Child pages
  • Sentry Audit Log
Skip to end of metadata
Go to start of metadata

The Sentry audit log is responsible for logging the authorization metadata change, the following operations will be logged:

create role, drop role, add role to group, delete role from group, grant privilege, revoke privilege.

Configuration

The audit log can be configured in the log4j.properties:

Audit log for Hive Model:

  log4j.logger.sentry.hive.authorization.ddl.logger=INFO, sentryHiveAudit

  log4j.appender.sentryHiveAudit=org.apache.sentry.provider.db.log.appender.RollingFileWithoutDeleteAppender   # set the appender class

  log4j.appender.sentryHiveAudit.File=/var/log/sentry/sentryHiveAudit.log          # set the log file location

  log4j.appender.sentryHiveAudit.MaxFileSize=5MB                                           # set the max size for the log file

  log4j.appender.sentryHiveAudit.layout= org.apache.log4j.PatternLayout         # set the layout class

  log4j.appender.sentryHiveAudit.layout.ConversionPattern=%m%n                  # set the message format

Audit log for generic model:

  log4j.logger.sentry.generic.authorization.ddl.logger=INFO, sentryGenericAudit

  log4j.appender.sentryGenericAudit.File=/var/log/sentry/sentryGenericAudit.log    # set the log file location

  log4j.appender.sentryGenericAudit.MaxFileSize=5MB                                           # set the max size for the log file

  log4j.appender.sentryGenericAudit.layout= org.apache.log4j.PatternLayout         # set the layout class

  log4j.appender.sentryGenericAudit.layout.ConversionPattern=%m%n                  # set the message format

Format

The audit log is generated with log4j and in json format, the following are the examples for Hive model and Generic model:

Audit log for Hive model:

Create role:

 {

 "serviceName" : "hiverServer1",

  "userName" : "hive",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "CREATE_ROLE",

  "eventTime" : 1405027518637,

  "operationText" : "CREATE ROLE testRole",

  "allowed" : "true",

  "objectType" : "ROLE",

  "databaseName" : "",

  "tableName" : "",

  "columnName" : "",

  "resourcePath" : ""

  }

Drop role:

 {

 "serviceName" : "hiverServer1",

  "userName" : "hive",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "DROP_ROLE",

  "eventTime" : 1405027518637,

  "operationText" : "DROP ROLE testRole",

  "allowed" : "true",

  "objectType" : "ROLE",

  "databaseName" : "",

  "tableName" : "",

  "columnName" : "",

  "resourcePath" : ""

  }

Add role to group:

 {

 "serviceName" : "hiverServer1",

  "userName" : "hive",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "ADD_ROLE_TO_GROUP",

  "eventTime" : 1405027518637,

  "operationText" : "GRANT ROLE testRole TO GROUP testGroup",

  "allowed" : "true",

  "objectType" : "ROLE",

  "databaseName" : "",

  "tableName" : "",

  "columnName" : "",

  "resourcePath" : ""

  }

Delete role from group:

 {

 "serviceName" : "hiverServer1",

  "userName" : "hive",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "DELETE_ROLE_FROM_GROUP",

  "eventTime" : 1405027518637,

  "operationText" : "REVOKE ROLE testRole FROM GROUP testGroup",

  "allowed" : "true",

  "objectType" : "ROLE",

  "databaseName" : "",

  "tableName" : "",

  "columnName" : "",

  "resourcePath" : ""

  }

Grant privilege:

 {

 "serviceName" : "hiverServer1",

  "userName" : "hive",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "GRANT_PRIVILEGE",

  "eventTime" : 1405027518637,

  "operationText" : "GRANT ALL ON DATABASE testDB TO ROLE testRole",

  "allowed" : "true",

  "objectType" : "PRINCIPLE",

  "databaseName" : "testDB",

  "tableName" : "",

  "columnName" : "",

  "resourcePath" : ""

  }

Revoke privilege:

 {

 "serviceName" : "hiverServer1",

  "userName" : "hive",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "REVOKE_PRIVILEGE",

  "eventTime" : 1405027518637,

  "operationText" : "REVOKE ALL ON DATABASE testDB FROM ROLE testRole",

  "allowed" : "true",

  "objectType" : "PRINCIPLE",

  "databaseName" : "testDB",

  "tableName" : "",

  "columnName" : "",

  "resourcePath" : ""

  }

Audit log for generic model:

Create role:

{

  "serviceName" : "sentryService",

  "userName" : "user1",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "CREATE_ROLE",

  "eventTime" : 1405027518637,

  "operationText" : "CREATE ROLE testRole",

  "allowed" : "true",

  "objectType" : "ROLE",

  "component" : ""

  }

Drop role:

 {

 "serviceName" : "sentryService",

  "userName" : "user1",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "DROP_ROLE",

  "eventTime" : 1405027518637,

  "operationText" : "DROP ROLE testRole",

  "allowed" : "true",

  "objectType" : "ROLE",

  "component" : "

  }

Add role to group:

 {

 "serviceName" : "sentryService",

  "userName" : "user1",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "ADD_ROLE_TO_GROUP",

  "eventTime" : 1405027518637,

  "operationText" : "GRANT ROLE testRole TO GROUP testGroup",

  "allowed" : "true",

  "objectType" : "ROLE",

  "component" : ""

  }

Delete role from group:

 {

 "serviceName" : "sentryService",

  "userName" : "user1",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "DELETE_ROLE_FROM_GROUP",

  "eventTime" : 1405027518637,

  "operationText" : "REVOKE ROLE testRole FROM GROUP testGroup",

  "allowed" : "true",

  "objectType" : "ROLE",

  "component" : ""

  }

Grant privilege:

 {

 "serviceName" : "sentryService",

  "userName" : "user1",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "GRANT_PRIVILEGE",

  "eventTime" : 1405027518637,

  "operationText" : "GRANT UPDATE ON collection testCol TO ROLE testRole",

  "allowed" : "true",

  "objectType" : "PRINCIPLE",

  "collection" : "testCol ",

  "component" : "solr"

  }

Revoke privilege:

 {

 "serviceName" : "sentryService",

  "userName" : "user1",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "REVOKE_PRIVILEGE",

  "eventTime" : 1405027518637,

  "operationText" : "REVOKE UPDATE ON collection testCol FROM ROLE testRole",

  "allowed" : "true",

  "objectType" : "PRINCIPLE",

  "collection" : "testCol ",

  "component" : "solr"

  }

 

  • No labels