Service Audit Events
Service audit events are the events generated by a given service running on the cluster. Users with the appropriate permissions (Auditing Viewer, Full Administrator) can view audit events in the Cloudera Navigator console or by using the APIs. Audit events can include the fields listed in the tables below. The field names differ between the Navigator API and the events as they appear when streaming to Kafka or syslog.
The Cloudera Navigator console Audits includes events collected by Cloudera Manager: service lifecycle events (activate, create, delete, deploy, download, install, start, stop, update, upgrade, and so on) and user security-related events (add and delete user, login failed and succeeded). See Lifecycle and Security Auditing for more details on Cloudera Manager audit events.
Display Name | Field in API | Field in Streaming | Description |
---|---|---|---|
Additional Info | additional_info | additionalInfo | JSON text that contains more details about an operation performed on entities in Navigator Metadata Server. |
Allowed | allowed | allowed | Indicates whether the request to perform an operation failed or succeeded. A failure occurs if the user is not authorized to perform the action. |
Collection Name | collection_name | collectionName | The name of the affected Solr collection. |
Database Name | database_name | db; databaseName (Sentry) | For Sentry, Hive, and Impala, the name of the database on which the operation was performed. |
Delegation Token ID | delegation_token_id | delegationTokenId | Delegation token identifier generated by HDFS NameNode that is then used by clients when submitting a job to JobTracker. |
Destination | dest | dst | Path of the final location of an HDFS file in a rename or move operation. |
Entity ID | entity_id | entityId | Identifier of a Navigator Metadata Server entity. The ID can be retrieved using the Navigator Metadata Server API. |
Event Time | timestamp | time | Date and time an action was performed. The Navigator Audit Server stores the timestamp in the timezone of the Navigator Audit Server. The Cloudera Navigator console displays the timestamp converted to the local timezone. Exported audit events contain the stored timestamp. |
Family | family | family | HBase column family. |
Impersonator | impersonator | impersonator | Name of user (service) that invokes an action on behalf of another user (service). Impersonator field always displays values when Sentry is not used with the cluster. For clusters that use Sentry, the Impersonator field displays values for all services other than Hive. |
IP Address | ipAddress | ip | The IP address of the host where an action occurred. |
Object Type | object_type | objType; objectType (Sentry) | For Sentry, Hive, and Impala, the type of the object (TABLE, VIEW, DATABASE) on which the operation was performed. |
Operation | command | op | Commands executed by component. See Operations by Component for details. For Cloudera Navigator operations, see Navigator Metadata Server Sub Operations. |
Operation Params | operation_params | operationParams | Solr query or update parameters used when performing the action. |
Operation Text | operation_text | opText; operationText (Sentry) | For Sentry, Hive, and Impala, the SQL query that was executed by the user. For Hue, the user or group that was added, edited, or deleted. |
Permissions | permissions | perms | HDFS permission of the file or directory on which the HDFS operation was performed. |
Privilege | privilege | privilege | Privilege needed to perform an Impala operation. |
Qualifier | qualifier | qualifier | HBase column qualifier. |
Query ID | query_id | — | The query ID for an Impala operation. (Internal use only) |
Resource | resource | — | A service-dependent combination of multiple fields generated during fetch. This field is not supported for filtering as it is not persisted. |
Resource Path | resource_path | path; resourcePath (Sentry) | HDFS URL of Hive objects (TABLE, VIEW, DATABASE, and so on). Used for HDFS, Sentry. |
Service Name | service | service | The name of the service that performed the action. |
Session ID | session_id | — | Impala session ID. (Internal use only) |
Solr Version | solr_version | solrVersion | Solr version number. |
Source | src | src | Path of the HDFS file or directory present in an HDFS operation. |
Status | status | status | Status of an Impala operation providing more information on success or failure. |
Stored Object Name | stored_object_name | name | Name of a policy, saved search, or audit report in Navigator Metadata Server. |
Sub Operation | sub_operation | subOperation | Operations performed by Navigator Metadata Server are identified by subsystem (authorization, auditing, for example) and by sub-operation within that subsystem. See Navigator Metadata Server Sub Operations for details. |
Table Name | table_name | table; tableName (Sentry) | For Sentry, HBase, Hive, and Impala, the name of the table on which the action was performed. |
Url | url | Hue only. The URL for the Hue page or API that triggered the event. | |
Usage Type | objUsageType | Hive only. | |
Username | username | user | The name of the user that performed the action. |
Operations by Component
Component | Action taken |
---|---|
HBase | addColumn, append, assign, balance, balanceSwitch, checkAndDelete, checkAndPut, compact, compactSelection, createTable, delete, deleteColumn, deleteTable, disableTable, enableTable, exists, flush, get, getClosestRowBefore, grant, increment, incrementColumnValue, modifyColumn, modifyTable, move, put, revoke, scannerOpen, shutdown, split, stopMaster, unassign |
HDFS | append, concat, create, createSymlink, delete, fsck, getfacl*, getfileinfo, listEncryptionZones, listSnapshottableDirectory, listStatus, mkdirs, open, rename, setfacl*, setOwner, setPermission, setReplication, setTimes |
HiveServer2 /Beeline | ALTER_PARTITION_MERGE, ALTER_TABLE_MERGE, ALTERDATABASE, ALTERINDEX_PROPS, ALTERINDEX_REBUILD, ALTERPARTITION_FILEFORMAT, ALTERPARTITION_LOCATION, ALTERPARTITION_PROTECTMODE, ALTERPARTITION_SERDEPROPERTIES, ALTERPARTITION_SERIALIZER, ALTERTABLE_ADDCOLS, ALTERTABLE_ADDPARTS, ALTERTABLE_ARCHIVE, ALTERTABLE_CLUSTER_SORT, ALTERTABLE_DROPPARTS, ALTERTABLE_FILEFORMAT, ALTERTABLE_LOCATION, ALTERTABLE_PROPERTIES, ALTERTABLE_PROTECTMODE, ALTERTABLE_RENAME, ALTERTABLE_RENAMECOL, ALTERTABLE_RENAMEPART, ALTERTABLE_REPLACECOLS, ALTERTABLE_SERDEPROPERTIES, ALTERTABLE_SERIALIZER, ALTERTABLE_TOUCH, ALTERTABLE_UNARCHIVE, ALTERVIEW_PROPERTIES, CREATEDATABASE, CREATEFUNCTION, CREATEINDEX, CREATEROLE, CREATETABLE_AS_SELECT, CREATETABLE, CREATEVIEW, DESCDATABASE, DESCFUNCTION, DESCTABLE, DROPDATABASE, DROPFUNCTION, DROPINDEX, DROPROLE, DROPTABLE, DROPVIEW, EXPLAIN, EXPORT, GRANT_PRIVILEGE, GRANT_ROLE, IMPORT, LOAD, LOCKTABLE, MSCK, QUERY, REVOKE_PRIVILEGE, REVOKE_ROLE, SHOW_GRANT, SHOW_ROLE_GRANT, SHOW_TABLESTATUS, SHOW_TBLPROPERTIES, SHOWDATABASES, SHOWFUNCTIONS, SHOWINDEXES, SHOWLOCKS, SHOWPARTITIONS, SHOWTABLES, SWITCHDATABASE, UNLOCKTABLE |
Hue | ADD_LDAP_GROUPS, ADD_LDAP_USERS, CREATE_GROUP, CREATE_USER, DELETE_GROUP, DELETE_USER, DOWNLOAD, EDIT_GROUP, EDIT_PERMISSION, EDIT_USER, EXPORT, NAVIGATOR_ADD_TAG, NAVIGATOR_DELETE_TAG, SYNC_LDAP_USERS_GROUPS, USER_LOGIN, USER_LOGOUT |
Impala | CREATE ROLE, DELETE, DROP ROLE, GRANT privilege, GRANT ROLE, INSERT, Query, REVOKE privilege, REVOKE ROLE, SHOW GRANT ROLE, SHOW ROLE GRANT, UPDATE, Data Manipulation Language statements |
Sentry | ADD_ROLE_TO_GROUP, CREATE_ROLE, DELETE_ROLE_FROM_GROUP, DROP_ROLE, GRANT_PRIVILEGE, REVOKE_PRIVILEGE |
Solr | add, commit, CREATE, CREATEALIAS, CREATESHARD, DELETE, DELETEALIAS, deleteById, deleteByQuery, DELETESHARD, finish, LIST, LOAD_ON_STARTUP, LOAD, MERGEINDEXES, PERSIST, PREPRECOVERY, query, RELOAD, RENAME, REQUESTAPPLYUPDATES, REQUESTRECOVERY, REQUESTSYNCSHARD, rollback, SPLIT, SPLITSHARD, STATUS, SWAP, SYNCSHARD, TRANSIENT, UNLOAD |
HDFS Audit Logging for ACL Operations
Command | Option | Audit Event |
---|---|---|
getfacl | — | getAclStatus |
setfacl | --b | removeAcl |
setfacl | --k | removeDefaultAcl |
setfacl | --m | modifyAclEntries |
setfacl | --x | removeAclEntries |
setfacl | --set | setAcl |
There is a difference in audit logging behavior based on how the ACL operations are run:
- Over FileSystem ACL APIs, all setfacl and getfacl operations produce audit log events.
- Over FsShell (that is, hadoop fs or hdfs dfs command lines):
  - All setfacl operations produce audit log events.
  - getfacl operations produce audit log events only if the file has ACLs set.
That is, setfacl operations always produce audit log events and getfacl operations always produce audit log events when ACLs are set.
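The field table and the ACL and Sentry operation lists above can drive a simple triage pass over streamed events. The following is an added example, not Cloudera code: it renames streaming field names to their API names and flags denied requests, HDFS ACL changes, and Sentry role or privilege changes. It assumes each streamed event is one JSON object per line and that the `op` field carries the ACL audit event name; the sample events are constructed.

```python
import json

# Streaming (Kafka/syslog) name -> API name, from the field table; shared names pass through.
STREAM_TO_API = {
    "additionalInfo": "additional_info", "collectionName": "collection_name",
    "db": "database_name", "databaseName": "database_name",
    "delegationTokenId": "delegation_token_id", "dst": "dest",
    "entityId": "entity_id", "time": "timestamp", "ip": "ipAddress",
    "objType": "object_type", "objectType": "object_type", "op": "command",
    "operationParams": "operation_params", "opText": "operation_text",
    "operationText": "operation_text", "perms": "permissions",
    "path": "resource_path", "resourcePath": "resource_path",
    "solrVersion": "solr_version", "name": "stored_object_name",
    "subOperation": "sub_operation", "table": "table_name",
    "tableName": "table_name", "user": "username",
}
# setfacl audit events from the ACL table, and the Sentry operations list.
ACL_CHANGES = {"removeAcl", "removeDefaultAcl", "modifyAclEntries",
               "removeAclEntries", "setAcl"}
SENTRY_CHANGES = {"ADD_ROLE_TO_GROUP", "CREATE_ROLE", "DELETE_ROLE_FROM_GROUP",
                  "DROP_ROLE", "GRANT_PRIVILEGE", "REVOKE_PRIVILEGE"}

def normalize(event):
    """Rename streaming keys to their API names so one rule set fits both."""
    return {STREAM_TO_API.get(key, key): value for key, value in event.items()}

def triage(lines):
    findings = []
    for line in lines:
        event = normalize(json.loads(line))
        reasons = []
        # Assumption: 'allowed' is a JSON boolean or the string "true"/"false".
        if str(event.get("allowed")).lower() == "false":
            reasons.append("denied")
        if event.get("command") in ACL_CHANGES:
            reasons.append("acl_change")
        if event.get("command") in SENTRY_CHANGES:
            reasons.append("privilege_change")
        if reasons:
            findings.append((event.get("username"), event.get("command"), reasons))
    return findings

# Constructed sample events; real payloads may carry more fields.
SAMPLE = [
    '{"service": "HDFS-1", "user": "alice", "op": "modifyAclEntries", "src": "/data/finance", "allowed": "true", "ip": "192.0.2.5"}',
    '{"service": "HDFS-1", "user": "bob", "op": "open", "src": "/data/finance/q1.csv", "allowed": "false", "ip": "192.0.2.9"}',
    '{"service": "sentry", "user": "carol", "op": "GRANT_PRIVILEGE", "databaseName": "sales", "allowed": true}',
    '{"service": "HDFS-1", "user": "dave", "op": "listStatus", "src": "/tmp", "allowed": "true"}',
]
```

Because getfacl over FsShell is audited only when the file has ACLs set, the absence of getAclStatus events does not show that ACLs were never read.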
Navigator Metadata Server Sub Operations
Operation | Sub Operation |
---|---|
auditReport | createAuditReport, deleteAuditReport, fetchAllReports, updateAuditReport |
authorization | deleteGroup, fetchGroup, fetchRoles, searchGroup, updateRoles |
metadata | fetchAllMetadata, fetchMetadata, updateMetadata |
policy | createPolicy, deletePolicy, deletePolicySchedule, fetchAllPolicies, fetchPolicySchedule, updatePolicy, updatePolicySchedule |
savedSearch | createSavedSearch, deleteSavedSearch, fetchAllSavedSearches, fetchSavedSearch, updateSavedSearch |