Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Is there a way to find the person who deleted a directory on HDFS?

Labels:
avatar
author-rank t_sankar85
Contributor

Created ‎01-19-2017 01:37 PM

 
7,936 Views
0 Kudos
5 REPLIES 5

avatar
author-rank rguruvannagari author-rank
Super Collaborator

Created ‎01-19-2017 01:38 PM

@Sankar T

hdfs-audit.log will have that info.

6,190 Views
0 Kudos

avatar
author-rank tstebbens
Expert Contributor

Created ‎01-19-2017 01:43 PM

@Sankar T Also Ranger audit logs if you have it installed and have the HDFS plugin enabled. In general if you're worried about who does what on your system then you should consider using Ranger at least and possibly Atlas as well.

6,190 Views
0 Kudos

avatar
author-rank stevel author-rank
Guru

Created ‎01-20-2017 02:12 PM

..and if it was done from the command line, it shouldn't have been deleted, it should have been moved to the .Trash folder of the user

6,190 Views
0 Kudos

avatar
author-rank nshetty author-rank
Rising Star

Created ‎03-09-2017 05:18 PM

@Sankar T

You can see /grid/0/log/hdfs/hdfs/hdfs-audit.log(if ambari installed cluster) for finding who deleted the directory or file in hdfs

2017-03-09 00:04:18,495 INFO FSNamesystem.audit: allowed=true ugi=ambari-qa-cl1@EXAMPLE.COM (auth:KERBEROS) ip=/172.xx.xx.xx      cmd=delete src=/tmp/hive/ambari-qa/388b15de-5e3f-4b7a-8069-d939b64e513e dst=null perm=null proto=rpc
6,190 Views

avatar
author-rank sze
Rising Star

Created ‎03-13-2017 06:49 PM

Yes, the audit log will serve the purpose. Note that, in some cases, it is not straightforward to search the log for deletion since a directory (or a file) may not be deleted directly -- it may be deleted as a part of the deletion of its parent/ancestor directory. So we should first search the full path in the log. If it is not found, search the parent directory path and so on.

It will be more complicated if deletion and re-creation occurred repeatedly. For example

1) user A: create /foo

2) user A: create /foo/bar

3) user A: del /foo

4) user B: create /foo

5) user B: del /foo

Who has deleted /foo/bar? It is easy to mistakenly take user B as the answer. B is the last user deleted foo but B is not the user deleted /foo/bar. In such case, we should first determine when the target directory/file is created and then search what happened of it starting from the creation time.

You can imagine that it is even harder to find out the correct answer if the path or the parent/ancestor paths are moved/renamed. We need to pay extra attention if the rename operation is involved.

6,190 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements