My team has found itself in the position of needing to iterate through the Database Access History Logs in order to discover whether or not a database user has been used during the past t time periods.
We need to have this functionality in order to guarantee a seamless credential rotation.
With the current API, this operation requires iterating over each cluster's access logs for the past t time periods. If I have "n" clusters and "t" time periods, this is an O(n * t) runtime. I'm not really great at O() notation, but if t is greater than n I think it's worse than O(n^2) runtime.
What I would recommend is adding an index on username. If I want to know whether that user has been used in the past t time periods on a cluster, I just use the username in the filter, and if it hasn't been used I receive 0 results for access.
To be frank, the database access log is fairly unusable without a username index because I can't filter by any useful criteria. An attacker will likely _not_ know the correct username to use, or will access the DB with an unauthenticated session. I can't efficiently find instances of these accesses with the current API.
The IP index is also fairly useless unless it can support CIDR, so I can identify whether requests are coming from my network or from outside.
I think it would also be important to support a NOT query on username, so I can look for accesses that are NOT using my known usernames.
API I'm referencing: https://docs.atlas.mongodb.com/reference/api/access-tracking-get-database-history-clustername/
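As an added example (not part of the feature request above, and not MongoDB's code), here is the client-side post-processing the post is asking the API to do server-side: "was user X seen on any cluster in the last t days", "which accesses used a username we don't recognise", and "which accesses came from outside our CIDR ranges". The entry field names (`username`, `ipAddress`, `authResult`, `timestamp`) are assumed to match the `accessLogs` objects in the linked documentation; the timestamp format, the known-user set, the networks and every log record are constructed for the example.

```python
# Added example: filter Atlas database access history entries client-side.
# Field names are assumed from the linked API docs; all data is constructed.
from datetime import datetime, timedelta, timezone
import ipaddress

KNOWN_USERS = {"app_rw", "reporting_ro"}                      # assumed: the users we rotate
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]
NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)               # fixed "now" keeps the example deterministic

# Constructed sample data, one list per cluster, as if each list were the
# accessLogs array returned by GET .../dbAccessHistory/clusters/{clusterName}.
SAMPLE_LOGS = {
    "cluster-a": [
        {"username": "app_rw", "ipAddress": "10.1.2.3", "authResult": True, "timestamp": "2021-02-28T10:00:00Z"},
        {"username": "reporting_ro", "ipAddress": "192.168.1.40", "authResult": True, "timestamp": "2021-01-15T08:30:00Z"},
        {"username": "admin", "ipAddress": "203.0.113.7", "authResult": False, "timestamp": "2021-02-27T23:59:00Z"},
    ],
    "cluster-b": [
        {"username": "app_rw", "ipAddress": "10.4.0.9", "authResult": True, "timestamp": "2021-02-20T12:00:00Z"},
        {"username": "app_rw", "ipAddress": "198.51.100.22", "authResult": True, "timestamp": "2021-02-26T12:00:00Z"},
    ],
}


def parse_ts(ts: str) -> datetime:
    """Assumed ISO 8601 with a trailing Z; adapt this one function to the real response format."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_internal(ip: str, nets=INTERNAL_NETS) -> bool:
    """The CIDR match the post asks the ipAddress filter to support."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def last_seen(logs_by_cluster, username, successful_only=True):
    """Most recent time `username` authenticated on any cluster, or None if never.

    This is the O(n * t) scan from the post: every entry of every cluster is
    visited because the API cannot filter on username for us.
    """
    seen = None
    for entries in logs_by_cluster.values():
        for e in entries:
            if e["username"] != username or (successful_only and not e["authResult"]):
                continue
            ts = parse_ts(e["timestamp"])
            if seen is None or ts > seen:
                seen = ts
    return seen


def stale_users(logs_by_cluster, candidates, days, now=NOW):
    """Candidates with no successful login in the last `days` days: safe to rotate out."""
    cutoff = now - timedelta(days=days)
    stale = []
    for user in candidates:
        ls = last_seen(logs_by_cluster, user)
        if ls is None or ls < cutoff:
            stale.append(user)
    return sorted(stale)


def unexpected_accesses(logs_by_cluster, known_users=KNOWN_USERS, nets=INTERNAL_NETS):
    """The NOT-username and outside-CIDR filters from the post, applied client-side.

    Returns (cluster, username, ipAddress, reasons) for every entry that either
    used a username outside `known_users` or came from outside `nets`.
    """
    hits = []
    for cluster, entries in logs_by_cluster.items():
        for e in entries:
            reasons = []
            if e["username"] not in known_users:
                reasons.append("unknown username")
            if not is_internal(e["ipAddress"], nets):
                reasons.append("external IP")
            if reasons:
                hits.append((cluster, e["username"], e["ipAddress"], ", ".join(reasons)))
    return hits


if __name__ == "__main__":
    print("stale after 30 days:", stale_users(SAMPLE_LOGS, KNOWN_USERS, 30))
    for hit in unexpected_accesses(SAMPLE_LOGS):
        print("review:", hit)
```

Failed authentications are excluded from `last_seen` on purpose: a credential that only appears in failed attempts is not "in use" and should not block rotation, but those same failures are exactly what `unexpected_accesses` surfaces for review.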