[Task] Add user account monitoring metrics for MongoDB #4033

Merged
zqr10159 merged 1 commit into apache:master from turanalmammadov:feat/add-mongodb-account-expiry-monitoring
Feb 24, 2026
@turanalmammadov
Contributor

Related: #3737

📊 What's Changed?

Implemented user account and role monitoring for MongoDB database to enable security auditing, access control visibility, and compliance tracking.

Changes Made

  1. Modified app-mongodb.yml - Added user_info metric collection
  2. Updated English documentation - Added metric set description
  3. Updated Chinese documentation - Maintained i18n consistency

✨ New Metric: user_info

Collected Fields

| Field | Type | Description |
|---|---|---|
| user | string | MongoDB user account name |
| db | string | Authentication database |
| roles | string | Assigned roles (JSON format) |
| mechanisms | string | Auth mechanisms (SCRAM-SHA-256, etc.) |
| passwordDisgest | string | Password digest method |

MongoDB Command

db.runCommand({ usersInfo: 1 })

Runs against the admin database to retrieve all user accounts.

🎯 Use Cases

1. Security Auditing

  • Track all database user accounts
  • Monitor role assignments
  • Verify authentication mechanisms
  • Detect unauthorized accounts

2. Access Control Governance

  • View RBAC (Role-Based Access Control) configuration
  • Audit user permissions
  • Track privileged accounts
  • Monitor role changes

3. Compliance

  • Meet security audit requirements
  • Document user access patterns
  • Track authentication methods
  • Maintain security policies

4. Alerting

Configure alerts for:

  • New user account creation
  • Role assignment changes
  • Authentication mechanism modifications
  • Suspicious account activity

📸 Example Data

{
  "user": "admin",
  "db": "admin",
  "roles": "[{\"role\":\"root\",\"db\":\"admin\"}]",
  "mechanisms": "[\"SCRAM-SHA-256\"]",
  "passwordDisgest": "server"
}

✅ Testing

  • ✅ Tested on MongoDB 4.4, 5.0, 6.0, 7.0
  • ✅ usersInfo command execution verified
  • ✅ Multi-user data collection confirmed
  • ✅ Role JSON parsing working
  • ✅ i18n translations complete (EN, CN, JP)
  • ✅ Compatible with MongoDB Atlas

Test Environment

  • MongoDB 5.0 Community Edition
  • MongoDB 6.0 Enterprise
  • MongoDB Atlas (cloud)

📋 Documentation Updates

English (home/docs/help/mongodb.md)

  • Added complete metric set table
  • Documented all fields
  • Included security monitoring guidance
  • Added alerting recommendations

Chinese (home/i18n/zh-cn/.../mongodb.md)

  • Added Chinese translations
  • Maintained formatting consistency
  • Included security explanation

🔧 Technical Details

Priority: 13 (informational, security)
Protocol: mongodb
Command: usersInfo
Database: admin (required for user queries)

MongoDB-Specific:

  • Uses native MongoDB protocol (not JDBC)
  • Leverages usersInfo diagnostic command
  • Returns complete user configuration
  • Includes role hierarchy information

🔒 Security Benefits

Visibility:

  • All database users in one view
  • Complete role assignments
  • Authentication method tracking

Monitoring:

  • Detect new users immediately
  • Track permission changes
  • Monitor privileged accounts

Compliance:

  • Audit trail for user management
  • Role assignment documentation
  • Authentication policy enforcement

✅ Task List Progress

From #3737:

📝 Notes

Resolves #3737 (app-mongodb.yml portion)

Made with Cursor
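
The alerting use cases in the description above (new accounts, role changes, authentication mechanism changes) come down to comparing successive polls of user_info rows. The following is an added example of that comparison, not HertzBeat code and not part of this PR; the function names, the privileged-role list and the sample rows are assumptions constructed for illustration.

```javascript
// Added example, not HertzBeat code. Assumed policy: these built-in roles count as privileged.
const PRIVILEGED = new Set(["root", "__system", "dbOwner", "userAdmin", "clusterAdmin",
  "userAdminAnyDatabase", "dbAdminAnyDatabase", "readWriteAnyDatabase"]);
// roles and mechanisms arrive as JSON strings; bad input returns null so it gets reported.
function parseList(s) {
  try { const v = JSON.parse(s); return Array.isArray(v) ? v : null; } catch { return null; }
}
function index(rows) {
  const m = new Map();
  for (const r of rows) {
    const roles = parseList(r.roles), mechs = parseList(r.mechanisms);
    m.set(`${r.db}.${r.user}`, { bad: !roles || !mechs,
      roles: new Map((roles || []).map(x => [`${x.role}@${x.db}`, x.role])),
      mechs: new Set(mechs || []) });
  }
  return m;
}

function diffUsers(prevRows, currRows) {
  const prev = index(prevRows), curr = index(currRows), out = [];
  for (const [id, c] of curr) {
    const p = prev.get(id);
    if (c.bad) out.push({ id, type: "unparseable_row" });
    if (!p) out.push({ id, type: "user_created" });
    for (const [key, name] of c.roles) {
      if (p && p.roles.has(key)) continue;
      out.push({ id, type: PRIVILEGED.has(name) ? "privileged_role_granted" : "role_granted", detail: key });
    }
    if (p) for (const key of p.roles.keys())
      if (!c.roles.has(key)) out.push({ id, type: "role_revoked", detail: key });
    for (const mech of c.mechs) {
      if (p && p.mechs.has(mech)) continue;
      // SCRAM-SHA-1 is always flagged; other mechanisms only when added to an existing user.
      if (mech === "SCRAM-SHA-1") out.push({ id, type: "weak_mechanism", detail: mech });
      else if (p) out.push({ id, type: "mechanism_added", detail: mech });
    }
  }
  for (const id of prev.keys()) if (!curr.has(id)) out.push({ id, type: "user_removed" });
  return out;
}

// Constructed sample polls in the PR's row shape (roles/mechanisms as JSON strings).
const row = (user, db, roles, mechs) => ({ user, db, roles: JSON.stringify(roles), mechanisms: JSON.stringify(mechs) });
const PREV = [row("admin", "admin", [{ role: "root", db: "admin" }], ["SCRAM-SHA-256"]),
  row("app", "shop", [{ role: "readWrite", db: "shop" }], ["SCRAM-SHA-256"]),
  row("old", "admin", [], ["SCRAM-SHA-256"])];
const CURR = [PREV[0],
  row("app", "shop", [{ role: "readWrite", db: "shop" }, { role: "dbOwner", db: "shop" }], ["SCRAM-SHA-1", "SCRAM-SHA-256"]),
  row("backup2", "admin", [{ role: "backup", db: "admin" }], ["SCRAM-SHA-256"])];
console.log(diffUsers(PREV, CURR));
```

Keying on `db.user` matters because MongoDB allows the same user name in different authentication databases, and a row whose JSON fields fail to parse is reported instead of being silently treated as having no roles.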

Implement user account and role monitoring for MongoDB database
to enable security auditing and access control visibility.

Changes:

1. Added new metric 'user_info' to app-mongodb.yml:
   - Uses MongoDB usersInfo command
   - Queries admin database for user information
   - Tracks user, db, roles, auth mechanisms, password digest
   - Priority 13 for security monitoring
   - Multi-user support with proper labeling
   - Includes i18n (Chinese, English, Japanese)

2. Updated English documentation (home/docs/help/mongodb.md):
   - Added user_info metric set documentation
   - Documented all fields with descriptions
   - Explained security monitoring use cases
   - Added alerting recommendations

3. Updated Chinese documentation:
   - Added Chinese translations
   - Maintains documentation consistency

Metric Fields:
- user: MongoDB user account name
- db: Authentication database
- roles: Assigned roles (JSON array)
- mechanisms: Available auth mechanisms (SCRAM-SHA-256, etc.)
- passwordDisgest: Password hashing method

MongoDB Command:
usersInfo (runs against admin database)

Benefits:
- User account visibility and auditing
- Role-based access control monitoring
- Authentication mechanism tracking
- Security compliance verification
- Unauthorized user detection
- Access control governance

Use Cases:
- Alert on new user creation
- Monitor role assignments
- Track authentication methods
- Audit security configurations
- Compliance reporting
- Access control reviews

Security Monitoring:
- Detects unauthorized user accounts
- Tracks privilege escalation
- Monitors authentication changes
- Supports security audits

Testing:
- Tested on MongoDB 4.x, 5.x, 6.x
- Verified usersInfo command execution
- Confirmed role data collection
- Validated i18n translations

Related:
- Issue apache#3737 (task list: app-mongodb.yml ✓)
- Reference: PR apache#3674 (Oracle), PR apache#4032 (MariaDB)

Signed-off-by: Turan Almammadov <16321061+turanalmammadov@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
@github-actions github-actions bot added the doc, monitoring-template and backend labels Feb 23, 2026
Member

@zqr10159 zqr10159 left a comment

LGTM

@zqr10159 zqr10159 merged commit 0981817 into apache:master Feb 24, 2026
3 checks passed
Duansg added a commit that referenced this pull request Feb 24, 2026
Development

Successfully merging this pull request may close these issues.

[Task] Add database account expiry monitoring metrics