[
https://issues.apache.org/jira/browse/HIVE-13113?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sergey Shelukhin updated HIVE-13113:
------------------------------------
Description:
We need a separate audit log similar to HDFS audit log, where table/etc.
accesses can be logged (on, and separate, by default). It is especially
important with SQL standard auth, since the default model for that is
doAs=false, and the lack of impersonation makes HDFS audit logs relatively
useless. There's some audit logging in metastore, but it goes into the main log
and I don't think anyone ensured it is sufficient and consistently applied even
within the scope of metastore itself; there's also a question of whether
accesses at the task level should be audited, and how (should HS2 audit-log
each task x input combo, since tasks cannot log to a permanent location?).
was:
We need a separate audit log similar to HDFS audit log, where table/etc.
accesses can be logged (on, and separate, by default). It is especially
important with SQL standard auth, since the default model for that is
doAs=false, and the lack of impersonation makes HDFS audit logs relatively
useless. There's some audit logging in metastore, but it goes into the main log
and I don't think anyone ensured it is sufficient and consistently applied even
within the scope of metastore itself; there's also a question of whether
accesses at the task level can be audited, and how (should HS2 audit-log each
task x input combo, since tasks cannot log to a permanent location?).
> add audit log to HS2, especially for SQL auth
> ---------------------------------------------
>
> Key: HIVE-13113
> URL: https://issues.apache.org/jira/browse/HIVE-13113
> Project: Hive
> Issue Type: New Feature
> Reporter: Sergey Shelukhin
>
> We need a separate audit log similar to HDFS audit log, where table/etc.
> accesses can be logged (on, and separate, by default). It is especially
> important with SQL standard auth, since the default model for that is
> doAs=false, and the lack of impersonation makes HDFS audit logs relatively
> useless. There's some audit logging in metastore, but it goes into the main
> log and I don't think anyone ensured it is sufficient and consistently
> applied even within the scope of metastore itself; there's also a question of
> whether accesses at the task level should be audited, and how (should HS2
> audit-log each task x input combo, since tasks cannot log to a permanent
> location?).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
