Auditing with Sentry

ArcEngine uses Cloudera Sentry's audit logging feature to record user access events on database objects.

Availability Note. This feature relates to Cloudera installations accessed through Arcadia Engine connections. See Arcadia Connections.

Auditing with Cloudera Sentry lets ArcEngine log user access events on database objects. Sentry is Cloudera's designated authorization provider.

Target Object Identification

ArcEngine generates audit log entries for the objects referenced directly in the statement the user supplies, not for objects introduced by internal query rewriting. Consider these examples:

  • If a user runs the following statement:

    SELECT max(i) FROM test_table;

    and ArcEngine rewrites it to use an analytical view:

    SELECT max_finalize(c1) FROM test_table_av;

    Then the audit log shows access only to the table test_table, not to the analytical view test_table_av.

  • If the originating statement selects directly from the analytical view:

    SELECT max_finalize(c1) FROM test_table_av;

    Then the audit log shows access to test_table_av, because the user's original statement references the analytical view.

  • If a user performs operations directly on the analytical view:

    DROP ANALYTICAL VIEW test_table_av;

    Then the audit log shows that the DROP is against test_table_av, even though the authorization check is actually performed against the base table test_table.

Enabling Auditing

To enable Sentry audit logging, start each arcengined process with the audit_event_log_dir option:

-audit_event_log_dir=local_dir_location

ArcEngine writes audit events as JSON objects. Each log file is named with the timestamp of its first entry and holds 5,000 entries; when a file reaches 5,000 entries, ArcEngine starts a new file. All files reside in the local_dir_location directory. Note that Compute Stats and Refresh Analytical Views statements each produce multiple log entries.

The following sample event log entry was produced by a Show Extended Analytical Views statement:

    {
       "1520914259398":{
          "query_id":"6043a6a6ccb30531:c241364600000000",
          "session_id":"dd4d8f699bcf703f:9464da1a526591ac",
          "start_time":"2018-03-13 04:10:59.391130000",
          "authorization_failure":false,
          "status":"",
          "user":"vagrant",
          "impersonator":null,
          "statement_type":"SHOW_ANALYTICAL_VIEWS",
          "network_address":"::1:36153",
          "sql_statement":"show extended analytical views",
          "catalog_objects":[
             {
                "name":"default",
                "object_type":"DATABASE",
                "privilege":"ANY"
             }
          ]
       }
    }
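The following is an added example, not ArcEngine or Cloudera code, showing how a reviewer might consume these audit files offline: it parses the consecutive JSON objects in a file, then pulls out the three things worth checking first (authorization failures, impersonated statements, and which user touched which catalog object with which privilege). It assumes each file contains objects of the form {"<epoch_millis>": {event}} using the field names in the sample above; the log content below is constructed for the example, and the statement_type values "QUERY" and "DDL", the object_type "TABLE" for an analytical view, and the status text of the denied statement are assumptions, not values taken from the page.

```python
"""Parse ArcEngine/Sentry audit event files and summarize access.

Added example, not ArcEngine code. Assumes a file holds consecutive JSON
objects shaped {"<epoch_millis>": {event...}} with the field names shown in
the documentation sample above.
"""
import json
from collections import defaultdict

# Constructed sample log content (not from a real deployment). Objects may be
# pretty-printed or one per line, so the parser must not rely on newlines.
# The first event is the page's sample; the other two are invented to show a
# denied statement and an impersonated statement.
SAMPLE_LOG = """
{"1520914259398":{"query_id":"6043a6a6ccb30531:c241364600000000",
 "session_id":"dd4d8f699bcf703f:9464da1a526591ac",
 "start_time":"2018-03-13 04:10:59.391130000","authorization_failure":false,
 "status":"","user":"vagrant","impersonator":null,
 "statement_type":"SHOW_ANALYTICAL_VIEWS","network_address":"::1:36153",
 "sql_statement":"show extended analytical views",
 "catalog_objects":[{"name":"default","object_type":"DATABASE","privilege":"ANY"}]}}
{"1520914301000":{"query_id":"aaaa000000000001:0000000000000000",
 "session_id":"bbbb000000000001:0000000000000000",
 "start_time":"2018-03-13 04:11:41.000000000","authorization_failure":true,
 "status":"AuthorizationException: analyst lacks SELECT on default.test_table",
 "user":"analyst","impersonator":null,"statement_type":"QUERY",
 "network_address":"10.0.0.5:51234","sql_statement":"SELECT max(i) FROM test_table",
 "catalog_objects":[{"name":"default.test_table","object_type":"TABLE","privilege":"SELECT"}]}}
{"1520914360000":{"query_id":"aaaa000000000002:0000000000000000",
 "session_id":"bbbb000000000002:0000000000000000",
 "start_time":"2018-03-13 04:12:40.000000000","authorization_failure":false,
 "status":"","user":"vagrant","impersonator":"svc_bi",
 "statement_type":"DDL","network_address":"10.0.0.9:40022",
 "sql_statement":"DROP ANALYTICAL VIEW test_table_av",
 "catalog_objects":[{"name":"default.test_table_av","object_type":"TABLE","privilege":"DROP"}]}}
"""


def parse_audit_events(text):
    """Return a list of (timestamp_ms, event) pairs from one file's text.

    raw_decode consumes one JSON value at a time from an offset, so objects
    are accepted whether written one per line or pretty-printed.
    """
    decoder = json.JSONDecoder()
    events = []
    pos = 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1  # skip whitespace between consecutive objects
        if pos >= len(text):
            break
        obj, pos = decoder.raw_decode(text, pos)
        for ts, event in obj.items():  # single key: epoch millis of the event
            events.append((int(ts), event))
    return events


def summarize(events):
    """Build the three views a reviewer wants from a batch of events.

    Returns (failures, impersonated, access) where
      failures     = [(ts, user, sql, status)] for denied statements
      impersonated = [(ts, impersonator, user, sql)]
      access       = {(object name, object type): {(user, privilege, outcome)}}
    Denied statements are kept in `access` as "denied" so attempted access to
    an object is visible alongside granted access.
    """
    failures, impersonated = [], []
    access = defaultdict(set)
    for ts, ev in events:
        user = ev["user"]
        denied = bool(ev.get("authorization_failure"))
        if ev.get("impersonator"):
            impersonated.append((ts, ev["impersonator"], user, ev["sql_statement"]))
        if denied:
            failures.append((ts, user, ev["sql_statement"], ev.get("status", "")))
        for obj in ev.get("catalog_objects", []):
            key = (obj["name"], obj["object_type"])
            access[key].add((user, obj["privilege"], "denied" if denied else "granted"))
    return failures, impersonated, dict(access)


if __name__ == "__main__":
    evs = parse_audit_events(SAMPLE_LOG)
    fails, imps, acc = summarize(evs)
    print(f"{len(evs)} events, {len(fails)} denied, {len(imps)} impersonated")
    for key in sorted(acc):
        print(key, sorted(acc[key]))
```

Because the log records the objects named in the user's original statement, the denied SELECT above appears against default.test_table even if the engine would have answered it from an analytical view; a reviewer correlating entries with Sentry policy should therefore reason about the base object the user wrote, not the rewritten one.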