/**
* Copyright (C) 2013 10gen Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see .
*
* As a special exception, the copyright holders give permission to link the
* code of portions of this program with the OpenSSL library under certain
* conditions as described in each individual source file and distribute
* linked combinations including the program with the OpenSSL library. You
* must comply with the GNU Affero General Public License in all respects for
* all of the code used other than as permitted herein. If you modify file(s)
* with this exception, you may extend this exception to your version of the
* file(s), but you are not obligated to do so. If you do not wish to do so,
* delete this exception statement from your version. If you delete this
* exception statement from all source files in the program, then also delete
* it in the license file.
*/
/**
* This module describes free functions for logging various operations of interest to a
* party interested in generating logs of user activity in a MongoDB server instance.
*/
#pragma once
#include "mongo/base/error_codes.h"
#include "mongo/db/auth/privilege.h"
#include "mongo/db/auth/user.h"
#include "mongo/util/net/op_msg.h"
namespace mongo {
class AuthorizationSession;
class BSONObj;
class Client;
class NamespaceString;
class OperationContext;
class StringData;
class UserName;
namespace mutablebson {
class Document;
} // namespace mutablebson
namespace audit {
/**
* Narrow API for the parts of mongo::Command used by the audit library.
*/
class CommandInterface {
public:
virtual ~CommandInterface() = default;
virtual void redactForLogging(mutablebson::Document* cmdObj) const = 0;
virtual std::string parseNs(const std::string& dbname, const BSONObj& cmdObj) const = 0;
};
/**
* Logs the result of an authentication attempt.
*/
void logAuthentication(Client* client,
StringData mechanism,
const UserName& user,
ErrorCodes::Error result);
//
// Authorization (authz) logging functions.
//
// These functions generate log messages describing the disposition of access control
// checks.
//
/**
* Logs the result of a command authorization check.
*/
void logCommandAuthzCheck(Client* client,
const OpMsgRequest& cmdObj,
CommandInterface* command,
ErrorCodes::Error result);
/**
* Logs the result of an authorization check for an OP_DELETE wire protocol message.
*/
void logDeleteAuthzCheck(Client* client,
const NamespaceString& ns,
const BSONObj& pattern,
ErrorCodes::Error result);
/**
* Logs the result of an authorization check for an OP_GET_MORE wire protocol message.
*/
void logGetMoreAuthzCheck(Client* client,
const NamespaceString& ns,
long long cursorId,
ErrorCodes::Error result);
/**
* Logs the result of an authorization check for an OP_INSERT wire protocol message.
*/
void logInsertAuthzCheck(Client* client,
const NamespaceString& ns,
const BSONObj& insertedObj,
ErrorCodes::Error result);
/**
* Logs the result of an authorization check for an OP_KILL_CURSORS wire protocol message.
*/
void logKillCursorsAuthzCheck(Client* client,
const NamespaceString& ns,
long long cursorId,
ErrorCodes::Error result);
/**
* Logs the result of an authorization check for an OP_QUERY wire protocol message.
*/
void logQueryAuthzCheck(Client* client,
const NamespaceString& ns,
const BSONObj& query,
ErrorCodes::Error result);
/**
* Logs the result of an authorization check for an OP_UPDATE wire protocol message.
*/
void logUpdateAuthzCheck(Client* client,
const NamespaceString& ns,
const BSONObj& query,
const BSONObj& updateObj,
bool isUpsert,
bool isMulti,
ErrorCodes::Error result);
/**
* Logs the result of a createUser command.
*/
void logCreateUser(Client* client,
const UserName& username,
bool password,
const BSONObj* customData,
const std::vector& roles,
const boost::optional& restrictions);
/**
* Logs the result of a dropUser command.
*/
void logDropUser(Client* client, const UserName& username);
/**
* Logs the result of a dropAllUsersFromDatabase command.
*/
void logDropAllUsersFromDatabase(Client* client, StringData dbname);
/**
* Logs the result of a updateUser command.
*/
void logUpdateUser(Client* client,
const UserName& username,
bool password,
const BSONObj* customData,
const std::vector* roles,
const boost::optional& restrictions);
/**
* Logs the result of a grantRolesToUser command.
*/
void logGrantRolesToUser(Client* client,
const UserName& username,
const std::vector& roles);
/**
* Logs the result of a revokeRolesFromUser command.
*/
void logRevokeRolesFromUser(Client* client,
const UserName& username,
const std::vector& roles);
/**
* Logs the result of a createRole command.
*/
void logCreateRole(Client* client,
const RoleName& role,
const std::vector& roles,
const PrivilegeVector& privileges,
const boost::optional& restrictions);
/**
* Logs the result of a updateRole command.
*/
void logUpdateRole(Client* client,
const RoleName& role,
const std::vector* roles,
const PrivilegeVector* privileges,
const boost::optional& restrictions);
/**
* Logs the result of a dropRole command.
*/
void logDropRole(Client* client, const RoleName& role);
/**
* Logs the result of a dropAllRolesForDatabase command.
*/
void logDropAllRolesFromDatabase(Client* client, StringData dbname);
/**
* Logs the result of a grantRolesToRole command.
*/
void logGrantRolesToRole(Client* client, const RoleName& role, const std::vector& roles);
/**
* Logs the result of a revokeRolesFromRole command.
*/
void logRevokeRolesFromRole(Client* client,
const RoleName& role,
const std::vector& roles);
/**
* Logs the result of a grantPrivilegesToRole command.
*/
void logGrantPrivilegesToRole(Client* client,
const RoleName& role,
const PrivilegeVector& privileges);
/**
* Logs the result of a revokePrivilegesFromRole command.
*/
void logRevokePrivilegesFromRole(Client* client,
const RoleName& role,
const PrivilegeVector& privileges);
/**
* Logs the result of a replSet(Re)config command.
*/
void logReplSetReconfig(Client* client, const BSONObj* oldConfig, const BSONObj* newConfig);
/**
* Logs the result of an ApplicationMessage command.
*/
void logApplicationMessage(Client* client, StringData msg);
/**
* Logs the result of a shutdown command.
*/
void logShutdown(Client* client);
/**
* Logs the result of a createIndex command.
*/
void logCreateIndex(Client* client,
const BSONObj* indexSpec,
StringData indexname,
StringData nsname);
/**
* Logs the result of a createCollection command.
*/
void logCreateCollection(Client* client, StringData nsname);
/**
* Logs the result of a createDatabase command.
*/
void logCreateDatabase(Client* client, StringData dbname);
/**
* Logs the result of a dropIndex command.
*/
void logDropIndex(Client* client, StringData indexname, StringData nsname);
/**
* Logs the result of a dropCollection command.
*/
void logDropCollection(Client* client, StringData nsname);
/**
* Logs the result of a dropDatabase command.
*/
void logDropDatabase(Client* client, StringData dbname);
/**
* Logs a collection rename event.
*/
void logRenameCollection(Client* client, StringData source, StringData target);
/**
* Logs the result of a enableSharding command.
*/
void logEnableSharding(Client* client, StringData dbname);
/**
* Logs the result of a addShard command.
*/
void logAddShard(Client* client, StringData name, const std::string& servers, long long maxSize);
/**
* Logs the result of a removeShard command.
*/
void logRemoveShard(Client* client, StringData shardname);
/**
* Logs the result of a shardCollection command.
*/
void logShardCollection(Client* client, StringData ns, const BSONObj& keyPattern, bool unique);
/*
* Appends an array of user/db pairs and an array of role/db pairs
* to the provided metadata builder. The users and roles are extracted from the current client.
* They are to be the impersonated users and roles for a Command run by an internal user.
*/
void writeImpersonatedUsersToMetadata(OperationContext* opCtx, BSONObjBuilder* metadataBob);
} // namespace audit
} // namespace mongo