DOCSP-26175 auditConfig Cluster Parameters (#4790)

* DOCSP-32722 Cluster Parameter Reference Page (#4471) (#4682)

* DOCSP-32722 Cluster Parameter Reference Page

* wording

* *

* typo

* JA feedback

* adjust wording under Syntax section

* nit edits

* DOCSP-32723 changeStreamOptions Reference Page (#4592) (#4710)

* DOCSP-32723 changeStreamOptions Reference Page

* text styling

* indentations

* move text to include

* JD feedback

* DOCSP-32724 auditConfig Cluster Parameter (#4691)

* DOCSP-32724 auditConfig Cluster Parameter

* build errors

* add to release notes

* build errors

* JD feedback [still in progress]

* deprecation warnings

* compatibility changes

* external review feedback

* typo

Author: ajhuh-mdb

snooty.toml

@@ -120,6 +120,7 @@ toc_landing_pages = [
    "/reference/aggregation",
    "/reference/bson-types",
    "/reference/change-events",
+   "/reference/cluster-parameters",
    "/reference/collation",
    "/reference/command",
    "/reference/command/nav-administration",

source/includes/deprecated-get-set-auditconfig.rst

@@ -0,0 +1,2 @@
+*Deprecated in version 7.1:* Use the :parameter:`auditConfig` cluster 
+parameter instead.

source/includes/fact-auditConfig.rst

@@ -0,0 +1,2 @@
+Object that contains information on audit configurations from 
+:binary:`~bin.mongod` and :binary:`~bin.mongos` server instances. 

source/includes/fact-changeStreamOptions.rst

@@ -0,0 +1,5 @@
+An object that contains :ref:`change stream <changeStreams>` configuration 
+options. 
+   
+You can only set ``changeStreamOptions`` on :binary:`~bin.mongos` or a 
+replica set primary. The value is set cluster-wide.

source/includes/fact-enable-runtime-audit-configuration.rst

@@ -23,5 +23,5 @@ The server logs an error and fails to start if:
 -  either :setting:`auditLog.filter` or :parameter:`auditAuthorizationSuccess` is set.
 
 To modify audit filters and the :parameter:`auditAuthorizationSuccess` parameter at
-runtime, see :dbcommand:`setAuditConfig`.
+runtime, see :parameter:`auditConfig`.
 

source/reference.txt

@@ -106,6 +106,7 @@ Reference
    :titlesonly: 
    :hidden: 
 
+   /reference/cluster-parameters
    /reference/collation
    /reference/configuration-options
    /reference/connection-string
@@ -116,7 +117,6 @@ Reference
    /reference/explain-results
    /reference/glossary
    /reference/log-messages
-   /reference/cluster-parameters
    /reference/limits
    /reference/program
    /reference/parameters

source/reference/audit-message.txt

@@ -1,3 +1,5 @@
+.. _audit-message:
+
 ===========================
 System Event Audit Messages
 ===========================

source/reference/cluster-parameters.txt

@@ -1,8 +1,8 @@
 .. _cluster-parameters:
 
-==========================
-MongoDB Cluster Parameters
-==========================
+==================
+Cluster Parameters
+==================
 
 .. default-domain:: mongodb
 
@@ -12,25 +12,28 @@ MongoDB Cluster Parameters
    :depth: 2
    :class: singlecol
 
-Synopsis
---------
+You can use MongoDB cluster parameters to specify configuration options that 
+affect all nodes in a replica set or sharded cluster.
 
-You can specify configuration options which affect all nodes in a 
-replica set or sharded cluster. To set these options, use the 
-:dbcommand:`setClusterParameter` command:
+Syntax
+------
+
+To set cluster parameters for your deployment, run the following command on the 
+``admin`` database:
 
 .. code-block:: javascript
 
    db.adminCommand( { setClusterParameter:{ <parameter>: <value> } } )
 
-To view the current values of cluster parameters, use the 
-:dbcommand:`getClusterParameter` command: 
+To view the current cluster parameter values, run the following command on the 
+``admin`` database: 
 
 .. code-block:: javascript
 
-   db.adminCommand( { getClusterParameter: <parameter> } )
+   db.adminCommand( { getClusterParameter: "*" } )
 
-.. include:: /includes/reference/fact-setClusterParameter-availability.rst
+To learn more about setting and viewing cluster parameters, see 
+:dbcommand:`setClusterParameter` and :dbcommand:`getClusterParameter`.
 
 Parameters
 ----------
@@ -41,48 +44,40 @@ Parameters
 
 .. |both| replace:: Available for both :binary:`~bin.mongod` and :binary:`~bin.mongos`.
 
-.. parameter:: changeStreamOptions
-
-   .. versionadded:: 6.0
-
-   |both|
-   
-   This is an object containing :ref:`change stream <change-streams-update-event>` 
-   configuration options. 
-
-   You can only set ``changeStreamOptions`` on mongos or a 
-   replica set primary. The value is set cluster-wide.
-   
-   .. parameter:: changeStreamOptions.preAndPostImages.expireAfterSeconds
-   
-      .. versionadded:: 6.0
-
-      *Default*: off
-   
-      Controls the retention policy of change stream pre- and post-images.
-      Pre- and post-images are the versions of a document before and after 
-      document modification respectively. ``expireAfterSeconds`` 
-      controls how long pre- and post-images are retained. 
-
-      When ``expireAfterSeconds`` is ``off``, MongoDB uses the default retention 
-      policy: pre- and post-images are retained until the corresponding change 
-      stream events are removed from the :term:`oplog`.  
-
-      To specify the minimum pre- and post-image retention time:
-      
-      - Set ``expireAfterSeconds`` using an integer. 
-      
-      - If a change stream event is removed from the oplog, then the 
-        corresponding pre- and post-images are also deleted regardless of the 
-        ``expireAfterSeconds`` pre- and post-image retention time.
-
-      The following example sets the retention time for pre- and post-images in 
-      change streams to ``100 seconds``:
-
-      .. code-block:: javascript
-
-         db.runCommand( {
-            setClusterParameter: {
-            changeStreamOptions: { preAndPostImages: { expireAfterSeconds: 100 } }
-            }
-         } )
+MongoDB provides the following cluster parameters:
+
+.. list-table::
+   :widths: 20, 30, 50
+   :header-rows: 1
+
+   * - Name
+
+     - Availability 
+
+     - Description
+
+   * - :parameter:`auditConfig`
+
+     - |both|
+
+     - .. include:: /includes/fact-auditConfig.rst
+
+   * - :parameter:`changeStreamOptions`
+
+     - |both|
+
+     - .. include:: /includes/fact-changeStreamOptions.rst
+
+Learn More 
+----------
+
+- :dbcommand:`getClusterParameter`
+
+- :dbcommand:`setClusterParameter`
+
+.. toctree::
+   :titlesonly:
+   :hidden:
+
+   /reference/cluster-parameters/auditConfig
+   /reference/cluster-parameters/changeStreamOptions

source/reference/cluster-parameters/auditConfig.txt

@@ -0,0 +1,182 @@
+.. _auditConfig:
+
+===========
+auditConfig
+===========
+
+.. default-domain:: mongodb
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 2
+   :class: singlecol
+
+.. |both| replace:: Available for both :binary:`~bin.mongod` and :binary:`~bin.mongos`.
+
+Definition 
+----------
+
+.. parameter:: auditConfig
+
+   .. versionadded:: 7.1
+
+   |both|
+
+   .. include:: /includes/fact-auditConfig.rst
+
+Syntax 
+------
+
+To set ``auditConfig`` for your deployment, run the following command on 
+the ``admin`` database:
+
+.. code-block:: javascript
+
+   db.adminCommand( { setClusterParameter: { auditConfig: <value> } } )
+
+To view current values for the ``auditConfig`` cluster parameter, run 
+the following command on the ``admin`` database: 
+
+.. code-block:: javascript
+
+   db.adminCommand( { getClusterParameter: "auditConfig" } )
+
+Parameter Fields
+----------------
+
+.. parameter:: auditConfig.auditAuthorizationSuccess
+
+   *Type*: boolean
+
+   *Default*: false
+
+   Enables the :ref:`auditing <auditing>` of authorization
+   successes for the :ref:`authCheck <audit-action-details-results>`
+   action.
+
+   To audit read and write operations, ``auditConfig.auditAuthorizationSuccess`` 
+   must be set to ``true``.
+
+   When ``auditConfig.auditAuthorizationSuccess`` is ``false``, the
+   audit system only logs the authorization failures for ``authCheck``. When 
+   :parameter:`auditAuthorizationSuccess` is ``false``, auditing has less 
+   performance impact because the audit system only logs authorization failures.
+
+.. parameter:: auditConfig.filter
+
+   *Type*: document
+
+   *Default*: none
+
+   Filter expression that controls which :ref:`types of operations 
+   <audit-action-details-results>` that the :ref:`audit system <auditing>` 
+   records. 
+
+   The document fields can be :ref:`any field in the audit message
+   <audit-message>`, including fields returned in the
+   :ref:`param <audit-action-details-results>` document. The field values are 
+   :ref:`query condition expressions <query-selectors>`.
+
+   To view a sample filter document, see the :ref:`Examples section 
+   <auditconfig-example>`. 
+
+Behavior
+--------
+
+Auditing must be enabled to use ``auditConfig``.
+
+Retrieving Audit Configurations
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If :ref:`runtime audit configuration <configure-audit-filters-at-runtime>`
+is enabled, the ``auditAuthorizationSuccess`` parameter doesn't appear in the 
+``mongod`` or ``mongos`` configuration file. The server will fail to start if 
+the parameter is present.
+
+If you run ``getClusterParameter`` on ``auditConfig``, nodes that do not
+participate in a runtime audit configuration return their current configuration 
+file settings for ``auditLog.filter`` and 
+``setParameter.auditAuthorizationSuccess``.
+
+Setting Audit Configurations 
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When you set audit configurations with :dbcommand:`setClusterParameter`, changes 
+immediately take effect on all :ref:`config servers <sharding-config-server>` 
+and shards in a sharded cluster.
+
+Setting too wide of an audit filter or enabling 
+``auditConfig.auditAuthorizationSuccess`` can degrade performance.
+
+.. _auditconfig-example:
+
+Example 
+-------
+
+The following example uses the ``setClusterParameter`` command to enable 
+auditing when a collection is created or deleted. The audit messages have been 
+reformatted. They appear on a single line in the log file.
+
+.. code-block:: javascript
+
+   db.adminCommand( 
+      { 
+         setClusterParameter: { 
+            auditConfig: {
+               filter: { 
+                  atype: {
+                     $in: [ "createCollection", "dropCollection" ]
+                  }
+               }, 
+               auditAuthorizationSuccess: false
+            }
+         } 
+      } 
+   )
+
+After setting the ``auditConfig`` parameter, if you create an ``inventory`` 
+collection in the ``sales`` database, the audit system logs a message that 
+resembles the following:
+
+.. code-block:: javascript
+   .. copyable: false
+
+   {
+      "atype" : "createCollection",
+      "ts" : { "$date" : "2021-08-09T13:45:05.372+00:00" },
+      "uuid" : { "$binary" : "RKU/YLizS6K9se2GUU7ZVQ==", "$type" : "04" },
+      "local" : { "ip" : "127.0.0.1", "port" : 27502 },
+      "remote" : { "ip" : "127.0.0.1", "port" : 51918 },
+      "users" : [],
+      "roles" : [],
+      "param" : { "ns" : "sales.inventory" },
+      "result" : 0
+   }
+
+If the ``inventory`` collection is dropped from the ``sales`` database, the 
+audit system logs a message similar to the following:
+
+.. code-block:: javascript
+   .. copyable: false
+
+   {
+      "atype" : "dropCollection",
+      "ts" : { "$date" : "2021-08-09T13:45:00.661+00:00" },
+      "uuid" : { "$binary" : "0gle4/pSQli+LUcz43ykag==", "$type" : "04" },
+      "local" : { "ip" : "127.0.0.1", "port" : 27502 },
+      "remote" : { "ip" : "127.0.0.1", "port" : 51928 },
+      "users" : [],
+      "roles" : [],
+      "param" : { "ns" : "sales.inventory" },
+      "result" : 0
+   }
+
+Learn More 
+----------
+
+- :ref:`auditing`
+- :ref:`audit-action-details-results`
+- :ref:`cluster-parameters`
+- :ref:`configure-audit-filters-at-runtime`
+- :ref:`audit-message`