* This module describes free functions for logging various operations of interest to a
* party interested in generating logs of user activity in a MongoDB server instance.
#pragma once
#include "mongo/base/error_codes.h"
#include "mongo/db/auth/privilege.h"
#include "mongo/db/auth/user.h"
#include "mongo/util/net/op_msg.h"
namespace mongo {
class AuthorizationSession;
class BSONObj;
class Client;
class CommandInterface;
class NamespaceString;
class OperationContext;
class StringData;
class UserName;
namespace audit {
* Logs the result of an authentication attempt.
void logAuthentication(Client* client,
StringData mechanism,
const UserName& user,
ErrorCodes::Error result);
// Authorization (authz) logging functions.
// These functions generate log messages describing the disposition of access control
// checks.
* Logs the result of a command authorization check.
void logCommandAuthzCheck(Client* client,
const OpMsgRequest& cmdObj,
CommandInterface* command,
ErrorCodes::Error result);
* Logs the result of an authorization check for an OP_DELETE wire protocol message.
void logDeleteAuthzCheck(Client* client,
const NamespaceString& ns,
const BSONObj& pattern,
ErrorCodes::Error result);
* Logs the result of an authorization check for an OP_GET_MORE wire protocol message.
void logGetMoreAuthzCheck(Client* client,
const NamespaceString& ns,
long long cursorId,
ErrorCodes::Error result);
* Logs the result of an authorization check for an OP_INSERT wire protocol message.
void logInsertAuthzCheck(Client* client,
const NamespaceString& ns,
const BSONObj& insertedObj,
ErrorCodes::Error result);
* Logs the result of an authorization check for an OP_KILL_CURSORS wire protocol message.
void logKillCursorsAuthzCheck(Client* client,
const NamespaceString& ns,
long long cursorId,
ErrorCodes::Error result);
* Logs the result of an authorization check for an OP_QUERY wire protocol message.
void logQueryAuthzCheck(Client* client,
const NamespaceString& ns,
const BSONObj& query,
ErrorCodes::Error result);
* Logs the result of an authorization check for an OP_UPDATE wire protocol message.
void logUpdateAuthzCheck(Client* client,
const NamespaceString& ns,
const BSONObj& query,
const BSONObj& updateObj,
bool isUpsert,
bool isMulti,
ErrorCodes::Error result);
* Logs the result of a createUser command.
void logCreateUser(Client* client,
const UserName& username,
bool password,
const BSONObj* customData,
const std::vector& roles,
const boost::optional& restrictions);
* Logs the result of a dropUser command.
void logDropUser(Client* client, const UserName& username);
* Logs the result of a dropAllUsersFromDatabase command.
void logDropAllUsersFromDatabase(Client* client, StringData dbname);
* Logs the result of a updateUser command.
void logUpdateUser(Client* client,
const UserName& username,
bool password,
const BSONObj* customData,
const std::vector* roles,
const boost::optional& restrictions);
* Logs the result of a grantRolesToUser command.
void logGrantRolesToUser(Client* client,
const UserName& username,
const std::vector& roles);
* Logs the result of a revokeRolesFromUser command.
void logRevokeRolesFromUser(Client* client,
const UserName& username,
const std::vector& roles);
* Logs the result of a createRole command.
void logCreateRole(Client* client,
const RoleName& role,
const std::vector& roles,
const PrivilegeVector& privileges,
const boost::optional& restrictions);
* Logs the result of a updateRole command.
void logUpdateRole(Client* client,
const RoleName& role,
const std::vector* roles,
const PrivilegeVector* privileges,
const boost::optional& restrictions);
* Logs the result of a dropRole command.
void logDropRole(Client* client, const RoleName& role);
* Logs the result of a dropAllRolesForDatabase command.
void logDropAllRolesFromDatabase(Client* client, StringData dbname);
* Logs the result of a grantRolesToRole command.
void logGrantRolesToRole(Client* client, const RoleName& role, const std::vector& roles);
* Logs the result of a revokeRolesFromRole command.
void logRevokeRolesFromRole(Client* client,
const RoleName& role,
const std::vector& roles);
* Logs the result of a grantPrivilegesToRole command.
void logGrantPrivilegesToRole(Client* client,
const RoleName& role,
const PrivilegeVector& privileges);
* Logs the result of a revokePrivilegesFromRole command.
void logRevokePrivilegesFromRole(Client* client,
const RoleName& role,
const PrivilegeVector& privileges);
* Logs the result of a replSet(Re)config command.
void logReplSetReconfig(Client* client, const BSONObj* oldConfig, const BSONObj* newConfig);
* Logs the result of an ApplicationMessage command.
void logApplicationMessage(Client* client, StringData msg);
* Logs the result of a shutdown command.
void logShutdown(Client* client);
* Logs the result of a createIndex command.
void logCreateIndex(Client* client,
const BSONObj* indexSpec,
StringData indexname,
StringData nsname);
* Logs the result of a createCollection command.
void logCreateCollection(Client* client, StringData nsname);
* Logs the result of a createDatabase command.
void logCreateDatabase(Client* client, StringData dbname);
* Logs the result of a dropIndex command.
void logDropIndex(Client* client, StringData indexname, StringData nsname);
* Logs the result of a dropCollection command.
void logDropCollection(Client* client, StringData nsname);
* Logs the result of a dropDatabase command.
void logDropDatabase(Client* client, StringData dbname);
* Logs a collection rename event.
void logRenameCollection(Client* client, StringData source, StringData target);
* Logs the result of a enableSharding command.
void logEnableSharding(Client* client, StringData dbname);
* Logs the result of a addShard command.
void logAddShard(Client* client, StringData name, const std::string& servers, long long maxSize);
* Logs the result of a removeShard command.
void logRemoveShard(Client* client, StringData shardname);
* Logs the result of a shardCollection command.
void logShardCollection(Client* client, StringData ns, const BSONObj& keyPattern, bool unique);
* Appends an array of user/db pairs and an array of role/db pairs
* to the provided metadata builder. The users and roles are extracted from the current client.
* They are to be the impersonated users and roles for a Command run by an internal user.
void writeImpersonatedUsersToMetadata(OperationContext* opCtx, BSONObjBuilder* metadataBob);
} // namespace audit
} // namespace mongo