This is the documentation for Cloudera Navigator 2.0.x.
Documentation for other versions is available at Cloudera Documentation.

Audit Events

An audit event is an event that describes an action that has been taken for a service, role, or host.

In Cloudera Manager, audit event logs display:
  • Service, role, and host life cycle events recorded by Cloudera Management Service roles. For further information, see Audit Events in the Cloudera Manager Monitoring and Diagnostics Guide.
  • Service access events recorded by the Cloudera Navigator Audit Server. Such audit events are described below.

Audit Event Properties

The following properties can appear in an audit event entry:

  • Date - Date and time the action was performed.
  • Command - The action performed.
  • Source - The object affected by the service action.
  • User - The name of the user that performed the action.
  • Impersonator - If the action was requested by another service, the name of the user that invoked the service action on behalf of the user.
    • When Sentry is not enabled, the Impersonator field is always shown.
    • When Sentry is enabled, the Impersonator field is shown for services other than Hive.
  • IP Address - The IP address of the host where the service action occurred.
  • Service - The name of the service that performed the service action.
  • Role - The name of the role that performed the service action.

Viewing Audit Events

You can view audit events for all services or for a specific service. To view audit events, follow the appropriate procedure:

  • All Services
    1. Click Audits in the Cloudera Manager Admin Console top navigation bar.
  • Service
    1. In the Cloudera Manager Admin Console, click a service that supports auditing.
    2. Click the Audits tab on the service navigation bar.

Audit event entries are ordered with the most recent at the top.

Events that represent denied access are labeled Denied and displayed with red text and a pink background.

Filtering Audit Events

You filter audit events in the audit UI by selecting a time range and adding filters.

You can use the Time Range Selector or a duration link to set the time range. (See Time Line in the Cloudera Manager Monitoring and Diagnostics Guide for details.) When you select the time range, the log displays all events in that range. A search over a longer time range typically takes longer, because more events must be searched.

Adding a Filter

  • Click the icon that displays next to a property when you hover in one of the event entries. A filter containing the property, operator, and its value is added to the list of filters at the left and Cloudera Manager redisplays all events that match the filter.
  • Click the Add a filter link. A filter control is added to the list of filters.
    1. Choose a property in the drop-down list. You can search by properties such as Username, Service, Command, or Role. The properties vary depending on the service or role.
    2. If the property allows it, choose an operator in the operator drop-down list.
    3. Type a property value in the value text field. For some properties, where the list of values is finite and known, you can start typing and then select from a list of potential matches. To match a substring, use the like operator and specify % around the string. For example, to see all the audit events for files created in the folder /user/joe/out specify Source like %/user/joe/out%.
    4. Click Search. The log displays all events that match the filter criteria.
    5. Click to add more filters and repeat steps 1 through 4.

Removing a Filter

  1. Click the icon at the right of the filter. The filter is removed.
  2. Click Search. The log displays all events that match the filter criteria.

Downloading Audit Events

You can download audit events in the Audit UI or using the Audit API. An audit event contains the following fields: service, username, command, ipAddress, resource, allowed, timestamp, operationText. The structure of the resource field depends on the type of the service:
  • HDFS - A file path.
  • Hive, Hue, Impala, and Sentry - database:tablename
  • HBase - table family:qualifier
For Hive, Hue, Impala, and Sentry events, operationText contains the operation string.

Downloading Audit Events Using the Audit UI

  1. Display the audit log.
  2. Specify desired filters and time range.
  3. Click the Download CSV button. A file named history.csv is downloaded.

HDFS Audit Log Example

service,username,command,ipAddress,resource,allowed,timestamp,operationText,
HDFS,cloudera,setPermission,20.10.187.242,/user/hive,false,"2014-02-09T00:59:34.430Z",
HDFS,cloudera,getfileinfo,20.10.187.242,/user/cloudera,true,"2014-02-09T00:59:22.667Z",
HDFS,cloudera,getfileinfo,20.10.187.242,/,true,"2014-02-09T00:59:22.658Z",

In this example, access was denied for the first event, and therefore its allowed field has the value false.

Hive and Sentry Example - via downloaded CSV file

The following records list Hive operations to create and load a table and Sentry operations to create roles and grant privileges:
service,username,command,ipAddress,resource,allowed,timestamp,operationText
Hive,admin,LOAD,20.10.191.128,default:sample_08,true,"2014-07-08T20:21:03.510Z","LOAD DATA INPATH
      '/user/admin/sample_08' OVERWRITE INTO TABLE sample_08"
Hive,admin,LOAD,20.10.191.128,:,true,"2014-07-08T20:21:03.509Z","LOAD DATA INPATH
      '/user/admin/sample_08' OVERWRITE INTO TABLE sample_08"
Hive,admin,CREATETABLE,20.10.191.128,default:sample_08,true,"2014-07-08T20:21:01.899Z","CREATE TABLE `sample_08` (
  `code` string ,
  `description` string ,
  `total_emp` int ,
  `salary` int )
ROW FORMAT DELIMITED
  FIELDS TERMINATED BY '	'
STORED AS TextFile"
Hive,hive,GRANT_ROLE,20.10.191.128,:,true,"2014-07-08T20:19:26.718Z","GRANT ROLE default_admin TO GROUP sentryDefaultAdmin"
Hive,hive,GRANT_PRIVILEGE,20.10.191.128,default:,true,"2014-07-08T20:19:26.149Z","GRANT ALL ON DATABASE default TO ROLE default_admin"
Hive,hive,CREATEROLE,20.10.191.128,:,true,"2014-07-08T20:19:25.761Z","CREATE ROLE default_admin"
Hive,hive,GRANT_ROLE,20.10.191.128,:,true,"2014-07-08T20:19:20.515Z","GRANT ROLE global_admin TO GROUP sentryAdmin"
Hive,hive,GRANT_ROLE,20.10.191.128,:,true,"2014-07-08T20:19:20.063Z","GRANT ROLE global_admin TO GROUP hive"
Hive,hive,GRANT_PRIVILEGE,20.10.191.128,server1:,true,"2014-07-08T20:19:19.382Z","GRANT ALL ON SERVER server1 TO ROLE global_admin"
Hive,hive,CREATEROLE,20.10.191.128,:,true,"2014-07-08T20:19:18.281Z","CREATE ROLE global_admin"
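
Added example (not part of the Cloudera documentation): a Python sketch that parses a downloaded history.csv, splits the resource field using the per-service structure listed under Downloading Audit Events, and separates denied events from Sentry privilege changes. The sample rows are constructed from the records on this page, and the function names and the PRIV_COMMANDS set are assumptions made for illustration. A CSV parser is needed because operationText is a quoted field that can span several lines, so line-oriented tools split such records.

```python
import csv
import io

# Constructed sample in the history.csv layout shown on this page. HDFS rows
# end with a comma (empty operationText); Hive rows can span several lines.
SAMPLE_CSV = '''service,username,command,ipAddress,resource,allowed,timestamp,operationText
HDFS,cloudera,setPermission,20.10.187.242,/user/hive,false,"2014-02-09T00:59:34.430Z",
Hive,admin,CREATETABLE,20.10.191.128,default:sample_08,true,"2014-07-08T20:21:01.899Z","CREATE TABLE `sample_08` (
  `code` string )
STORED AS TextFile"
Hive,hive,GRANT_PRIVILEGE,20.10.191.128,server1:,true,"2014-07-08T20:19:19.382Z","GRANT ALL ON SERVER server1 TO ROLE global_admin"
'''

# Assumption: only the role and privilege commands that appear in this page's example.
PRIV_COMMANDS = {"GRANT_ROLE", "GRANT_PRIVILEGE", "CREATEROLE"}

def split_resource(service, resource):
    """Split the resource field according to the per-service structure."""
    if service == "HDFS":
        return {"path": resource}
    if service == "HBase":  # "table family:qualifier"
        table, _, column = resource.partition(" ")
        family, _, qualifier = column.partition(":")
        return {"table": table, "family": family, "qualifier": qualifier}
    database, _, table = resource.partition(":")  # Hive, Hue, Impala, Sentry
    return {"database": database, "table": table}

def load_events(text):
    """Parse history.csv text; the csv module keeps multi-line quoted fields whole."""
    events = []
    for row in csv.DictReader(io.StringIO(text, newline="")):
        row.pop("", None)  # the header in the HDFS example ends with a comma
        row["allowed"] = row["allowed"].strip().lower() == "true"
        row["resource_parts"] = split_resource(row["service"], row["resource"])
        events.append(row)
    return events

def triage(events):
    """Return (denied events, role and privilege change events)."""
    denied = [e for e in events if not e["allowed"]]
    grants = [e for e in events if e["command"] in PRIV_COMMANDS]
    return denied, grants

if __name__ == "__main__":
    denied, grants = triage(load_events(SAMPLE_CSV))
    for e in denied:
        print("DENIED", e["timestamp"], e["username"], e["command"], e["resource"])
    for e in grants:
        print("PRIV  ", e["timestamp"], e["username"], e["operationText"])
```
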

Downloading Audit Events Using the Audit API

You can filter and download audit events using the Cloudera Manager audit API. See Audit API.

Hive and Sentry Example - via audit API

To download the same audit events using the API, issue the request http://host-1.ent.cloudera.com:7180/api/v6/audits?query=service==*HIVE*, which returns the following JSON items:
{
  "items" : [ {
    "timestamp" : "2014-07-08T20:21:03.510Z",
    "service" : "Hive",
    "username" : "admin",
    "ipAddress" : "20.10.191.128",
    "command" : "LOAD",
    "resource" : "default:sample_08",
    "operationText" : "LOAD DATA INPATH\n      '/user/admin/sample_08' OVERWRITE INTO TABLE sample_08",
    "allowed" : true
  }, {
    "timestamp" : "2014-07-08T20:21:03.509Z",
    "service" : "Hive",
    "username" : "admin",
    "ipAddress" : "20.10.191.128",
    "command" : "LOAD",
    "resource" : ":",
    "operationText" : "LOAD DATA INPATH\n      '/user/admin/sample_08' OVERWRITE INTO TABLE sample_08",
    "allowed" : true
  }, {
    "timestamp" : "2014-07-08T20:21:01.899Z",
    "service" : "Hive",
    "username" : "admin",
    "ipAddress" : "20.10.191.128",
    "command" : "CREATETABLE",
    "resource" : "default:sample_08",
    "operationText" : "CREATE TABLE `sample_08` (\n  `code` string ,\n  `description` string ,\n  `total_emp` int ,\n  `salary` int )\nROW FORMAT DELIMITED\n  FIELDS TERMINATED BY '\t'\nSTORED AS TextFile",
    "allowed" : true
  }, {
    "timestamp" : "2014-07-08T20:19:26.718Z",
    "service" : "Hive",
    "username" : "hive",
    "ipAddress" : "20.10.191.128",
    "command" : "GRANT_ROLE",
    "resource" : ":",
    "operationText" : "GRANT ROLE default_admin TO GROUP sentryDefaultAdmin",
    "allowed" : true
  }, {
    "timestamp" : "2014-07-08T20:19:26.149Z",
    "service" : "Hive",
    "username" : "hive",
    "ipAddress" : "20.10.191.128",
    "command" : "GRANT_PRIVILEGE",
    "resource" : "default:",
    "operationText" : "GRANT ALL ON DATABASE default TO ROLE default_admin",
    "allowed" : true
  }, {
    "timestamp" : "2014-07-08T20:19:25.761Z",
    "service" : "Hive",
    "username" : "hive",
    "ipAddress" : "20.10.191.128",
    "command" : "CREATEROLE",
    "resource" : ":",
    "operationText" : "CREATE ROLE default_admin",
    "allowed" : true
  }, {
    "timestamp" : "2014-07-08T20:19:20.515Z",
    "service" : "Hive",
    "username" : "hive",
    "ipAddress" : "20.10.191.128",
    "command" : "GRANT_ROLE",
    "resource" : ":",
    "operationText" : "GRANT ROLE global_admin TO GROUP sentryAdmin",
    "allowed" : true
  }, {
    "timestamp" : "2014-07-08T20:19:20.063Z",
    "service" : "Hive",
    "username" : "hive",
    "ipAddress" : "20.10.191.128",
    "command" : "GRANT_ROLE",
    "resource" : ":",
    "operationText" : "GRANT ROLE global_admin TO GROUP hive",
    "allowed" : true
  }, {
    "timestamp" : "2014-07-08T20:19:19.382Z",
    "service" : "Hive",
    "username" : "hive",
    "ipAddress" : "20.10.191.128",
    "command" : "GRANT_PRIVILEGE",
    "resource" : "server1:",
    "operationText" : "GRANT ALL ON SERVER server1 TO ROLE global_admin",
    "allowed" : true
  }, {
    "timestamp" : "2014-07-08T20:19:18.281Z",
    "service" : "Hive",
    "username" : "hive",
    "ipAddress" : "20.10.191.128",
    "command" : "CREATEROLE",
    "resource" : ":",
    "operationText" : "CREATE ROLE global_admin",
    "allowed" : true
  } ]
}