Audit Trail In Data Catalog and Scheduler¶
It is possible to maintain an audit trail of changes and actions performed both in Scheduler and Data Catalog. This way, we want to give an answer to this question: when and who did what on what element and which was the result?
These changes can be stored in a JSON file and/or in a database, depending on your configuration. In both cases, we are levering Log4j support, so enabling this feature involves logging configuration (as explained below).
To keep an audit trail of Virtual DataPort, use the logs generated by the Denodo Monitor.
Audit Information¶
The audit information contains the following fields:
startTime
: Start time of the requested action.endTime
: Finish time of the requested action.elapsedTime
: Duration (in milliseconds) of the action.sessionID
: Internal identifier for the user’s session.clientIP
: The IP of the client.userName
: Login name of the user executing the action.userAuthMethod
: Which authentication method used the user to log in: LOCAL, REMOTE, SSO, KERBEROS, NO_AUTHENTICATION and ACCESS_TOKEN.userBatchedMode
: (Only in Scheduler) Whether the user executing the action was in batched mode or not.userPermissions
: The permissions of the user executing the action.requestType
: Type of operation performed by the method:Scheduler considers request types like: CREATE, READ, UPDATE, DELETE, START, STOP, ENABLE, DISABLE, etc.
Data Catalog considers request types like: CREATE, READ, UPDATE, DELETE, SYNCHRONIZE, IMPORT, ASSIGN, CANCEL, etc.
elementTypes
: Element types used in the request:Scheduler considers element types like: Job, DataSource, Project, ServerInfo, etc.
Data Catalog considers element types like: DATABASE, VIEW, WEB_SERVICE, TAG, CATEGORY, PROPERTY, PROPERTY_GROUP, ASSOCIATION, FOLDER, etc.
affectedElements
: Information about the elements (identifier and name) that were affected by the execution of the audited method.endpoint
: The action performed.In Scheduler it contains the method signature with its name and parameters.
In Data Catalog it contains the path of the requested URI.
arguments
: Input arguments for the executed method.state
: Status of the action: OK, ERROR, WARNING.warnings
: (Only in Scheduler) The information about the elements that could not be executed in bulk methods. It only applies when state = WARNING.threadName
: Name of the thread that generated the logging event.threadId
: Identifier of the thread that generated the logging event.logLevel
: Log level the event was generated at.
How to Configure Audit in Scheduler¶
To enable auditing in Scheduler, you have to follow these steps:
Enable loggers in
<DENODO_HOME>/conf/scheduler/log4j2.xml
Configure appenders: you can define appenders (inside
<Appenders>
section) to a JSON file and/or to a database (you must configure at least one of them):Appender to JSON:
<RollingFile name="REQUESTOUT-JSON" fileName="<DENODO_HOME>/logs/scheduler/scheduler-requests.json" filePattern="<DENODO_HOME>/logs/scheduler/scheduler-requests.json.%i"> <JsonTemplateLayout eventTemplateUri="classpath:DenodoJsonLayout.json" stackTraceEnabled="false" charset="UTF-8" /> <SizeBasedTriggeringPolicy size="10 MB" /> <DefaultRolloverStrategy max="7" /> </RollingFile>
Replace
<DENODO_HOME>
properly.Appender to database:
<JDBC name="REQUESTOUT-DB" tableName="sched_audit_logs" ignoreExceptions="false"> <ConnectionFactory class="com.denodo.scheduler.core.server.quartz.connection.SchedulerPoolingConnectionProvider" method="getAuditDBConnection" /> <AuditDBLayout /> <ColumnMapping name="startTime" type="java.time.ZonedDateTime" /> <ColumnMapping name="endTime" type="java.time.ZonedDateTime" /> <ColumnMapping name="elapsedTime" type="java.lang.Long" /> <ColumnMapping name="sessionID" /> <ColumnMapping name="clientIP" /> <ColumnMapping name="userName" /> <ColumnMapping name="userAuthMethod" /> <ColumnMapping name="userBatchedMode" type="java.lang.Boolean" /> <ColumnMapping name="userPermissions" /> <ColumnMapping name="requestType" /> <ColumnMapping name="elementTypes" /> <ColumnMapping name="affectedElements" /> <ColumnMapping name="endpoint" /> <ColumnMapping name="arguments" type="java.sql.Clob" /> <ColumnMapping name="state" /> <ColumnMapping name="warnings" type="java.sql.Clob" /> <ColumnMapping name="threadName" /> <ColumnMapping name="threadId" type="java.lang.Long" /> <ColumnMapping name="logLevel" /> </JDBC>
Add logger (with appenders to file and/or database, depending on the previous step):
<Logger name="EventLogger" level="INFO" additivity="false"> <AppenderRef ref="REQUESTOUT-JSON" /> <AppenderRef ref="REQUESTOUT-DB" /> </Logger>
Depending on the log level:
INFO
: default level. It will mainly record actions that make changes to the metadata, such as creations, updates and deletions (for instance: create a job).DEBUG
: in addition to the information registered withINFO
, it will include getters (for instance: get jobs).TRACE
: in addition to the information registered withDEBUG
, it will include internal metadata calls and minor getters (for instance: get meta configuration for VDP jobs).Besides auditing more methods from the API, it also includes more information for each one, as explained in Audit Information
UserAuthenticationMethod
.UserBatchMode
.UserPermissions
.
Only when the appender to database is configured, you have to do these additional steps:
Configure the auditing database:
You can configure the target database where to store the audit information. Note that by default, the audit will use the same database as the metadata.
If you want to use a different database than the one used to store the Scheduler metadata (this is highly recommended), then you have to manually configure its settings in
<DENODO_HOME>/conf/scheduler/ConfigurationParameters.properties
# Audit DataSource AuditDataSource/driverClassName=org.postgresql.Driver AuditDataSource/url=jdbc:postgresql://auditdb.denodo.com:5432/audit AuditDataSource/user=audit_user AuditDataSource/password.secret=audit_password AuditDataSource/databaseName=PostgreSQL AuditDataSource/useKerberos=false AuditDataSource/classpath=postgresql-12
Create the table (
sched_audit_logs
) to store the audit information in the audit database set up in the previous step: For this you can execute sql scripttables_audit_trail_<db>.sql
from<DENODO_HOME>/scripts/scheduler/sql/<db>
.
How to Configure Audit in Data Catalog¶
To enable auditing in Data Catalog, uncomment loggers in <DENODO_HOME>/conf/data-catalog/log4j2.xml
following these steps:
Configure appenders: You can uncomment or define appenders (inside
<Appenders>
section) to a JSON file and/or to a database. You must configure at least one of them:Appender to JSON:
<RollingFile name="REQUESTOUT-JSON" fileName="<DENODO_HOME>/logs/vdp-data-catalog/data-catalog-requests.json" filePattern="<DENODO_HOME>/logs/vdp-data-catalog/data-catalog-requests.json.%i"> <JsonTemplateLayout eventTemplateUri="classpath:DenodoJsonLayout.json" stackTraceEnabled="false" charset="UTF-8"/> <SizeBasedTriggeringPolicy size="10 MB"/> <DefaultRolloverStrategy max="7"/> </RollingFile>
Appender to database:
<JDBC name="REQUESTOUT-DB" tableName="data_catalog_audit_logs" ignoreExceptions="false"> <ConnectionFactory class="com.denodo.webapp.datacatalog.business.common.datasource.AuditConnectionProvider" method="getAuditDBConnection"/> <AuditDBLayout/> <ColumnMapping name="startTime" type="java.time.ZonedDateTime"/> <ColumnMapping name="endTime" type="java.time.ZonedDateTime"/> <ColumnMapping name="elapsedTime" type="java.lang.Long"/> <ColumnMapping name="sessionID"/> <ColumnMapping name="clientIP"/> <ColumnMapping name="userName"/> <ColumnMapping name="userAuthMethod"/> <ColumnMapping name="userPermissions"/> <ColumnMapping name="requestType"/> <ColumnMapping name="elementTypes"/> <ColumnMapping name="affectedElements"/> <ColumnMapping name="endpoint"/> <ColumnMapping name="arguments" type="java.sql.Clob"/> <ColumnMapping name="state"/> <ColumnMapping name="threadName"/> <ColumnMapping name="threadId" type="java.lang.Long"/> <ColumnMapping name="logLevel"/> </JDBC>
Uncomment logger (with appenders to file and/or database, depending on the previous step):
<Logger name="EventLogger" level="INFO" additivity="false"> <AppenderRef ref="REQUESTOUT-JSON" /> <AppenderRef ref="REQUESTOUT-DB" /> </Logger>
Depending on the log level:
INFO
: default level. It will record most of the HTTP requests that Data Catalog receives through its public API REST.DEBUG
: in addition to the information registered withINFO
, it will include those HTTP requests that are recurrently called, likenotification/user/unread
orPing
.Besides auditing more methods from the API, it also includes more information for each one, as explained in Audit Information.
UserAuthenticationMethod
.UserPermissions
.
Only when the appender to database is configured, you have to do these additional steps:
Configure the auditing database. You can specify the target database where to store the audit information configuring its settings in
<DENODO_HOME>/conf/data-catalog/audit-datasource.properties
# Audit DataSource # Supported types: derby, mysql, oracle, postgresql, sqlserver audit.datasource.type=postgresql audit.datasource.driver-class-name=org.postgresql.Driver audit.datasource.url=jdbc:postgresql://auditdb.denodo.com:5432/audit audit.datasource.user=audit_user audit.datasource.password.secret=audit_password audit.datasource.maxPoolSize=50 audit.datasource.minimumIdle=50 # Validation query. If using JTDS driver for SQL Server this field is mandatory audit.datasource.connectionTestQuery= audit.datasource.connectionTimeout=100000 audit.datasource.kerberos.use-kerberos= audit.datasource.kerberos.userName= audit.datasource.kerberos.password.secret= audit.datasource.kerberos.key-tab-file= audit.datasource.kerberos.credentials-cache-file=
Create the table (
data_catalog_audit_logs
) to store the audit information in the audit database set up in the previous step. For this you can execute sql scriptdata_catalog_tables_audit_trail_<db>.sql
from<DENODO_HOME>/scripts/data-catalog/sql/audit/<db>
.
Masking Sensitive Information¶
By default, when auditing events, sensitive or environment-dependent information will be masked.
It is possible to control which information should be masked with the following properties:
com.denodo.util.audit.config.AuditMaskingConfig.obfuscate.ip
: set tofalse
when you do not want to obfuscate the IP address of the users.com.denodo.util.audit.config.AuditMaskingConfig.obfuscate.user
: set tofalse
when you do not want to obfuscate the user names.com.denodo.util.audit.config.AuditMaskingConfig.obfuscate.auditMask
: set tofalse
when you do not want to obfuscate sensitive properties (mainly, environment dependent properties, such as server uris, host names, ports, etc).com.denodo.util.audit.config.AuditMaskingConfig.obfuscate
:true
will enable all obfuscation (no matter the values from the other properties).false
will disable all obfuscation (no matter the values from the other properties).If not set, the previous properties will control the obfuscation.
Note
Passwords and keytabs will always be masked, regardless of these properties.
To configure how the audit information should be masked, the properties have to be configured in:
In Scheduler
<DENODO_HOME>/conf/scheduler/ConfigurationParameters.properties
.In Data Catalog
<DENODO_HOME>/conf/data-catalog/DataCatalogBackend.properties
.