...

create role, drop role, add role to group, delete role from group, grant privilege to role, revoke privilege from role., revoke privilege.

Configuration

The audit log can be configured in the log4j.properties file (the trailing `# ...` annotations in the examples below are explanatory only; a Java properties file treats `#` as a comment only at the start of a line, so do not copy them onto the property values):

Audit log for Hive Model:

  log4j.logger.sentry.hive.authorization.ddl.logger=INFO, sentryHiveAudit

  log4j.appender.sentryHiveAudit=org.apache.sentry.provider.db.log.appender.RollingFileWithoutDeleteAppender   # set the appender class

  log4j.appender.sentryHiveAudit.File=/var/log/sentry/sentryHiveAudit.log          # set the log file location

  log4j.appender.sentryHiveAudit.MaxFileSize=5MB                                           # set the max size for the log file

  log4j.appender.sentryHiveAudit.layout= org.apache.log4j.PatternLayout         # set the layout class

  log4j.appender.sentryHiveAudit.layout.ConversionPattern=%m%n                  # set the message format

Audit log for generic model:

  log4j.logger.sentry.generic.authorization.ddl.logger=INFO, sentryGenericAudit

  log4j.appender.sentryGenericAudit.File=/var/log/sentry/sentryGenericAudit.log    # set the log file location

  log4j.appender.sentryGenericAudit.MaxFileSize=5MB                                           # set the max size for the log file

  log4j.appender.sentryGenericAudit.layout= org.apache.log4j.PatternLayout         # set the layout class

  log4j.appender.sentryGenericAudit.layout.ConversionPattern=%m%n                  # set the message format

Format

The audit log is generated with log4j in JSON format; the following are examples for the Hive model and the Generic model:

Audit log for Hive model:

Create role:

 {

 "serviceName" : "hiverServer1",

...

  "ipAddress" : "127.0.0.1",

  "operation" : "GRANTCREATE_ROLE",

  "eventTime" : 1405027518637,

  "operationText" : "CREATE ROLE testRole",

  "allowed" : "true",

  "objectType" : "ROLE",

  "databaseName" : "",

  "tableName" : "",

  "columnName" : "",

  "resourcePath" : ""

  }

Drop role:

 {

 "serviceName" : "hiverServer1",

  "userName" : "hive",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "DROP_ROLE",

  "eventTime" : 1405027518637,

  "operationText" : "DROP ROLE testRole "GRANT ROLE admin_role TO GROUP admin_group",

  "allowed" : "true",

  "objectType" : "ROLE",

...

  "columnName" : "",

  "resourcePath" : ""

  }Audit log for generic model

Add role to group:

 {

 "serviceName" : "sentryServicehiverServer1",

  "userName" : "user1hive",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "GRANT_PRIVILEGEADD_ROLE_TO_GROUP",

  "eventTime" :  14050275186371405027518637,

  "operationText" : "GRANT ALL ON collection col TO ROLE role1ROLE testRole TO GROUP testGroup",

  "allowed" : "true",

  "objectType" : "ROLE",

  "databaseName" : "",

  "tableName" : "PRICIPLE",

  "componentcolumnName" : "SOLR",

  "collectionresourcePath" : "col "

  }

Configuration

The audit log can be configured in the log4j.properties:

Audit log for Hive Model:

  log4j.logger.sentry.hive.authorization.ddl.logger=INFO, sentryHiveAudit

  log4j.appender.sentryHiveAudit=org.apache.sentry.provider.db.log.appender.RollingFileWithoutDeleteAppender   # set the appender class

  log4j.appender.sentryHiveAudit.File=/var/log/sentry/sentryHiveAudit.log          # set the log file location

  log4j.appender.sentryHiveAudit.MaxFileSize=5MB                                           # set the max size for the log file

  log4j.appender.sentryHiveAudit.layout= org.apache.log4j.PatternLayout         # set the layout class

  log4j.appender.sentryHiveAudit.layout.ConversionPattern=%m%n                  # set the message format

Audit log for generic model:

  log4j.logger.sentry.generic.authorization.ddl.logger=INFO, sentryGenericAudit

  log4j.appender.sentryGenericAudit.File=/var/log/sentry/sentryGenericAudit.log    # set the log file location

  log4j.appender.sentryGenericAudit.MaxFileSize=5MB                                           # set the max size for the log file

  log4j.appender.sentryGenericAudit.layout= org.apache.log4j.PatternLayout         # set the layout class

Delete role from group:

 {

 "serviceName" : "hiverServer1",

  "userName" : "hive",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "DELETE_ROLE_FROM_GROUP",

  "eventTime" : 1405027518637,

  "operationText" : "REVOKE ROLE testRole FROM GROUP testGroup",

  "allowed" : "true",

  "objectType" : "ROLE",

  "databaseName" : "",

  "tableName" : "",

  "columnName" : "",

  "resourcePath" : ""

  }

Grant privilege:

 {

 "serviceName" : "hiverServer1",

  "userName" : "hive",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "GRANT_PRIVILEGE",

  "eventTime" : 1405027518637,

  "operationText" : "GRANT ALL ON DATABASE testDB TO ROLE testRole",

  "allowed" : "true",

  "objectType" : "PRINCIPLE",

  "databaseName" : "testDB",

  "tableName" : "",

  "columnName" : "",

  "resourcePath" : ""

  }

Revoke privilege:

 {

 "serviceName" : "hiverServer1",

  "userName" : "hive",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "REVOKE_PRIVILEGE",

  "eventTime" : 1405027518637,

  "operationText" : "REVOKE ALL ON DATABASE testDB FROM ROLE testRole",

  "allowed" : "true",

  "objectType" : "PRINCIPLE",

  "databaseName" : "testDB",

  "tableName" : "",

  "columnName" : "",

  "resourcePath" : ""

  }

Audit log for generic model:

Create role:

{

  "serviceName" : "sentryService",

  "userName" : "user1",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "CREATE_ROLE",

  "eventTime" : 1405027518637,

  "operationText" : "CREATE ROLE testRole",

  "allowed" : "true",

  "objectType" : "ROLE",

  "component" : ""

  }

Drop role:

 {

 "serviceName" : "sentryService",

  "userName" : "user1",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "DROP_ROLE",

  "eventTime" : 1405027518637,

  "operationText" : "DROP ROLE testRole",

  "allowed" : "true",

  "objectType" : "ROLE",

  "component" : ""

  }

Add role to group:

 {

 "serviceName" : "sentryService",

  "userName" : "user1",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "ADD_ROLE_TO_GROUP",

  "eventTime" : 1405027518637,

  "operationText" : "GRANT ROLE testRole TO GROUP testGroup",

  "allowed" : "true",

  "objectType" : "ROLE",

  "component" : ""

  }

Delete role from group:

 {

 "serviceName" : "sentryService",

  "userName" : "user1",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "DELETE_ROLE_FROM_GROUP",

  "eventTime" : 1405027518637,

  "operationText" : "REVOKE ROLE testRole FROM GROUP testGroup",

  "allowed" : "true",

  "objectType" : "ROLE",

  "component" : ""

  }

Grant privilege:

 {

 "serviceName" : "sentryService",

  "userName" : "user1",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "GRANT_PRIVILEGE",

  "eventTime" : 1405027518637,

  "operationText" : "GRANT UPDATE ON collection testCol TO ROLE testRole",

  "allowed" : "true",

  "objectType" : "PRINCIPLE",

  "collection" : "testCol ",

  "component" : "solr"

  }

Revoke privilege:

 {

 "serviceName" : "sentryService",

  "userName" : "user1",

  "impersonator" : "impersonator",

  "ipAddress" : "127.0.0.1",

  "operation" : "REVOKE_PRIVILEGE",

  "eventTime" : 1405027518637,

  "operationText" : "REVOKE UPDATE ON collection testCol FROM ROLE testRole",

  "allowed" : "true",

  "objectType" : "PRINCIPLE",

  "collection" : "testCol ",

  "component" : "solr"

  }  log4j.appender.sentryGenericAudit.layout.ConversionPattern=%m%n                  # set the message format