Monday 26 February 2018

How do I enable HBase audit logs to monitor who modifies my HBase table data?


Aim:

This article explains how to enable HBase audit logs so that you can track who made changes to HBase table data.

Solution:

Follow the steps below:

[1] Add the following to the 'hbase-site.xml' file on all HBase regionserver nodes.
File location (specific to MapR clusters): /opt/mapr/hbase/hbase-<version>/conf/

<property>
     <name>hbase.security.authorization</name>
     <value>true</value>
</property>
<property>
     <name>hbase.coprocessor.master.classes</name>
     <value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
<property>
     <name>hbase.coprocessor.region.classes</name>
     <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
</property>


[2] Uncomment or add the following in the 'log4j.properties' file on all HBase regionserver nodes.
File location (specific to MapR clusters): /opt/mapr/hbase/hbase-<version>/conf/

log4j.logger.SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController=TRACE

[3] Restart the HBase regionserver service.

The audit entries are written to the 'SecurityAuth.audit' file.
Default location of the 'SecurityAuth.audit' file (specific to MapR clusters): /opt/mapr/hbase/hbase-<version>/logs/

Example TRACE entry for the 'mapr' user inserting data into table 'tb':

2018-02-26 14:18:17,220 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user mapr; reason: Table permission granted; remote address: ; request: put; context: (user=mapr, scope=default:tb, family=cf:v, params=[table=default:tb,family=cf:v],action=WRITE)
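
To review these entries in bulk, the following added example (not part of the original article or of HBase) parses 'SecurityAuth.audit' lines and reports which users wrote to each table and which requests were denied. It assumes "Access denied" entries use the same field layout as the "Access allowed" line above; every sample line except the first is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Field layout follows the TRACE line shown in the article; the
# "denied" variant is assumed to use the same layout.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) TRACE "
    r"SecurityLogger\.\S+AccessController: "
    r"Access (?P<decision>allowed|denied) for user (?P<user>[^;]+); "
    r"reason: (?P<reason>[^;]*); remote address: (?P<remote>[^;]*); "
    r"request: (?P<request>[^;]*); context: \((?P<context>.*)\)\s*$"
)

LOGGER = "TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: "
# Sample input: line 1 is the article's example, lines 2-4 are constructed.
SAMPLE = [
    "2018-02-26 14:18:17,220 " + LOGGER + "Access allowed for user mapr; reason: Table permission granted; remote address: ; request: put; context: (user=mapr, scope=default:tb, family=cf:v, params=[table=default:tb,family=cf:v],action=WRITE)",
    "2018-02-26 14:20:41,903 " + LOGGER + "Access denied for user alice; reason: Insufficient permissions; remote address: 10.0.0.5; request: put; context: (user=alice, scope=default:tb, family=cf:v, params=[table=default:tb,family=cf:v],action=WRITE)",
    "2018-02-26 14:21:02,115 " + LOGGER + "Access allowed for user bob; reason: Table permission granted; remote address: 10.0.0.6; request: get; context: (user=bob, scope=default:tb, family=cf:v, params=[table=default:tb,family=cf:v],action=READ)",
    "2018-02-26 14:21:30,000 INFO unrelated line that is not an audit record",
]

def parse_line(line):
    """Return a dict of audit fields, or None if the line is not an audit record."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = {k: v.strip() for k, v in m.groupdict().items()}
    ctx = rec.pop("context")
    for key in ("scope", "action"):
        hit = re.search(key + r"=([^,)\]]+)", ctx)
        rec[key] = hit.group(1) if hit else None
    return rec

def summarize(lines):
    """Return (table -> users with an allowed WRITE, list of denied records)."""
    writers, denied = defaultdict(set), []
    for rec in filter(None, map(parse_line, lines)):
        if rec["decision"] == "denied":
            denied.append(rec)
        elif rec["action"] == "WRITE":
            writers[rec["scope"]].add(rec["user"])
    return dict(writers), denied

if __name__ == "__main__":
    writers, denied = summarize(SAMPLE)
    print("writers per table:", writers)
    print("denied:", [(d["ts"], d["user"], d["request"], d["scope"]) for d in denied])
```

To run it against a real file, pass the open file object to summarize() in place of SAMPLE.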
