ArcEngine uses the audit logging feature of Cloudera Sentry, the designated Cloudera Data Platform authorization provider, to record user access events on database objects.
ArcEngine generates audit log entries for the objects referenced directly in the user-supplied statement, not for the objects that a rewritten statement actually touches. Consider these examples:
If a user runs the following statement:
SELECT max(i) FROM test_table;
and ArcEngine rewrites it to use an analytical view:
SELECT max_finalize(c1) FROM test_table_av;
then the audit log shows access only to the table test_table, because that is the object the user's query named.
If the originating statement selects directly from the analytical view:
SELECT max_finalize(c1) FROM test_table_av;
then the audit log shows access to test_table_av, because the user's original statement references the analytical view.
If a user performs operations directly on the analytical view:
DROP ANALYTICAL VIEW test_table_av;
then the audit log records the DROP against test_table_av, even though the authorization check is actually performed against the base table test_table. When reconciling logged access with granted privileges, map each analytical view back to its base table.
To enable Sentry audit logging, start each arcengined process with the audit_event_log_dir option pointing at a local directory:
-audit_event_log_dir=local_dir_location
ArcEngine writes audit events as JSON objects, 5,000 per log file, and names each file after the timestamp of its first entry. After 5,000 entries it rolls over to a new file. All files reside in the local_dir_location directory. Note that Compute Stats and Refresh Analytical Views events each produce multiple log entries. The following example shows a sample event log entry for a Show Extended Analytical Views statement:
{
  "1520914259398": {
    "query_id": "6043a6a6ccb30531:c241364600000000",
    "session_id": "dd4d8f699bcf703f:9464da1a526591ac",
    "start_time": "2018-03-13 04:10:59.391130000",
    "authorization_failure": false,
    "status": "",
    "user": "vagrant",
    "impersonator": null,
    "statement_type": "SHOW_ANALYTICAL_VIEWS",
    "network_address": "::1:36153",
    "sql_statement": "show extended analytical views",
    "catalog_objects": [
      {
        "name": "default",
        "object_type": "DATABASE",
        "privilege": "ANY"
      }
    ]
  }
}
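The following script is an added example of reading the audit files that -audit_event_log_dir produces and raising the findings an auditor would look for: authorization failures, impersonated sessions, and access logged against an analytical view whose privilege check was really made on its base table. It is not ArcEngine, Arcadia or Sentry code. It assumes, beyond what the page states, that each log file holds one JSON object per line keyed by a millisecond timestamp, that table names in catalog_objects take the form db.table, that statement_type values other than SHOW_ANALYTICAL_VIEWS are as constructed here, and that the caller supplies the mapping from analytical views to base tables. The sample log lines are constructed; the first mirrors the event shown above.

```python
"""Review ArcEngine audit event logs written by -audit_event_log_dir.

Added example; not ArcEngine, Arcadia or Sentry code. Assumptions not stated on the page:
each log file holds one JSON object per line, keyed by a millisecond timestamp; table
names in catalog_objects are "db.table"; statement_type values other than
SHOW_ANALYTICAL_VIEWS, and the view-to-base-table mapping, are supplied by the caller.
"""
import json
from pathlib import Path
from typing import Dict, List, Tuple


def _event(ts, stype, sql, objs, user="vagrant", auth_fail=False, impersonator=None):
    """Build one constructed audit line in the shape of the page's sample event."""
    return json.dumps({str(ts): {
        "query_id": "6043a6a6ccb30531:%016x" % ts,
        "session_id": "dd4d8f699bcf703f:9464da1a526591ac",
        "start_time": "2018-03-13 04:10:59.391130000",
        "authorization_failure": auth_fail, "status": "", "user": user,
        "impersonator": impersonator, "statement_type": stype,
        "network_address": "::1:36153", "sql_statement": sql,
        "catalog_objects": [{"name": n, "object_type": t, "privilege": p} for n, t, p in objs],
    }})


# Constructed sample log: the first line mirrors the page's SHOW_ANALYTICAL_VIEWS entry,
# the rest are hypothetical events exercising the cases discussed in the text.
SAMPLE_LOG = "\n".join([
    _event(1520914259398, "SHOW_ANALYTICAL_VIEWS", "show extended analytical views",
           [("default", "DATABASE", "ANY")]),
    # rewritten query: only the base table is logged, so there is nothing to resolve
    _event(1520914260000, "QUERY", "SELECT max(i) FROM test_table",
           [("default.test_table", "TABLE", "SELECT")]),
    # direct select from the analytical view: log names the view, Sentry checked the base table
    _event(1520914261000, "QUERY", "SELECT max_finalize(c1) FROM test_table_av",
           [("default.test_table_av", "TABLE", "SELECT")]),
    # denied DROP on the view by another user
    _event(1520914262000, "DDL", "DROP ANALYTICAL VIEW test_table_av",
           [("default.test_table_av", "TABLE", "DROP")], user="mallory", auth_fail=True),
    # a query run through an impersonating service account
    _event(1520914263000, "QUERY", "SELECT * FROM test_table",
           [("default.test_table", "TABLE", "SELECT")], user="alice", impersonator="hue"),
])

# Caller-supplied mapping from analytical view to the base table Sentry authorizes against.
VIEW_TO_BASE = {"default.test_table_av": "default.test_table"}


def parse_audit_text(text: str) -> List[dict]:
    """Parse one audit file into event dicts, each carrying its timestamp as timestamp_ms."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if len(obj) != 1:
            raise ValueError("expected one timestamp key per line, got %r" % list(obj))
        (ts, ev), = obj.items()
        events.append(dict(ev, timestamp_ms=int(ts)))
    return events


def load_audit_dir(directory) -> List[dict]:
    """Read every file in audit_event_log_dir and return events in time order across files.

    Files are named after their first entry's timestamp and roll over every 5,000 entries,
    so a global sort by timestamp_ms stitches the rollover boundaries back together.
    """
    events = []
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            events.extend(parse_audit_text(path.read_text()))
    return sorted(events, key=lambda e: e["timestamp_ms"])


def review(events: List[dict], view_to_base: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (finding, query_id, detail) triples for the cases an auditor cares about."""
    findings = []
    for ev in events:
        qid = ev["query_id"]
        actor = ev["user"] + (" via " + ev["impersonator"] if ev.get("impersonator") else "")
        if ev.get("authorization_failure"):
            findings.append(("AUTHZ_FAILURE", qid, "%s: %s" % (actor, ev["sql_statement"])))
        if ev.get("impersonator"):
            findings.append(("IMPERSONATED", qid, actor))
        for obj in ev.get("catalog_objects", []):
            # The log records the object the statement named; when that is an analytical
            # view, the privilege was actually checked against the base table.
            base = view_to_base.get(obj["name"])
            if base is not None:
                findings.append(("VIEW_ACCESS", qid, "%s %s on %s, authorized against %s"
                                 % (actor, obj["privilege"], obj["name"], base)))
    return findings


if __name__ == "__main__":
    for finding in review(parse_audit_text(SAMPLE_LOG), VIEW_TO_BASE):
        print(*finding)
```

Point load_audit_dir at the directory given to -audit_event_log_dir to run the same review over real files; because the rollover at 5,000 entries splits a session across files, sorting on the per-entry timestamp rather than trusting file order is what keeps the sequence of a single user's statements intact.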