Enabling auditing of cluster-administration operations requires running a single command.

Enabling auditing of filesystem and table operations requires running a command on a cluster, a command on individual volumes in the cluster, and a command on individual directories, files, and MapR-DB tables within those volumes.

These steps are summarized in the following table:

| Steps to enable auditing | Enable auditing of cluster administration | Enable data auditing on the cluster | Enable auditing of individual volumes | Enable auditing of individual directories, files, and MapR-DB tables |
| --- | --- | --- | --- | --- |
| Auditing of cluster administration | Required | Not applicable | Not applicable | Not applicable |
| Auditing of directories, files, and MapR-DB tables | Not applicable | Required | Required | Required |

Prerequisites for enabling auditing

  • If you upgraded your MapR cluster from version 4.1 or earlier, you must enable the auditing feature. Run this command:
    maprcli config save -values {"mfs.feature.audit.support":"1"}

    To verify that the feature is enabled, run this command:
    maprcli config load -json | grep "mfs.feature.audit.support"
  • Only the root user or the mapr user can enable or disable auditing.

Procedures

To enable or disable auditing of cluster-management operations on a MapR cluster, run the maprcli audit cluster command.

To enable or disable auditing of data-access operations:

  1. To enable or disable auditing of filesystem and table operations on a cluster, run the maprcli audit data command.

    This command does not cause auditing to start for operations within the cluster's volumes. It only sets a flag that allows auditing of individual volumes to be enabled with the maprcli volume audit command. The value that you set for the -retention parameter affects both the audit logs for file operations and the audit logs for table operations.
     
  2. To enable or disable auditing for a particular volume, run the maprcli volume audit command.

    To verify that auditing is enabled for a volume, run the maprcli volume info command and grep its output with the search term 'audited\|coalesce':

    maprcli volume info -name <volume_name> -json | grep -i 'audited\|coalesce'

    The output of the command should look like this, with a 1 for the audited key and the value for the coalesceInterval key:

    "audited":1,
    "coalesceInterval":2
     
  3. To enable or disable auditing for a particular directory, file, or MapR-DB table that existed in a volume at the time that you ran the maprcli volume audit command, run the hadoop mfs command with the -setaudit parameter.

    hadoop mfs -setaudit <on|off> <directory|file|table>

    Wildcards are not supported for the names of filesystem objects in this command.


    Enabling auditing on a directory does not enable auditing on the files that already exist in the directory, though new files and directories created in the directory will have auditing enabled. For example, if you run this command on the root directory of a volume, all new files, directories, and tables that are subsequently created in the volume are audited. The creation of those objects is also audited.

After enabling auditing

If you create a snapshot of a volume, the snapshot inherits the audit settings of the original volume.

If you create a local mirror or remote mirror of a volume, you must run the maprcli volume audit command to enable auditing on the mirror volume. Auditing for particular directories, files, and MapR-DB tables in a mirror volume is enabled automatically if auditing is enabled for them in the source volume. 
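
An added example, not taken from the MapR documentation: a shell check that applies the two verification commands on this page to a list of volumes, so that a mirror volume left without auditing shows up as a gap. The MAPRCLI variable, the sample_maprcli stub, the volume names, and the stub's output are assumptions constructed for illustration; the check also assumes the feature key appears in the config load output as in the verification command above.

```shell
#!/bin/sh
# Added example (not MapR code): report volumes where auditing is not in effect.
# MAPRCLI is overridable so the check can run against the constructed stub below.
MAPRCLI=${MAPRCLI:-maprcli}

# Print the integer value of JSON key $1 found in the text on stdin.
# Accepts both "key":1 and "key":"1" (unquoted and quoted integer values).
json_int() {
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# Check the cluster feature flag, then each named volume. Prints one line per
# volume and returns 1 if the flag is off or any volume is not audited.
audit_gaps() {
    rc=0
    feature=$($MAPRCLI config load -json | json_int 'mfs\.feature\.audit\.support')
    if [ "$feature" != 1 ]; then
        echo "cluster: mfs.feature.audit.support is not 1"
        return 1
    fi
    for vol in "$@"; do
        info=$($MAPRCLI volume info -name "$vol" -json)
        audited=$(printf '%s\n' "$info" | json_int audited)
        coalesce=$(printf '%s\n' "$info" | json_int coalesceInterval)
        if [ "$audited" = 1 ]; then
            echo "$vol: audited (coalesceInterval=$coalesce)"
        else
            # A missing or unparsable value is treated as not audited.
            echo "$vol: NOT audited"
            rc=1
        fi
    done
    return $rc
}

# Constructed stub standing in for maprcli; volume names and values are made up.
sample_maprcli() {
    case "$1 $2 $4" in
        "config load "*)               echo '"mfs.feature.audit.support":"1",' ;;
        "volume info projects")        printf '"audited":1,\n"coalesceInterval":2\n' ;;
        "volume info projects.mirror") printf '"audited":0,\n"coalesceInterval":60\n' ;;
    esac
}
```

On a real cluster, call audit_gaps with the names of the source and mirror volumes; to try it offline, set MAPRCLI=sample_maprcli first.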
