
SERVER-39820 Include client IP in log message for successful authentication

This commit is contained in:
Jonathan Reams 2019-03-18 14:52:38 -04:00
parent d9d6f2d08a
commit 0a847ef845
No known key found for this signature in database
GPG Key ID: BFC3C11579AD87D6
4 changed files with 48 additions and 4 deletions


@ -0,0 +1,29 @@
// This test just checks that the success/failure messages for authentication include the IP
// address of the client attempting to authenticate.
(function() {
const conn = MongoRunner.runMongod({auth: ""});
const admin = conn.getDB("admin");
admin.createUser({
user: "root",
pwd: "root",
roles: ["root"],
});
assert(admin.auth("root", "root"));
const failConn = new Mongo(conn.host);
failConn.getDB("admin").auth("root", "toot");
const log = assert.commandWorked(admin.runCommand({getLog: "global"})).log;
const successRegex =
/Successfully authenticated as principal root on admin from client (?:\d{1,3}\.){3}\d{1,3}:\d+/;
const failRegex =
/SASL SCRAM-SHA-\d+ authentication failed for root on admin from client (?:\d{1,3}\.){3}\d{1,3}:\d+/;
assert(log.some((line) => successRegex.test(line)));
assert(log.some((line) => failRegex.test(line)));
MongoRunner.stopMongod(conn);
})();
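Review bot: The client-address pattern `(?:\d{1,3}\.){3}\d{1,3}:\d+` in both regexes accepts only an IPv4 `host:port`, so the test fails as soon as the mongod is reached over IPv6 (`[::1]:port`) or a Unix socket, even though the log line itself would be correct. Matching the literal `" from client "` followed by a non-empty address, for example `/ from client \S+:\d+/`, keeps the intent of the check (an address is present) without pinning the address family. The failed attempt `failConn.getDB("admin").auth("root", "toot")` is also not asserted; `assert(!failConn.getDB("admin").auth("root", "toot"))` makes the expectation explicit instead of relying on the log regex alone. The failure wording the second regex expects is produced by code outside this commit, so it cannot be checked against this diff.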


@ -44,7 +44,8 @@ function authAndTest(mongo) {
user: CLIENT_USER,
roles: [
{'role': 'userAdminAnyDatabase', 'db': 'admin'},
{'role': 'readWriteAnyDatabase', 'db': 'admin'}
{'role': 'readWriteAnyDatabase', 'db': 'admin'},
{'role': 'clusterMonitor', 'db': 'admin'},
]
});
@ -70,6 +71,14 @@ function authAndTest(mongo) {
assert(external.runCommand({authenticate: 1, mechanism: 'MONGODB-X509'}).ok,
"runCommand authentication with valid client cert and no user field failed");
// Check that there's a "Successfully authenticated" message that includes the client IP
const log =
assert.commandWorked(external.getSiblingDB("admin").runCommand({getLog: "global"})).log;
const successRegex = new RegExp(`Successfully authenticated as principal ${CLIENT_USER} on ` +
`\\$external from client (?:\\d{1,3}\\.){3}\\d{1,3}:\\d+`);
assert(log.some((line) => successRegex.test(line)));
// Check that we can add a user and read data
test.createUser(
{user: "test", pwd: "test", roles: [{'role': 'readWriteAnyDatabase', 'db': 'admin'}]});
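Review bot: `${CLIENT_USER}` is interpolated into the RegExp unescaped, so any regex metacharacter in the X.509 subject name (`.`, `+`, parentheses) is treated as syntax rather than matched literally, which makes the match looser than intended and would pass on a near-miss principal. Either escape the value before building the pattern or check the literal prefix with `line.indexOf("Successfully authenticated as principal " + CLIENT_USER + " on $external from client ") !== -1` and validate the remainder separately. The address part `(?:\\d{1,3}\\.){3}\\d{1,3}:\\d+` is IPv4-only, the same limitation as in the new authentication-log test in this commit. The `clusterMonitor` role added in the first hunk presumably exists so this user may run `getLog`; a comment on that line, `// clusterMonitor: needed for getLog below`, would make the dependency visible. `authAndTest` starts and ends outside the hunk.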


@ -210,7 +210,8 @@ Status doSaslStep(OperationContext* opCtx,
if (!serverGlobalParams.quiet.load()) {
log() << "Successfully authenticated as principal " << mechanism.getPrincipalName()
<< " on " << mechanism.getAuthenticationDatabase();
<< " on " << mechanism.getAuthenticationDatabase() << " from client "
<< opCtx->getClient()->session()->remote();
}
}
return Status::OK();
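Review bot: `opCtx->getClient()->session()->remote()` on the new line dereferences the session with no check, while the `client->hasRemote()` guard that this same commit removes from the failure path of `CmdAuthenticate::run` shows the codebase expects clients without a remote; if a session-less client (an internal or direct client, for instance) can reach this path, a successful authentication would crash on the log line. The new success log in `CmdAuthenticate::run` uses the same unguarded expression, and its failure path now calls `client->getRemote()` unconditionally. I would use one form at all three sites, e.g. `auto client = opCtx->getClient();` followed by `<< (client->hasRemote() ? " from client " + client->getRemote().toString() : "")`, or else confirm that every caller of these paths always has a session and state that invariant in a comment. `doSaslStep` starts outside the hunk.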


@ -285,8 +285,7 @@ bool CmdAuthenticate::run(OperationContext* opCtx,
if (!status.isOK()) {
if (!serverGlobalParams.quiet.load()) {
auto const client = opCtx->getClient();
log() << "Failed to authenticate " << user
<< (client->hasRemote() ? (" from client " + client->getRemote().toString()) : "")
log() << "Failed to authenticate " << user << " from client " << client->getRemote()
<< " with mechanism " << mechanism << ": " << status;
}
sleepmillis(saslGlobalParams.authFailedDelay.load());
@ -299,6 +298,12 @@ bool CmdAuthenticate::run(OperationContext* opCtx,
}
return false;
}
if (!serverGlobalParams.quiet.load()) {
log() << "Successfully authenticated as principal " << user.getUser() << " on "
<< user.getDB() << " from client " << opCtx->getClient()->session()->remote();
}
result.append("dbname", user.getDB());
result.append("user", user.getUser());
return true;
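Review bot: The success line added at the end of `CmdAuthenticate::run` repeats the wording of the one in `doSaslStep` (`"Successfully authenticated as principal "` ... `" on "` ... `" from client "`), and both new tests regex-match that exact text, so a later edit to one site silently breaks the other; a small shared helper taking the principal, database and client would keep them in step. The two hunks in this file also obtain the client address differently (`client->getRemote()` on the failure path, `opCtx->getClient()->session()->remote()` on the success path); using one form makes it obvious that both carry the same precondition. `CmdAuthenticate::run` starts outside the hunk.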