To configure audit event archiving for Azure through the Cloudera UI, create a new audit archiving credential and then
configure the audit data storage and location.
The process of creating an audit archiving credential is largely the same as creating a
credential for an Azure environment, however, this credential is a unique credential used
solely for audit event archiving.
You must have an Azure resource group as well as an Azure storage account and a
container that will be used to store the audit archive logs. You can use an existing resource
group, storage account, and container, but Cloudera
recommends creating a new storage account and container dedicated to audit archiving. See the
topic Creating ADLS Gen2 storage account and container.Required Role:
PowerUser
- In the left-side navigation menu, click and
then click Create.
- Select the Azure icon.
-
Use the provided command in an Azure shell to identify your subscription ID and tenant
ID:
az account list|jq '.[]|{"name": .name, "subscriptionId": .id, "tenantId": .tenantId, "state": .state}'
- In the corresponding fields, enter the Subscription ID and
Tenant ID that are returned by the command.
- Use the provided command in an Azure shell to register a new application in Azure.
Substitute your application name (whatever you chose to give it), subscription ID,
resource group name, storage account name, and container name where indicated:
az ad sp create-for-rbac \ --name http://{app-name} \ --role "Storage Blob Data Contributor" \ --scopes /subscriptions/{subscriptionId}/resourceGroups/{resource-group-name}/providers/Microsoft.Storage/storageAccounts/{storage-account-name}/blobServices/default/containers/{container-name}
Save the App ID and password from the command output to enter in the Audit Data
Configuration Credential screen.
Alternatively, you can follow steps 1-8 the in topic Create an app-based
credential to register the new app through the Azure portal. When you add a
role assignment, use the more limited "Storage Blob Data Contributor" role.
-
Back in the Cloudera
Audit Data Configuration screen, enter the App
Id and Password in the corresponding fields and click
Create.
-
Configure the audit data location with the path to the ADLS container that you
designated as the audit archive container. Use the following format:
https://<storage-account-name>.blob.core.windows.net/<container-name>
- Select the region where storage services should be accessed.
- Use the toggle button to enable or disable audit log export to the configured
storage location.
- Click Save.
Audit event archiving configuration is complete.