ClientBasic* client,
- const NamespaceString& ns,
- const BSONObj& query,
- const BSONObj& updateObj,
- bool isUpsert,
- bool isMulti,
- ErrorCodes::Error result);
-
- /**
- * Logs the result of a createUser command.
- */
- void logCreateUser(ClientBasic* client,
- const UserName& username,
- bool password,
- const BSONObj* customData,
- const std::vector<RoleName>& roles);
-
- /**
- * Logs the result of a dropUser command.
- */
- void logDropUser(ClientBasic* client,
- const UserName& username);
-
- /**
- * Logs the result of a dropAllUsersFromDatabase command.
- */
- void logDropAllUsersFromDatabase(ClientBasic* client,
- StringData dbname);
-
- /**
- * Logs the result of a updateUser command.
- */
- void logUpdateUser(ClientBasic* client,
- const UserName& username,
- bool password,
- const BSONObj* customData,
- const std::vector<RoleName>* roles);
-
- /**
- * Logs the result of a grantRolesToUser command.
- */
- void logGrantRolesToUser(ClientBasic* client,
- const UserName& username,
- const std::vector<RoleName>& roles);
-
- /**
- * Logs the result of a revokeRolesFromUser command.
- */
- void logRevokeRolesFromUser(ClientBasic* client,
- const UserName& username,
- const std::vector<RoleName>& roles);
-
- /**
- * Logs the result of a createRole command.
- */
- void logCreateRole(ClientBasic* client,
- const RoleName& role,
- const std::vector<RoleName>& roles,
- const PrivilegeVector& privileges);
-
- /**
- * Logs the result of a updateRole command.
- */
- void logUpdateRole(ClientBasic* client,
- const RoleName& role,
- const std::vector<RoleName>* roles,
- const PrivilegeVector* privileges);
-
- /**
- * Logs the result of a dropRole command.
- */
- void logDropRole(ClientBasic* client,
- const RoleName& role);
-
- /**
- * Logs the result of a dropAllRolesForDatabase command.
- */
- void logDropAllRolesFromDatabase(ClientBasic* client,
- StringData dbname);
-
- /**
- * Logs the result of a grantRolesToRole command.
- */
- void logGrantRolesToRole(ClientBasic* client,
- const RoleName& role,
- const std::vector<RoleName>& roles);
-
- /**
- * Logs the result of a revokeRolesFromRole command.
- */
- void logRevokeRolesFromRole(ClientBasic* client,
- const RoleName& role,
- const std::vector<RoleName>& roles);
-
- /**
- * Logs the result of a grantPrivilegesToRole command.
- */
- void logGrantPrivilegesToRole(ClientBasic* client,
- const RoleName& role,
- const PrivilegeVector& privileges);
-
- /**
- * Logs the result of a revokePrivilegesFromRole command.
- */
- void logRevokePrivilegesFromRole(ClientBasic* client,
- const RoleName& role,
- const PrivilegeVector& privileges);
-
- /**
- * Logs the result of a replSet(Re)config command.
- */
- void logReplSetReconfig(ClientBasic* client,
- const BSONObj* oldConfig,
- const BSONObj* newConfig);
-
- /**
- * Logs the result of an ApplicationMessage command.
- */
- void logApplicationMessage(ClientBasic* client,
- StringData msg);
-
- /**
- * Logs the result of a shutdown command.
- */
- void logShutdown(ClientBasic* client);
-
- /**
- * Logs the result of a createIndex command.
- */
- void logCreateIndex(ClientBasic* client,
- const BSONObj* indexSpec,
- StringData indexname,
- StringData nsname);
-
- /**
- * Logs the result of a createCollection command.
- */
- void logCreateCollection(ClientBasic* client,
- StringData nsname);
-
- /**
- * Logs the result of a createDatabase command.
- */
- void logCreateDatabase(ClientBasic* client,
- StringData dbname);
-
-
- /**
- * Logs the result of a dropIndex command.
- */
- void logDropIndex(ClientBasic* client,
- StringData indexname,
- StringData nsname);
-
- /**
- * Logs the result of a dropCollection command.
- */
- void logDropCollection(ClientBasic* client,
- StringData nsname);
-
- /**
- * Logs the result of a dropDatabase command.
- */
- void logDropDatabase(ClientBasic* client,
- StringData dbname);
-
- /**
- * Logs a collection rename event.
- */
- void logRenameCollection(ClientBasic* client,
- StringData source,
- StringData target);
-
- /**
- * Logs the result of a enableSharding command.
- */
- void logEnableSharding(ClientBasic* client,
- StringData dbname);
-
- /**
- * Logs the result of a addShard command.
- */
- void logAddShard(ClientBasic* client,
- StringData name,
- const std::string& servers,
- long long maxSize);
-
- /**
- * Logs the result of a removeShard command.
- */
- void logRemoveShard(ClientBasic* client,
- StringData shardname);
-
- /**
- * Logs the result of a shardCollection command.
- */
- void logShardCollection(ClientBasic* client,
- StringData ns,
- const BSONObj& keyPattern,
- bool unique);
-
-
- /*
- * Appends an array of user/db pairs and an array of role/db pairs
- * to the provided metadata builder. The users and roles are extracted from the current client.
- * They are to be the impersonated users and roles for a Command run by an internal user.
- */
- void writeImpersonatedUsersToMetadata(BSONObjBuilder* metadataBob);
-
- /*
- * Looks for an 'impersonatedUsers' field. This field is used by mongos to
- * transmit the usernames of the currently authenticated user when it runs commands
- * on a shard using internal user authentication. Auditing uses this information
- * to properly ascribe users to actions. This is necessary only for implicit actions that
- * mongos cannot properly audit itself; examples are implicit collection and database creation.
- * This function requires that the field is the last field in the bson object; it edits the
- * command BSON to efficiently remove the field before returning.
- *
- * cmdObj [in, out]: If any impersonated users field exists, it will be parsed and removed.
- * parsedUserNames [out]: populated with parsed usernames
- * fieldIsPresent [out]: true if impersonatedUsers field was present in the object
- */
- void parseAndRemoveImpersonatedUsersField(
- BSONObj cmdObj,
- std::vector<UserName>* parsedUserNames,
- bool* fieldIsPresent);
-
- /*
- * Looks for an 'impersonatedRoles' field. This field is used by mongos to
- * transmit the roles of the currently authenticated user when it runs commands
- * on a shard using internal user authentication. Auditing uses this information
- * to properly ascribe user roles to actions. This is necessary only for implicit actions that
- * mongos cannot properly audit itself; examples are implicit collection and database creation.
- * This function requires that the field is the last field in the bson object; it edits the
- * command BSON to efficiently remove the field before returning.
- *
- * cmdObj [in, out]: If any impersonated roles field exists, it will be parsed and removed.
- * parsedRoleNames [out]: populated with parsed user rolenames
- * fieldIsPresent [out]: true if impersonatedRoles field was present in the object
- */
- void parseAndRemoveImpersonatedRolesField(
- BSONObj cmdObj,
- std::vector<RoleName>* parsedRoleNames,
- bool* fieldIsPresent);
+/**
+ * Logs the result of an authentication attempt.
+ */
+void logAuthentication(ClientBasic* client,
+ StringData mechanism,
+ const UserName& user,
+ ErrorCodes::Error result);
+
+//
+// Authorization (authz) logging functions.
+//
+// These functions generate log messages describing the disposition of access control
+// checks.
+//
+
+/**
+ * Logs the result of a command authorization check.
+ */
+void logCommandAuthzCheck(ClientBasic* client,
+ const std::string& dbname,
+ const BSONObj& cmdObj,
+ Command* command,
+ ErrorCodes::Error result);
+
+/**
+ * Logs the result of an authorization check for an OP_DELETE wire protocol message.
+ */
+void logDeleteAuthzCheck(ClientBasic* client,
+ const NamespaceString& ns,
+ const BSONObj& pattern,
+ ErrorCodes::Error result);
+
+/**
+ * Logs the result of an authorization check for an OP_GET_MORE wire protocol message.
+ */
+void logGetMoreAuthzCheck(ClientBasic* client,
+ const NamespaceString& ns,
+ long long cursorId,
+ ErrorCodes::Error result);
+
+/**
+ * Logs the result of an authorization check for an OP_INSERT wire protocol message.
+ */
+void logInsertAuthzCheck(ClientBasic* client,
+ const NamespaceString& ns,
+ const BSONObj& insertedObj,
+ ErrorCodes::Error result);
+
+/**
+ * Logs the result of an authorization check for an OP_KILL_CURSORS wire protocol message.
+ */
+void logKillCursorsAuthzCheck(ClientBasic* client,
+ const NamespaceString& ns,
+ long long cursorId,
+ ErrorCodes::Error result);
+
+/**
+ * Logs the result of an authorization check for an OP_QUERY wire protocol message.
+ */
+void logQueryAuthzCheck(ClientBasic* client,
+ const NamespaceString& ns,
+ const BSONObj& query,
+ ErrorCodes::Error result);
+
+/**
+ * Logs the result of an authorization check for an OP_UPDATE wire protocol message.
+ */
+void logUpdateAuthzCheck(ClientBasic* client,
+ const NamespaceString& ns,
+ const BSONObj& query,
+ const BSONObj& updateObj,
+ bool isUpsert,
+ bool isMulti,
+ ErrorCodes::Error result);
+
+/**
+ * Logs the result of a createUser command.
+ */
+void logCreateUser(ClientBasic* client,
+ const UserName& username,
+ bool password,
+ const BSONObj* customData,
+ const std::vector<RoleName>& roles);
+
+/**
+ * Logs the result of a dropUser command.
+ */
+void logDropUser(ClientBasic* client, const UserName& username);
+
+/**
+ * Logs the result of a dropAllUsersFromDatabase command.
+ */
+void logDropAllUsersFromDatabase(ClientBasic* client, StringData dbname);
+
+/**
+ * Logs the result of a updateUser command.
+ */
+void logUpdateUser(ClientBasic* client,
+ const UserName& username,
+ bool password,
+ const BSONObj* customData,
+ const std::vector<RoleName>* roles);
+
+/**
+ * Logs the result of a grantRolesToUser command.
+ */
+void logGrantRolesToUser(ClientBasic* client,
+ const UserName& username,
+ const std::vector<RoleName>& roles);
+
+/**
+ * Logs the result of a revokeRolesFromUser command.
+ */
+void logRevokeRolesFromUser(ClientBasic* client,
+ const UserName& username,
+ const std::vector<RoleName>& roles);
+
+/**
+ * Logs the result of a createRole command.
+ */
+void logCreateRole(ClientBasic* client,
+ const RoleName& role,
+ const std::vector<RoleName>& roles,
+ const PrivilegeVector& privileges);
+
+/**
+ * Logs the result of a updateRole command.
+ */
+void logUpdateRole(ClientBasic* client,
+ const RoleName& role,
+ const std::vector<RoleName>* roles,
+ const PrivilegeVector* privileges);
+
+/**
+ * Logs the result of a dropRole command.
+ */
+void logDropRole(ClientBasic* client, const RoleName& role);
+
+/**
+ * Logs the result of a dropAllRolesForDatabase command.
+ */
+void logDropAllRolesFromDatabase(ClientBasic* client, StringData dbname);
+
+/**
+ * Logs the result of a grantRolesToRole command.
+ */
+void logGrantRolesToRole(ClientBasic* client,
+ const RoleName& role,
+ const std::vector<RoleName>& roles);
+
+/**
+ * Logs the result of a revokeRolesFromRole command.
+ */
+void logRevokeRolesFromRole(ClientBasic* client,
+ const RoleName& role,
+ const std::vector<RoleName>& roles);
+
+/**
+ * Logs the result of a grantPrivilegesToRole command.
+ */
+void logGrantPrivilegesToRole(ClientBasic* client,
+ const RoleName& role,
+ const PrivilegeVector& privileges);
+
+/**
+ * Logs the result of a revokePrivilegesFromRole command.
+ */
+void logRevokePrivilegesFromRole(ClientBasic* client,
+ const RoleName& role,
+ const PrivilegeVector& privileges);
+
+/**
+ * Logs the result of a replSet(Re)config command.
+ */
+void logReplSetReconfig(ClientBasic* client, const BSONObj* oldConfig, const BSONObj* newConfig);
+
+/**
+ * Logs the result of an ApplicationMessage command.
+ */
+void logApplicationMessage(ClientBasic* client, StringData msg);
+
+/**
+ * Logs the result of a shutdown command.
+ */
+void logShutdown(ClientBasic* client);
+
+/**
+ * Logs the result of a createIndex command.
+ */
+void logCreateIndex(ClientBasic* client,
+ const BSONObj* indexSpec,
+ StringData indexname,
+ StringData nsname);
+
+/**
+ * Logs the result of a createCollection command.
+ */
+void logCreateCollection(ClientBasic* client, StringData nsname);
+
+/**
+ * Logs the result of a createDatabase command.
+ */
+void logCreateDatabase(ClientBasic* client, StringData dbname);
+
+
+/**
+ * Logs the result of a dropIndex command.
+ */
+void logDropIndex(ClientBasic* client, StringData indexname, StringData nsname);
+
+/**
+ * Logs the result of a dropCollection command.
+ */
+void logDropCollection(ClientBasic* client, StringData nsname);
+
+/**
+ * Logs the result of a dropDatabase command.
+ */
+void logDropDatabase(ClientBasic* client, StringData dbname);
+
+/**
+ * Logs a collection rename event.
+ */
+void logRenameCollection(ClientBasic* client, StringData source, StringData target);
+
+/**
+ * Logs the result of a enableSharding command.
+ */
+void logEnableSharding(ClientBasic* client, StringData dbname);
+
+/**
+ * Logs the result of a addShard command.
+ */
+void logAddShard(ClientBasic* client,
+ StringData name,
+ const std::string& servers,
+ long long maxSize);
+
+/**
+ * Logs the result of a removeShard command.
+ */
+void logRemoveShard(ClientBasic* client, StringData shardname);
+
+/**
+ * Logs the result of a shardCollection command.
+ */
+void logShardCollection(ClientBasic* client, StringData ns, const BSONObj& keyPattern, bool unique);
+
+
+/*
+ * Appends an array of user/db pairs and an array of role/db pairs
+ * to the provided metadata builder. The users and roles are extracted from the current client.
+ * They are to be the impersonated users and roles for a Command run by an internal user.
+ */
+void writeImpersonatedUsersToMetadata(BSONObjBuilder* metadataBob);
+
+/*
+ * Looks for an 'impersonatedUsers' field. This field is used by mongos to
+ * transmit the usernames of the currently authenticated user when it runs commands
+ * on a shard using internal user authentication. Auditing uses this information
+ * to properly ascribe users to actions. This is necessary only for implicit actions that
+ * mongos cannot properly audit itself; examples are implicit collection and database creation.
+ * This function requires that the field is the last field in the bson object; it edits the
+ * command BSON to efficiently remove the field before returning.
+ *
+ * cmdObj [in, out]: If any impersonated users field exists, it will be parsed and removed.
+ * parsedUserNames [out]: populated with parsed usernames
+ * fieldIsPresent [out]: true if impersonatedUsers field was present in the object
+ */
+void parseAndRemoveImpersonatedUsersField(BSONObj cmdObj,
+ std::vector<UserName>* parsedUserNames,
+ bool* fieldIsPresent);
+
+/*
+ * Looks for an 'impersonatedRoles' field. This field is used by mongos to
+ * transmit the roles of the currently authenticated user when it runs commands
+ * on a shard using internal user authentication. Auditing uses this information
+ * to properly ascribe user roles to actions. This is necessary only for implicit actions that
+ * mongos cannot properly audit itself; examples are implicit collection and database creation.
+ * This function requires that the field is the last field in the bson object; it edits the
+ * command BSON to efficiently remove the field before returning.
+ *
+ * cmdObj [in, out]: If any impersonated roles field exists, it will be parsed and removed.
+ * parsedRoleNames [out]: populated with parsed user rolenames
+ * fieldIsPresent [out]: true if impersonatedRoles field was present in the object
+ */
+void parseAndRemoveImpersonatedRolesField(BSONObj cmdObj,
+ std::vector<RoleName>* parsedRoleNames,
+ bool* fieldIsPresent);
} // namespace audit
} // namespace mongo