Use cases and sample payloads
These examples assume that the default action is to ACCEPT an audit and that you want to discard audits conditionally. The rule payloads below cover some of the common use case scenarios.
Discard temporary and test hive_table audits (Nested rules example)
{
    "action":"DISCARD",
    "ruleName":"test_rule_1",
    "ruleExpr":{
        "ruleExprObjList":[
            {
                "typeName":"hive_table",
                "condition":"AND",
                "criterion":[
                    {
                        "operator":"==",
                        "attributeName":"temporary",
                        "attributeValue":"false"
                    },
                    {
                        "condition":"OR",
                        "criterion":[
                            {
                                "operator":"==",
                                "attributeName":"name",
                                "attributeValue":"tmp"
                            },
                            {
                                "operator":"==",
                                "attributeName":"qualifiedName",
                                "attributeValue":"tmp"
                            }
                        ]
                    }
                ]
            }
        ]
    }
}
Discard all audits of a type
{
    "action":"DISCARD",
    "ruleName":"test_rule_1",
    "ruleExpr":{
        "ruleExprObjList":[
            {
                "typeName":"hive_table"
            }
        ]
    }
}
Discard all update audits for all entities
{
    "action":"DISCARD",
    "ruleName":"test_rule_1",
    "ruleExpr":{
        "ruleExprObjList":[
            {
                "typeName":"_ALL_ENTITY_TYPES",
                "operator":"==",
                "attributeName":"operationType",
                "attributeValue":"ENTITY_UPDATE"
            }
        ]
    }
}
Discard all CLASSIFICATION_ADD audits for all entities
{
    "action":"DISCARD",
    "ruleName":"test_rule_1",
    "ruleExpr":{
        "ruleExprObjList":[
            {
                "typeName":"_ALL_ENTITY_TYPES",
                "operator":"==",
                "attributeName":"operationType",
                "attributeValue":"CLASSIFICATION_ADD"
            }
        ]
    }
}
Discard audits for entity DELETE operation types such as ENTITY_DELETE, ENTITY_IMPORT_DELETE, CLASSIFICATION_DELETE, PROPAGATED_CLASSIFICATION_DELETE, and LABEL_DELETE
{
    "desc":"test3",
    "action":"DISCARD",
    "ruleName":"rule123",
    "ruleExpr":{
        "ruleExprObjList":[
            {
                "typeName":"hive_table",
                "condition":"AND",
                "criterion":[
                    {
                        "operator":"contains",
                        "attributeName":"operationType",
                        "attributeValue":"DELETE"
                    }
                ]
            }
        ]
    }
}
Usage of the DELETE API for multiple rules: specify an array of GUIDs, separated by commas, in the payload
URL: api/atlas/admin/audits/rules
Payload: ["477d8fcd-3d89-4c4c-bb91-9586c49fbd19","8b2b37a8-30eb-4510-b19a-589816e45b80"]
Usage of the DELETE API to delete all rules
URL: api/atlas/admin/audits/rules/all
Payload: not required
Discard audits for hive tables where description is null
Payload:
{
    "action": "DISCARD",
    "ruleName": "hiverule3",
    "ruleExpr": {
        "ruleExprObjList": [
            {
                "typeName": "hive_table",
                "includeSubTypes": "false",
                "attributeName": "description",
                "operator": "isNull"
            }
        ]
    }
}
Discard audits of an event for a specific type based on an attribute value
{
    "action":"DISCARD",
    "ruleName":"test_rule_1",
    "ruleExpr":{
        "ruleExprObjList":[
            {
                "typeName":"hive_table",
                "condition":"AND",
                "criterion":[
                    {
                        "operator":"==",
                        "attributeName":"operationType",
                        "attributeValue":"ENTITY_UPDATE"
                    },
                    {
                        "operator":"==",
                        "attributeName":"name",
                        "attributeValue":"employee"
                    }
                ]
            }
        ]
    }
}
Discard audits for all types under a hook type (Regex supported with wildcard character *)
{
    "action":"DISCARD",
    "ruleName":"test_rule_1",
    "ruleExpr":{
        "ruleExprObjList":[
            {
                "typeName":"hive*",
                "operator":"==",
                "attributeName":"operationType",
                "attributeValue":"CLASSIFICATION_ADD"
            }
        ]
    }
}
Discard all audits of a type and its subtypes
{
    "action":"DISCARD",
    "ruleName":"test_rule_1",
    "ruleExpr":{
        "ruleExprObjList":[
            {
                "typeName":"Asset",
                "includeSubTypes":true
            }
        ]
    }
}
CSV of type-names is supported
{
    "action":"DISCARD",
    "ruleName":"test_rule_1",
    "ruleExpr":{
        "ruleExprObjList":[
            {
                "typeName":"hive_table,hbase_table",
                "attributeName":"name",
                "operator":"contains",
                "attributeValue":"test1"
            }
        ]
    }
}
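Every DISCARD rule removes events from the audit trail, so it helps to review a payload before it is submitted. The following Python sketch is an added example, not part of the product or of the original page: it walks the nested ruleExprObjList and criterion structure used in the payloads above and reports rules whose scope is wide or that drop DELETE audits. The finding names and the heuristics behind them are assumptions made for this example.

```python
import json

ALL_TYPES = "_ALL_ENTITY_TYPES"  # catch-all typeName used in the payloads above

def leaf_criteria(node):
    """Yield each attribute test under a rule object, descending nested 'criterion' lists."""
    if "criterion" in node:
        for child in node["criterion"]:
            yield from leaf_criteria(child)
    elif "attributeName" in node:
        yield node

def review_rule(rule):
    """Return (typeName, finding) pairs for one payload. The findings are review
    heuristics assumed for this example; Atlas does not emit them."""
    findings = []
    if rule.get("action") != "DISCARD":
        return findings
    for obj in rule.get("ruleExpr", {}).get("ruleExprObjList", []):
        type_name = obj.get("typeName", "")
        leaves = list(leaf_criteria(obj))
        if not leaves:
            findings.append((type_name, "NO_CRITERIA"))      # every audit of the type is dropped
        if (type_name == ALL_TYPES or "*" in type_name or "," in type_name
                or str(obj.get("includeSubTypes", "")).lower() == "true"):
            findings.append((type_name, "BROAD_SCOPE"))      # more than one type is affected
        for leaf in leaves:
            if (leaf["attributeName"] == "operationType"
                    and "DELETE" in str(leaf.get("attributeValue", ""))):
                findings.append((type_name, "DISCARDS_DELETE"))  # deletions leave no audit
    return findings

# Payloads copied from the use cases above.
NESTED = json.loads('''{"action":"DISCARD","ruleName":"test_rule_1","ruleExpr":{"ruleExprObjList":[
 {"typeName":"hive_table","condition":"AND","criterion":[
  {"operator":"==","attributeName":"temporary","attributeValue":"false"},
  {"condition":"OR","criterion":[
   {"operator":"==","attributeName":"name","attributeValue":"tmp"},
   {"operator":"==","attributeName":"qualifiedName","attributeValue":"tmp"}]}]}]}}''')
DELETES = json.loads('''{"desc":"test3","action":"DISCARD","ruleName":"rule123","ruleExpr":{"ruleExprObjList":[
 {"typeName":"hive_table","condition":"AND","criterion":[
  {"operator":"contains","attributeName":"operationType","attributeValue":"DELETE"}]}]}}''')
SUBTYPES = json.loads('''{"action":"DISCARD","ruleName":"test_rule_1","ruleExpr":{"ruleExprObjList":[
 {"typeName":"Asset","includeSubTypes":true}]}}''')

if __name__ == "__main__":
    for rule in (NESTED, DELETES, SUBTYPES):
        print(rule["ruleName"], review_rule(rule))
```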