Skip to end of metadata
Go to start of metadata

The Sentry audit log is responsible for logging the authorization metadata change, the following operations will be logged:

create role, drop role, add role to group, delete role from group, grant privilege, revoke privilege.

Configuration

The audit log can be configured in the log4j.properties:

Audit log for Hive Model:

  log4j.logger.sentry.hive.authorization.ddl.logger=INFO, sentryHiveAudit

  log4j.appender.sentryHiveAudit=org.apache.sentry.provider.db.log.appender.RollingFileWithoutDeleteAppender   # set the appender class

  log4j.appender.sentryHiveAudit.File=/var/log/sentry/sentryHiveAudit.log          # set the log file location

  log4j.appender.sentryHiveAudit.MaxFileSize=5MB                                           # set the max size for the log file

  log4j.appender.sentryHiveAudit.layout= org.apache.log4j.PatternLayout         # set the layout class

  log4j.appender.sentryHiveAudit.layout.ConversionPattern=%m%n                  # set the message format

Audit log for generic model:

  log4j.logger.sentry.generic.authorization.ddl.logger=INFO, sentryGenericAudit

  log4j.appender.sentryGenericAudit.File=/var/log/sentry/sentryGenericAudit.log    # set the log file location

  log4j.appender.sentryGenericAudit.MaxFileSize=5MB                                           # set the max size for the log file

  log4j.appender.sentryGenericAudit.layout= org.apache.log4j.PatternLayout         # set the layout class

  log4j.appender.sentryGenericAudit.layout.ConversionPattern=%m%n                  # set the message format

Format

The audit log is generated with log4j and in json format, the following are the examples for Hive model and Generic model:

Audit log for Hive model:

Create role:

 {

 "serviceName" : "hiverServer1",

  "userName" : "hive",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "CREATE_ROLE",

  "eventTime" : 1405027518637,

  "operationText" : "CREATE ROLE testRole",

  "allowed" : "true",

  "objectType" : "ROLE",

  "databaseName" : "",

  "tableName" : "",

  "columnName" : "",

  "resourcePath" : ""

  }

Drop role:

 {

 "serviceName" : "hiverServer1",

  "userName" : "hive",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "DROP_ROLE",

  "eventTime" : 1405027518637,

  "operationText" : "DROP ROLE testRole",

  "allowed" : "true",

  "objectType" : "ROLE",

  "databaseName" : "",

  "tableName" : "",

  "columnName" : "",

  "resourcePath" : ""

  }

Add role to group:

 {

 "serviceName" : "hiverServer1",

  "userName" : "hive",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "ADD_ROLE_TO_GROUP",

  "eventTime" : 1405027518637,

  "operationText" : "GRANT ROLE testRole TO GROUP testGroup",

  "allowed" : "true",

  "objectType" : "ROLE",

  "databaseName" : "",

  "tableName" : "",

  "columnName" : "",

  "resourcePath" : ""

  }

Delete role from group:

 {

 "serviceName" : "hiverServer1",

  "userName" : "hive",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "DELETE_ROLE_FROM_GROUP",

  "eventTime" : 1405027518637,

  "operationText" : "REVOKE ROLE testRole FROM GROUP testGroup",

  "allowed" : "true",

  "objectType" : "ROLE",

  "databaseName" : "",

  "tableName" : "",

  "columnName" : "",

  "resourcePath" : ""

  }

Grant privilege:

 {

 "serviceName" : "hiverServer1",

  "userName" : "hive",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "GRANT_PRIVILEGE",

  "eventTime" : 1405027518637,

  "operationText" : "GRANT ALL ON DATABASE testDB TO ROLE testRole",

  "allowed" : "true",

  "objectType" : "PRINCIPLE",

  "databaseName" : "testDB",

  "tableName" : "",

  "columnName" : "",

  "resourcePath" : ""

  }

Revoke privilege:

 {

 "serviceName" : "hiverServer1",

  "userName" : "hive",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "REVOKE_PRIVILEGE",

  "eventTime" : 1405027518637,

  "operationText" : "REVOKE ALL ON DATABASE testDB FROM ROLE testRole",

  "allowed" : "true",

  "objectType" : "PRINCIPLE",

  "databaseName" : "testDB",

  "tableName" : "",

  "columnName" : "",

  "resourcePath" : ""

  }

Audit log for generic model:

Create role:

{

  "serviceName" : "sentryService",

  "userName" : "user1",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "CREATE_ROLE",

  "eventTime" : 1405027518637,

  "operationText" : "CREATE ROLE testRole",

  "allowed" : "true",

  "objectType" : "ROLE",

  "component" : ""

  }

Drop role:

 {

 "serviceName" : "sentryService",

  "userName" : "user1",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "DROP_ROLE",

  "eventTime" : 1405027518637,

  "operationText" : "DROP ROLE testRole",

  "allowed" : "true",

  "objectType" : "ROLE",

  "component" : "

  }

Add role to group:

 {

 "serviceName" : "sentryService",

  "userName" : "user1",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "ADD_ROLE_TO_GROUP",

  "eventTime" : 1405027518637,

  "operationText" : "GRANT ROLE testRole TO GROUP testGroup",

  "allowed" : "true",

  "objectType" : "ROLE",

  "component" : ""

  }

Delete role from group:

 {

 "serviceName" : "sentryService",

  "userName" : "user1",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "DELETE_ROLE_FROM_GROUP",

  "eventTime" : 1405027518637,

  "operationText" : "REVOKE ROLE testRole FROM GROUP testGroup",

  "allowed" : "true",

  "objectType" : "ROLE",

  "component" : ""

  }

Grant privilege:

 {

 "serviceName" : "sentryService",

  "userName" : "user1",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "GRANT_PRIVILEGE",

  "eventTime" : 1405027518637,

  "operationText" : "GRANT UPDATE ON collection testCol TO ROLE testRole",

  "allowed" : "true",

  "objectType" : "PRINCIPLE",

  "collection" : "testCol ",

  "component" : "solr"

  }

Revoke privilege:

 {

 "serviceName" : "sentryService",

  "userName" : "user1",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "REVOKE_PRIVILEGE",

  "eventTime" : 1405027518637,

  "operationText" : "REVOKE UPDATE ON collection testCol FROM ROLE testRole",

  "allowed" : "true",

  "objectType" : "PRINCIPLE",

  "collection" : "testCol ",

  "component" : "solr"

  }

 

  • No labels