The Sentry audit log records changes to authorization metadata; the following operations are logged:
create role, drop role, add role to group, delete role from group, grant privilege, revoke privilege.
Configuration
The audit log is configured in log4j.properties. The trailing `# ...` text on the lines below is explanatory only: in a .properties file a `#` comment is recognised only at the start of a line, so a trailing `# ...` would become part of the value and must be removed before the lines are used:
Audit log for Hive Model:
log4j.logger.sentry.hive.authorization.ddl.logger=INFO, sentryHiveAudit
log4j.appender.sentryHiveAudit=org.apache.sentry.provider.db.log.appender.RollingFileWithoutDeleteAppender # set the appender class
log4j.appender.sentryHiveAudit.File=/var/log/sentry/sentryHiveAudit.log # set the log file location
log4j.appender.sentryHiveAudit.MaxFileSize=5MB # set the max size for the log file
log4j.appender.sentryHiveAudit.layout= org.apache.log4j.PatternLayout # set the layout class
log4j.appender.sentryHiveAudit.layout.ConversionPattern=%m%n # set the message format
Audit log for generic model (the appender class line is required here as well, exactly as in the Hive example above):
log4j.logger.sentry.generic.authorization.ddl.logger=INFO, sentryGenericAudit
log4j.appender.sentryGenericAudit=org.apache.sentry.provider.db.log.appender.RollingFileWithoutDeleteAppender # set the appender class
log4j.appender.sentryGenericAudit.File=/var/log/sentry/sentryGenericAudit.log # set the log file location
log4j.appender.sentryGenericAudit.MaxFileSize=5MB # set the max size for the log file
log4j.appender.sentryGenericAudit.layout= org.apache.log4j.PatternLayout # set the layout class
log4j.appender.sentryGenericAudit.layout.ConversionPattern=%m%n # set the message format
Format
The audit log is written through log4j in JSON format; the following are examples for the Hive model and the generic model:
Audit log for Hive model:
Create role:
{
"serviceName" : "hiverServer1",
"userName" : "hive",
"impersonator" : "impersonator",
"ipAddress" : "127.0.0.1",
"operation" : "CREATE_ROLE",
"eventTime" : 1405027518637,
"operationText" : "CREATE ROLE testRole",
"allowed" : "true",
"objectType" : "ROLE",
"databaseName" : "",
"tableName" : "",
"columnName" : "",
"resourcePath" : ""
}
Drop role:
{
"serviceName" : "hiverServer1",
"userName" : "hive",
"impersonator" : "impersonator",
"ipAddress" : "127.0.0.1",
"operation" : "DROP_ROLE",
"eventTime" : 1405027518637,
"operationText" : "DROP ROLE testRole",
"allowed" : "true",
"objectType" : "ROLE",
"databaseName" : "",
"tableName" : "",
"columnName" : "",
"resourcePath" : ""
}
Add role to group:
{
"serviceName" : "hiverServer1",
"userName" : "hive",
"impersonator" : "impersonator",
"ipAddress" : "127.0.0.1",
"operation" : "ADD_ROLE_TO_GROUP",
"eventTime" : 1405027518637,
"operationText" : "GRANT ROLE testRole TO GROUP testGroup",
"allowed" : "true",
"objectType" : "ROLE",
"databaseName" : "",
"tableName" : "",
"columnName" : "",
"resourcePath" : ""
}
Delete role from group:
{
"serviceName" : "hiverServer1",
"userName" : "hive",
"impersonator" : "impersonator",
"ipAddress" : "127.0.0.1",
"operation" : "DELETE_ROLE_FROM_GROUP",
"eventTime" : 1405027518637,
"operationText" : "REVOKE ROLE testRole FROM GROUP testGroup",
"allowed" : "true",
"objectType" : "ROLE",
"databaseName" : "",
"tableName" : "",
"columnName" : "",
"resourcePath" : ""
}
Grant privilege:
{
"serviceName" : "hiverServer1",
"userName" : "hive",
"impersonator" : "impersonator",
"ipAddress" : "127.0.0.1",
"operation" : "GRANT_PRIVILEGE",
"eventTime" : 1405027518637,
"operationText" : "GRANT ALL ON DATABASE testDB TO ROLE testRole",
"allowed" : "true",
"objectType" : "PRINCIPLE",
"databaseName" : "testDB",
"tableName" : "",
"columnName" : "",
"resourcePath" : ""
}
Revoke privilege:
{
"serviceName" : "hiverServer1",
"userName" : "hive",
"impersonator" : "impersonator",
"ipAddress" : "127.0.0.1",
"operation" : "REVOKE_PRIVILEGE",
"eventTime" : 1405027518637,
"operationText" : "REVOKE ALL ON DATABASE testDB FROM ROLE testRole",
"allowed" : "true",
"objectType" : "PRINCIPLE",
"databaseName" : "testDB",
"tableName" : "",
"columnName" : "",
"resourcePath" : ""
}
Audit log for generic model:
Create role:
{
"serviceName" : "sentryService",
"userName" : "user1",
"impersonator" : "impersonator",
"ipAddress" : "127.0.0.1",
"operation" : "CREATE_ROLE",
"eventTime" : 1405027518637,
"operationText" : "CREATE ROLE testRole",
"allowed" : "true",
"objectType" : "ROLE",
"component" : ""
}
Drop role:
{
"serviceName" : "sentryService",
"userName" : "user1",
"impersonator" : "impersonator",
"ipAddress" : "127.0.0.1",
"operation" : "DROP_ROLE",
"eventTime" : 1405027518637,
"operationText" : "DROP ROLE testRole",
"allowed" : "true",
"objectType" : "ROLE",
"component" : ""
}
Add role to group:
{
"serviceName" : "sentryService",
"userName" : "user1",
"impersonator" : "impersonator",
"ipAddress" : "127.0.0.1",
"operation" : "ADD_ROLE_TO_GROUP",
"eventTime" : 1405027518637,
"operationText" : "GRANT ROLE testRole TO GROUP testGroup",
"allowed" : "true",
"objectType" : "ROLE",
"component" : ""
}
Delete role from group:
{
"serviceName" : "sentryService",
"userName" : "user1",
"impersonator" : "impersonator",
"ipAddress" : "127.0.0.1",
"operation" : "DELETE_ROLE_FROM_GROUP",
"eventTime" : 1405027518637,
"operationText" : "REVOKE ROLE testRole FROM GROUP testGroup",
"allowed" : "true",
"objectType" : "ROLE",
"component" : ""
}
Grant privilege:
{
"serviceName" : "sentryService",
"userName" : "user1",
"impersonator" : "impersonator",
"ipAddress" : "127.0.0.1",
"operation" : "GRANT_PRIVILEGE",
"eventTime" : 1405027518637,
"operationText" : "GRANT UPDATE ON collection testCol TO ROLE testRole",
"allowed" : "true",
"objectType" : "PRINCIPLE",
"collection" : "testCol ",
"component" : "solr"
}
Revoke privilege:
{
"serviceName" : "sentryService",
"userName" : "user1",
"impersonator" : "impersonator",
"ipAddress" : "127.0.0.1",
"operation" : "REVOKE_PRIVILEGE",
"eventTime" : 1405027518637,
"operationText" : "REVOKE UPDATE ON collection testCol FROM ROLE testRole",
"allowed" : "true",
"objectType" : "PRINCIPLE",
"collection" : "testCol ",
"component" : "solr"
}