The Sentry audit log is responsible for logging the authorization metadata change, the following operations will be logged:
create role, drop role, add role to group, delete role from group, grant privilege to role, revoke privilege from role.
Format
The audit log is generated with log4j and in json format, the following are the examples for Hive model and Generic model:
Audit log for Hive model:
{
"serviceName" : "hiverServer1",
"userName" : "hive",
"impersonator" : "impersonator",
"ipAddress" : "127.0.0.1",
"operation" : "GRANT_ROLE",
"eventTime" : 1405027518637,
"operationText" : "GRANT ROLE admin_role TO GROUP admin_group",
"allowed" : "true",
"objectType" : "ROLE",
"databaseName" : "",
"tableName" : "",
"columnName" : "",
"resourcePath" : ""
}
Audit log for generic model:
{
"serviceName" : "sentryService",
"userName" : "user1",
"impersonator" : "impersonator",
"ipAddress" : "127.0.0.1",
"operation" : "GRANT_PRIVILEGE",
"eventTime" : 1405027518637,
"operationText" : "GRANT ALL ON collection col TO ROLE role1",
"allowed" : "true",
"objectType" : "PRICIPLE",
"component" : "SOLR",
"collection" : "col "
}
Configuration
The audit log can be configured in the log4j.properties:
Audit log for Hive Model:
log4j.logger.sentry.hive.authorization.ddl.logger=INFO, sentryHiveAudit
log4j.appender.sentryHiveAudit=org.apache.sentry.provider.db.log.appender.RollingFileWithoutDeleteAppender # set the appender class
log4j.appender.sentryHiveAudit.File=/var/log/sentry/sentryHiveAudit.log # set the log file location
log4j.appender.sentryHiveAudit.MaxFileSize=5MB # set the max size for the log file
log4j.appender.sentryHiveAudit.layout= org.apache.log4j.PatternLayout # set the layout class
log4j.appender.sentryHiveAudit.layout.ConversionPattern=%m%n # set the message format
Audit log for generic model:
log4j.logger.sentry.generic.authorization.ddl.logger=INFO, sentryGenericAudit
log4j.appender.sentryGenericAudit.File=/var/log/sentry/sentryGenericAudit.log # set the log file location
log4j.appender.sentryGenericAudit.MaxFileSize=5MB # set the max size for the log file
log4j.appender.sentryGenericAudit.layout= org.apache.log4j.PatternLayout # set the layout class
log4j.appender.sentryGenericAudit.layout.ConversionPattern=%m%n # set the message format