From 3afb4b31149e5a747e25f2aab611621a99bf8667 Mon Sep 17 00:00:00 2001 From: "sergey.galtsev" Date: Thu, 11 Feb 2021 11:45:34 -0800 Subject: SERVER-53962 Move UMC audit hooks to OpObservers --- src/mongo/db/audit.cpp | 16 +++++++++++++++- src/mongo/db/audit.h | 20 +++++++++++++++++++- src/mongo/db/auth/SConscript | 1 + src/mongo/db/auth/auth_op_observer.cpp | 7 +++++++ src/mongo/db/catalog/database_impl.cpp | 2 +- 5 files changed, 43 insertions(+), 3 deletions(-) diff --git a/src/mongo/db/audit.cpp b/src/mongo/db/audit.cpp index 43eadc2954c..ad06391fc5f 100644 --- a/src/mongo/db/audit.cpp +++ b/src/mongo/db/audit.cpp @@ -177,7 +177,9 @@ void mongo::audit::logDropView(Client* client, void mongo::audit::logDropDatabase(Client* client, StringData dbname) {} -void mongo::audit::logRenameCollection(Client* client, StringData source, StringData target) {} +void mongo::audit::logRenameCollection(Client* client, + const NamespaceString& source, + const NamespaceString& target) {} void mongo::audit::logEnableSharding(Client* client, StringData dbname) {} @@ -197,4 +199,16 @@ void mongo::audit::logRefineCollectionShardKey(Client* client, StringData ns, const BSONObj& keyPattern) {} +void mongo::audit::logInsertOperation(Client* client, + const NamespaceString& nss, + const BSONObj& doc) {} + +void mongo::audit::logUpdateOperation(Client* client, + const NamespaceString& nss, + const BSONObj& doc) {} + +void mongo::audit::logRemoveOperation(Client* client, + const NamespaceString& nss, + const BSONObj& doc) {} + #endif diff --git a/src/mongo/db/audit.h b/src/mongo/db/audit.h index 5e2c0d633e5..2fef0920bdf 100644 --- a/src/mongo/db/audit.h +++ b/src/mongo/db/audit.h @@ -329,7 +329,9 @@ void logDropDatabase(Client* client, StringData dbname); /** * Logs a collection rename event. */ -void logRenameCollection(Client* client, StringData source, StringData target); +void logRenameCollection(Client* client, + const NamespaceString& source, + const NamespaceString& target); /** * Logs the result of a enableSharding command. @@ -356,5 +358,21 @@ void logShardCollection(Client* client, StringData ns, const BSONObj& keyPattern */ void logRefineCollectionShardKey(Client* client, StringData ns, const BSONObj& keyPattern); +/** + * Logs an insert of a potentially security sensitive record. + */ +void logInsertOperation(Client* client, const NamespaceString& nss, const BSONObj& doc); + +/** + * Logs an update of a potentially security sensitive record. + */ +void logUpdateOperation(Client* client, const NamespaceString& nss, const BSONObj& doc); + +/** + * Logs a deletion of a potentially security sensitive record. + */ +void logRemoveOperation(Client* client, const NamespaceString& nss, const BSONObj& doc); + + } // namespace audit } // namespace mongo diff --git a/src/mongo/db/auth/SConscript b/src/mongo/db/auth/SConscript index e4efc6d1935..9772da3465f 100644 --- a/src/mongo/db/auth/SConscript +++ b/src/mongo/db/auth/SConscript @@ -58,6 +58,7 @@ env.Library( ], LIBDEPS_PRIVATE=[ '$BUILD_DIR/mongo/base', + '$BUILD_DIR/mongo/db/audit', '$BUILD_DIR/mongo/db/catalog/collection_options', '$BUILD_DIR/mongo/db/index/index_descriptor', '$BUILD_DIR/mongo/db/op_observer', diff --git a/src/mongo/db/auth/auth_op_observer.cpp b/src/mongo/db/auth/auth_op_observer.cpp index b70883a7df1..c8699dd3cc1 100644 --- a/src/mongo/db/auth/auth_op_observer.cpp +++ b/src/mongo/db/auth/auth_op_observer.cpp @@ -31,6 +31,7 @@ #include "mongo/db/auth/auth_op_observer.h" +#include "mongo/db/audit.h" #include "mongo/db/auth/authorization_manager.h" #include "mongo/db/catalog/collection_options.h" #include "mongo/db/op_observer_util.h" @@ -56,6 +57,7 @@ void AuthOpObserver::onInserts(OperationContext* opCtx, std::vector::const_iterator last, bool fromMigrate) { for (auto it = first; it != last; it++) { + audit::logInsertOperation(opCtx->getClient(), nss, it->doc); AuthorizationManager::get(opCtx->getServiceContext()) ->logOp(opCtx, "i", nss, it->doc, nullptr); } @@ -65,6 +67,9 @@ void AuthOpObserver::onUpdate(OperationContext* opCtx, const OplogUpdateEntryArg if (args.updateArgs.update.isEmpty()) { return; } + + audit::logUpdateOperation(opCtx->getClient(), args.nss, args.updateArgs.updatedDoc); + AuthorizationManager::get(opCtx->getServiceContext()) ->logOp(opCtx, "u", args.nss, args.updateArgs.update, &args.updateArgs.criteria); } @@ -72,6 +77,8 @@ void AuthOpObserver::onUpdate(OperationContext* opCtx, const OplogUpdateEntryArg void AuthOpObserver::aboutToDelete(OperationContext* opCtx, NamespaceString const& nss, BSONObj const& doc) { + audit::logRemoveOperation(opCtx->getClient(), nss, doc); + // Extract the _id field from the document. If it does not have an _id, use the // document itself as the _id. documentIdDecoration(opCtx) = doc["_id"] ? doc["_id"].wrap() : doc; diff --git a/src/mongo/db/catalog/database_impl.cpp b/src/mongo/db/catalog/database_impl.cpp index 612231be1b8..44af31437c5 100644 --- a/src/mongo/db/catalog/database_impl.cpp +++ b/src/mongo/db/catalog/database_impl.cpp @@ -525,7 +525,7 @@ Status DatabaseImpl::renameCollection(OperationContext* opCtx, NamespaceString fromNss, NamespaceString toNss, bool stayTemp) const { - audit::logRenameCollection(&cc(), fromNss.ns(), toNss.ns()); + audit::logRenameCollection(&cc(), fromNss, toNss); invariant(opCtx->lockState()->isCollectionLockedForMode(fromNss, MODE_X)); invariant(opCtx->lockState()->isCollectionLockedForMode(toNss, MODE_X)); -- cgit v1.2.1