[ https://issues.apache.org/jira/browse/CASSANDRA-12151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16383488#comment-16383488 ]

Stefan Podkowinski commented on CASSANDRA-12151:
------------------------------------------------

[~vinaykumarcse] wrote:

bq. Seems like a complicated configuration, would like to understand the use 
cases more here and see if anyone else needs this functionality. All the 
use cases that I see here are Auditing at the cluster or no auditing, but not 
specific to user. I would love to hear if there are any other users with this 
use case.


Usually you'll see two kinds of users on production systems: privileged users 
and application users. Auditing privileged users (admins or developers) will 
almost always make sense, in order to be able to detect unauthorized access and 
data manipulation. There's only a limited number of statements to log, as these 
will be executed manually. It also shouldn't matter which keyspaces or tables 
are accessed by the user; he is either monitored or not.

However, auditing queries of application users has a very limited security and 
data privacy benefit, but adds a great deal of load to the database. Those 
queries will be automatically generated by the application and there will be no 
way to tell if the query or statement was authorized, as you don't know on 
behalf of whom it was executed. Any auditing functionality for these operations 
must therefore take place at application level. E.g. a help desk tool, which is 
used by a support employee to access personal data of a customer in Cassandra, 
must keep an activity log for that directly. It doesn't make sense to log 
queries for the generic help desk tool Cassandra user on the database side. 
Therefore we need a way to enable CQL query auditing on user level.



> Audit logging for database activity
> -----------------------------------
>
>                 Key: CASSANDRA-12151
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12151
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: stefan setyadi
>            Assignee: Vinay Chella
>            Priority: Major
>             Fix For: 4.x
>
>         Attachments: 12151.txt, 
> DesignProposal_AuditingFeature_ApacheCassandra_v1.docx
>
>
> We would like a way to enable Cassandra to log database activity being done 
> on our server.
> It should show username, remote address, timestamp, action type, keyspace, 
> column family, and the query statement.
> It should also be able to log connection attempts and changes to the 
> user/roles.
> I was thinking of making a new keyspace and inserting an entry for every 
> activity that occurs.
> Then it would be possible to query for specific activity or a query targeting 
> a specific keyspace and column family.


