Auditing User Administration Operations with Hue and Cloudera Navigator

With the latest release of Hue 3.9, we’ve added an additional layer of monitoring for Hue administrators.

Hue user administration operations can now be audited and written to a configurable audit log. Administrators can then use Cloudera Navigator’s Auditing Component to view, search, filter, and generate reports on these audited events.

Figure: Tracking and audit events like the logins in Hue

Hue admins can thus easily monitor superuser operations such as adding/editing users and groups, editing permissions, and user logins/logouts. Most importantly, admins can easily detect when unauthorized attempts at these operations have been made, and capture the related metadata for those unauthorized attempts.

To enable and configure the audit log file, two new configuration properties have been added to the hue.ini file; they can be overridden in Cloudera Manager’s Service Access Audit Log Properties controls.

[desktop]
# The directory where to store the auditing logs. Auditing is disabled if the value is empty.
# e.g. /var/log/hue/audit.log
audit_event_log_dir=/Users/jennykim/Dev/hue/logs/audit.log

# Size in KB/MB/GB for audit log to rollover.
audit_log_max_file_size=100MB

After configuring the audit log and restarting Hue, you can then start viewing the audited operations by tailing the log:

$ tail logs/audit.log

{"username": "admin", "impersonator": "hue", "eventTime": 1447271632364, "operationText": "Successful login for user: admin", "service": "accounts", "url": "/accounts/login/", "allowed": true, "operation": "USER_LOGIN", "ipAddress": "127.0.0.1"}
{"username": "admin", "impersonator": "hue", "eventTime": 1447271704937, "operationText": "Created Group: admins, with member(s): jennykim, admin, hue", "service": "useradmin", "url": "/useradmin/groups/new", "allowed": true, "operation": "CREATE_GROUP", "ipAddress": "127.0.0.1"}
{"username": "admin", "impersonator": "hue", "eventTime": 1447271778278, "operationText": "Created Group: readonly, with member(s): ", "service": "useradmin", "url": "/useradmin/groups/new", "allowed": true, "operation": "CREATE_GROUP", "ipAddress": "127.0.0.1"}
{"username": "admin", "impersonator": "hue", "eventTime": 1447271788277, "operationText": "Successfully edited permissions: useradmin/access", "service": "useradmin", "url": "/useradmin/permissions/edit/useradmin/access", "allowed": true, "operation": "EDIT_PERMISSION", "ipAddress": "127.0.0.1"}

Each audited record contains fields for:

  • username of the user executing the action
  • impersonator user (always “hue” in this case)
  • eventTime in milliseconds since epoch
  • allowed, true if operation was authorized, false otherwise
  • operation (e.g. USER_LOGIN, CREATE_USER, CREATE_GROUP, EDIT_PERMISSION, etc.)
  • operationText, descriptive text of the operation
  • service
  • url
  • ipAddress of client

Currently, Hue audits the following authentication and useradmin actions:

  • USER_LOGIN, USER_LOGOUT
  • CREATE_USER, DELETE_USER, EDIT_USER
  • CREATE_GROUP, DELETE_GROUP, EDIT_GROUP
  • ADD_LDAP_USERS, ADD_LDAP_GROUPS, SYNC_LDAP_USERS_GROUPS
  • EDIT_PERMISSION
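
As an added example (not part of the original post and not Hue or Navigator code), the following Python script reads records in the audit.log format shown above, separates denied attempts from allowed administrative changes, and flags client addresses with repeated denials. The sample records are constructed; the user jdoe, the documentation-range IP addresses, the threshold and the function names are assumptions.

```python
import json
from collections import Counter
from datetime import datetime, timezone

SESSION_OPS = {"USER_LOGIN", "USER_LOGOUT"}  # everything else changes users, groups or permissions

# Constructed sample in the audit.log format shown above (users, IPs and texts are made up).
SAMPLE_LOG = """\
{"username": "admin", "impersonator": "hue", "eventTime": 1447271632364, "operationText": "constructed", "service": "accounts", "url": "/accounts/login/", "allowed": true, "operation": "USER_LOGIN", "ipAddress": "127.0.0.1"}
{"username": "admin", "impersonator": "hue", "eventTime": 1447271704937, "operationText": "constructed", "service": "useradmin", "url": "/useradmin/groups/new", "allowed": true, "operation": "CREATE_GROUP", "ipAddress": "127.0.0.1"}
{"username": "jdoe", "impersonator": "hue", "eventTime": 1447271800000, "operationText": "constructed", "service": "accounts", "url": "/accounts/login/", "allowed": false, "operation": "USER_LOGIN", "ipAddress": "203.0.113.7"}
{"username": "jdoe", "impersonator": "hue", "eventTime": 1447271801000, "operationText": "constructed", "service": "accounts", "url": "/accounts/login/", "allowed": false, "operation": "USER_LOGIN", "ipAddress": "203.0.113.7"}
{"username": "jdoe", "impersonator": "hue", "eventTime": 1447271802000, "operationText": "constructed", "service": "accounts", "url": "/accounts/login/", "allowed": false, "operation": "USER_LOGIN", "ipAddress": "203.0.113.7"}
{"username": "jdoe", "impersonator": "hue", "eventTime": 1447271900000, "operationText": "constructed", "service": "useradmin", "url": "/useradmin/permissions/edit/useradmin/access", "allowed": false, "operation": "EDIT_PERMISSION", "ipAddress": "198.51.100.9"}
{"username": "admin", "impersonator": "hue", "eventTime": 14472
"""

def parse_audit_lines(lines):
    """Yield one dict per well-formed record; skip blank or truncated lines."""
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # blank line or a record cut off mid-write
        if isinstance(rec, dict) and "operation" in rec:
            yield rec

def triage(records, denied_threshold=3):
    """Split records into denied attempts and allowed admin changes; flag noisy IPs."""
    denied, admin_changes, denied_by_ip = [], [], Counter()
    for rec in records:
        when = datetime.fromtimestamp(rec.get("eventTime", 0) / 1000, tz=timezone.utc)
        item = (when.isoformat(), rec.get("username"), rec["operation"], rec.get("ipAddress"))
        if rec.get("allowed") is not True:  # fail closed: a missing field counts as denied
            denied.append(item)
            denied_by_ip[rec.get("ipAddress")] += 1
        elif rec["operation"] not in SESSION_OPS:
            admin_changes.append(item)
    noisy = {ip: n for ip, n in denied_by_ip.items() if n >= denied_threshold}
    return {"denied": denied, "admin_changes": admin_changes, "noisy_ips": noisy}

if __name__ == "__main__":
    for key, value in triage(parse_audit_lines(SAMPLE_LOG.splitlines())).items():
        print(key, value)
```

To run it against a real file, pass the open file object to `parse_audit_lines` in place of `SAMPLE_LOG.splitlines()`.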

If you are running Hue with Cloudera Enterprise, you can then view and manage the audit report from Cloudera Navigator and filter on the Service Name for Hue, in this case “HUE-1”:

Figure: Navigator Audits

You can expand any audit record to view the metadata for a given operation, including whether it was allowed/authorized, the impersonated user and additional details specific to the operation.

Figure: Navigator Audit Details

Hue + Navigator provide rich data discovery, audit and policy enforcement features, and Hue is evolving into a more enterprise-compliance-friendly product. If you have any questions, feel free to comment here or on the hue-user list or @gethue!

13 Comments

  1. Suresh K 2 years ago

    I have synced the Active Directory within HUE,
    though I choose the option to “not create home directories” upon user login.
    It's creating user directories in my hdfs-file-system.
    I don’t want that behavior.
    Could you please provide me a solution for that?

  2. Suresh K 2 years ago

    Hi,
    Yes, it's the same property.
    This is my current configuration file, where I changed this property create_users_on_login=false in prod.xxxx.xxx
    and also synced LDAP users as suggested using Hue.

    [desktop]
    ldap_username=hue
    ldap_password=xxxxx
    force_username_lowercase=true
    [[ldap]]
    [[[ldap_servers]]]
    [[[[xxxxxxxx]]]]
    ldap_url=ldap://prod.xxxx.net
    search_bind_authentication=false
    nt_domain=prod.travp.net
    create_users_on_login=false
    base_dn="DC=xxx,DC=xxxx,DC=net"
    bind_dn="hbind"
    bind_password="xxxxxx"
    [[[[admin.xxxx.xxx]]]]
    ldap_url=ldap://xxxxx.xxxxx.net
    search_bind_authentication=false
    nt_domain=xxxxx.xxxxx.net
    create_users_on_login=true
    base_dn="DC=xxxx,DC=xxxxx,DC=net"
    bind_dn="hbind"
    bind_password="xxxxxx"

    Whenever a user logs into the Hue interface,
    a directory is being created in the Hadoop file system.
    It's creating a lot of dummy directories, which we actually don’t need.

  3. Suresh K 2 years ago

    Though I uncheck the option “create home directory”,
    it's creating user directories in hadoop-file-system.
    I feel there is a bug, correct me if I am wrong.

    • Hue Team 2 years ago

      The create home directory box only has effects on this page.

      Which backend are you using? I think it will create the HDFS home of the user automatically (as a user can’t submit jobs by default without a home)

  4. suresh 1 year ago

    I don't want HUE to create HDFS user directories on user login; we want users to follow our predefined shell scripts to create HDFS user directories.
    Is there a good way to disable the auto-creation of user directories?

  5. suresh 1 year ago

    Hue Team,
    I am awaiting your reply.
    I am using Cloudera Hadoop as the back-end.

  6. bharath 11 months ago

    What are the alternatives, if we are not using Cloudera Navigator?

    • Author
      Hue Team 11 months ago

      Currently only Navigator API is supported

      • Aerin 1 week ago

        Hey, dear Hue Team, I have the same question. I want to enable the Hue audit log, but I don’t want to use Cloudera Navigator. I saw your reply was 11 months ago, just want to know if there are any updates. Can we enable the Hue audit log without Navigator now?

        Thanks.

        • Author
          Hue Team 1 week ago

          Feel free to enable it, Hue will produce an audit.log file, but Navigator will just not pick it up as it won’t exist.

  7. Aerin 1 week ago

    Hi, dear Hue Team, thank you for your fast answer. So do you mean with Hue 3.9.0, we can enable the audit logging without Nav? We have Cloudera Manager (5.11.1) installed, the Hue version is 3.9.0. When I tried to change it through Cloudera Manager->Hue->Configuration, ‘audit_event_log_dir’, it generated a folder and I have no access. So I am wondering if I should do this in the latest version (Hue 3.12 or Hue 4). Thanks again :)!

    • Author
      Hue Team 5 days ago

      Are you trying to fix/create the ‘audit_event_log_dir’ so that Hue can write the logs there?
