Stefan Podkowinski commented on CASSANDRA-12151:

[~vinaykumarcse] wrote:

bq. Seems like a complicated configuration, would like to understand the use 
cases more here and see if anyone else needs this functionality. All the 
usecases that I see here are Auditing at the cluster or no auditing, but not 
specific to user. I would love to hear if there are any other users with this 

Usually you'll see two kind of users on production systems: privileged users 
and application users. Auditing privileged users (admins or developers) will 
almost always make sense, in order to be able to detect unauthorized access and 
data manipulation. There's only a limited amount of statements to log, as these 
will be executed manually. It also shouldn't matter which keyspaces or tables 
are access by the users; he is either monitored or not.

However, auditing queries of application users has a very limited security and 
data privacy benefit, but adds a great deal of load to the database. Those 
queries will be automatically generated by the application and there will be no 
way to tell if the query or statement was authorized, as you don't know on 
behalf of whom it was executed. Any auditing functionality for these operations 
must therefor take place at application level. Eg. a help desk tool, which is 
used by a support employee to access personal data of a customer in Cassandra, 
must keep an activity log for that directly. It doesn't make sense to log 
queries for the generic help desk tool Cassandra user on the database side. 
Therefor we need a way to enable CQL query auditing on user level.

> Audit logging for database activity
> -----------------------------------
>                 Key: CASSANDRA-12151
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12151
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: stefan setyadi
>            Assignee: Vinay Chella
>            Priority: Major
>             Fix For: 4.x
>         Attachments: 12151.txt, 
> DesignProposal_AuditingFeature_ApacheCassandra_v1.docx
> we would like a way to enable cassandra to log database activity being done 
> on our server.
> It should show username, remote address, timestamp, action type, keyspace, 
> column family, and the query statement.
> it should also be able to log connection attempt and changes to the 
> user/roles.
> I was thinking of making a new keyspace and insert an entry for every 
> activity that occurs.
> Then It would be possible to query for specific activity or a query targeting 
> a specific keyspace and column family.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

Reply via email to