How Does Auditing Work?

Explains how auditing works on data-fabric objects.

When you enable the auditing of a particular directory, file, table, or stream, you set the audit bit to "on" for that object. You can tell whether auditing is enabled for a directory, file, or table by checking the status of the object's audit bit.

For example, the volume shown in the following tree diagram consists of the root directory, the two directories dir1 and dir2, and two files in directory dir1. Every directory, file, table, and stream in a volume has an “audit bit” associated with it. You can tell whether, say, dir1 has its audit bit on and is therefore enabled for auditing by running the hadoop mfs -ls command. The output of the command might look as follows:

drwxrwxrwx Z U U 3 root root 100 2015-05-20 21:09 192473738 /dir1

The second U indicates that auditing is not enabled on the directory.

However, an A in place of that U indicates that auditing is enabled on the directory:

drwxrwxrwx Z U A 3 root root 100 2015-05-20 23:41 192473738 /dir1

In the first diagram, as well as in the next two diagrams, U indicates that the audit bit is turned off for a filesystem object and A indicates that the audit bit is on for that object. After you run maprcli volume audit on the volume, none of the audit bits are on:

/              U
-/dir1          U
 -file1         U
 -file2         U
-/dir2          U

Suppose you enable auditing on the root directory by running this command:

hadoop mfs -setaudit on /

Then, you create the file file3 in dir2 and you create the directory dir3 and the file file4 in it. The tree diagram now looks as follows:

/              A
-/dir1          U
 -file1         U
 -file2         U
-/dir2          U
 -file3         U
-/dir3          A
 -file4         A

The audit bit is still U on dir1, on the files in dir1, and on dir2. The new file file3 in dir2 inherits the audit bit from dir2.

dir3 inherits the audit bit from the root folder, so the audit bit for dir3 is A. Moreover, file4 inherits the audit bit from dir3, so its audit bit is A, as well.

Next, you run the following command to enable auditing in dir1:

hadoop mfs -setaudit on /dir1

Then, you create the file file5 in dir1. The new file inherits the audit bit from its parent folder, so it is enabled for auditing immediately after it is created. However, file1 and file2 still have the audit bit turned off.

/              A
-/dir1          A
 -file1         U
 -file2         U
 -file5         A
-/dir2          U
 -file3         U
-/dir3          A
 -file4         A

As file1 and file2 existed before you turned on the audit bit for their parent folder, you need to enable auditing for them as follows:

hadoop mfs -setaudit on /dir1/file1
hadoop mfs -setaudit on /dir1/file2
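
Because objects that existed before their parent was audited keep the audit bit off, a listing is worth checking for such gaps. The following script is an added example, not part of the product documentation: it reads hadoop mfs -ls output, reports every object whose audit flag is not A, and prints (without running) the matching -setaudit commands. It assumes that file lines use the same column layout as the /dir1 line shown earlier and that the last column is the full path; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag objects whose audit bit is off in `hadoop mfs -ls` output.
# Assumption: every listing line uses the column layout of the /dir1 line
# shown on this page, so field 4 is the audit flag (A = on, U = off) and the
# path starts at field 12. Shorter lines (e.g. a "Found N items" header) are
# skipped.

# Print the path of every listed object whose audit flag is not "A".
unaudited_paths() {
  awk 'NF >= 12 && $4 != "A" {
         path = $12
         for (i = 13; i <= NF; i++) path = path " " $i   # paths with spaces
         print path
       }'
}

# Print (do not run) the commands that would turn the audit bit on.
# Paths containing a single quote would need extra escaping before use.
setaudit_commands() {
  unaudited_paths | while IFS= read -r p; do
    printf "hadoop mfs -setaudit on '%s'\n" "$p"
  done
}

# Constructed sample: /dir1 after auditing was enabled on it and file5 was
# created, matching the last tree diagram. Modes, sizes, dates and ids of the
# file lines are made up.
SAMPLE_LS='drwxrwxrwx Z U A 3 root root 100 2015-05-20 23:41 192473738 /dir1
-rwxr-xr-x Z U U 1 root root 10 2015-05-20 21:10 268435456 /dir1/file1
-rwxr-xr-x Z U U 1 root root 10 2015-05-20 21:11 268435456 /dir1/file2
-rwxr-xr-x Z U A 1 root root 10 2015-05-20 23:45 268435456 /dir1/file5'

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_LS" | setaudit_commands
```

On a live cluster, pipe the real listing into setaudit_commands instead of the sample and review the printed commands before running them.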