How do I enable HBase audit logs to monitor who modifies my HBase table data?
Aim:
This article discusses how to enable HBase audit logs. This will help you to track who made changes to the HBase table data.
Solution:
Please follow the below steps:
[1] Add the following to 'hbase-site.xml' file in all HBase regionserver nodes.
[1] Add the following to 'hbase-site.xml' file in all HBase regionserver nodes.
File Location (Specific to MapR clusters): /opt/mapr/hbase/hbase-<version>/conf/
<property> <name>hbase.security.authorization</name> <value>true</value> </property> <property> <name>hbase.coprocessor.master.classes</name> <value>org.apache.hadoop.hbase.security.access.AccessController</value> </property> <property> <name>hbase.coprocessor.region.classes</name> <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value> </property>
[2] Uncomment/Add the following to 'log4j.properties ' file in all HBase regionserver nodes.
File Location (Specific to MapR clusters): /opt/mapr/hbase/hbase-<version>/conf/
log4j.logger.SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController=TRACE
[3] Restart HBase regionserver service.
You will see the details inside 'SecurityAuth.audit' file.
Default location of 'SecurityAuth.audit' file (Specific to MapR clusters): /opt/mapr/hbase/hbase-<version>/logs/
You will see the details inside 'SecurityAuth.audit' file.
Default location of 'SecurityAuth.audit' file (Specific to MapR clusters): /opt/mapr/hbase/hbase-<version>/logs/
Example TRACE for 'mapr' user inserting data to table 'tb':
2018-02-26 14:18:17,220 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user mapr; reason: Table permission granted; remote address: ; request: put; context: (user=mapr, scope=default:tb, family=cf:v, params=[table=default:tb,family=cf:v],action=WRITE)