diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
index c115820ab392..c8b56fb463db 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
@@ -335,6 +335,8 @@ public class MasterRpcServices extends RSRpcServices implements
     MasterService.BlockingInterface, RegionServerStatusService.BlockingInterface,
     LockService.BlockingInterface, HbckService.BlockingInterface {
   private static final Logger LOG = LoggerFactory.getLogger(MasterRpcServices.class.getName());
+  private static final Logger AUDITLOG =
+    LoggerFactory.getLogger("SecurityLogger."+MasterRpcServices.class.getName());
 
   private final HMaster master;
 
@@ -2542,6 +2544,13 @@ public GrantResponse grant(RpcController controller, GrantRequest request)
       if (master.cpHost != null) {
         master.cpHost.postGrant(perm, mergeExistingPermissions);
       }
+      User caller = RpcServer.getRequestUser().orElse(null);
+      if (AUDITLOG.isTraceEnabled()) {
+        // audit log should store permission changes in addition to auth results
+        String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
+        AUDITLOG.trace("User {} (remote address: {}) granted permission {}", caller, remoteAddress,
+          perm);
+      }
       return GrantResponse.getDefaultInstance();
     } catch (IOException ioe) {
       throw new ServiceException(ioe);
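Review bot: The audit line for grant omits `mergeExistingPermissions`, so the record cannot distinguish a grant that replaced the caller's existing permissions from one that merged with them, although the hunk passes that flag to `postGrant` two lines earlier; include it, e.g. `AUDITLOG.trace("User {} (remote address: {}) granted permission {} (mergeExistingPermissions={})", caller, remoteAddress, perm, mergeExistingPermissions);`. The `caller` lookup sits above the `isTraceEnabled()` guard but is only used inside it, and `orElse(null)` makes an unauthenticated request appear in the audit record as the literal `null`, which deserves an explicit marker rather than a bare null. These events are written at TRACE, so they are dropped unless the `SecurityLogger.*` logger is configured at that level; that matches the existing auth-result audit convention, but grant/revoke are rare, high-value changes and are worth keeping regardless of trace settings. The same seven lines reappear in the revoke hunk at `@@ -2563,6 +2572,13 @@`; a private helper, sketched below, keeps the two in sync and gives each method's `catch (IOException ioe)` branch a place to record the failed attempt, which neither hunk audits today. grant's body begins before this hunk.
```java
      // … unchanged: postGrant call …
      auditPermissionChange("granted", perm, "mergeExistingPermissions=" + mergeExistingPermissions);
      return GrantResponse.getDefaultInstance();
      // … unchanged: catch block …

  /** Records a permission change on the security audit logger (caller, remote address, what changed). */
  private static void auditPermissionChange(String action, Object permission, String detail) {
    if (AUDITLOG.isTraceEnabled()) {
      User caller = RpcServer.getRequestUser().orElse(null);
      String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
      AUDITLOG.trace("User {} (remote address: {}) {} permission {} {}", caller, remoteAddress,
        action, permission, detail);
    }
  }
```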
@@ -2563,6 +2572,13 @@ public RevokeResponse revoke(RpcController controller, RevokeRequest request)
       if (master.cpHost != null) {
         master.cpHost.postRevoke(userPermission);
       }
+      User caller = RpcServer.getRequestUser().orElse(null);
+      if (AUDITLOG.isTraceEnabled()) {
+        // audit log should record all permission changes
+        String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
+        AUDITLOG.trace("User {} (remote address: {}) revoked permission {}", caller, remoteAddress,
+          userPermission);
+      }
       return RevokeResponse.getDefaultInstance();
     } catch (IOException ioe) {
       throw new ServiceException(ioe);