question Re: In Apache Ranger, Audit logging not working for superuser only in Support Questions

In Apache Ranger, Audit logging not working for superuser only

eddy28 — Wed, 21 Aug 2024 18:17:50 GMT

Hi Everyone,

I’m new to Apache Ranger. I’ve created an HDFS policy and configured it to store audit logs in Solr. When I create or delete directories in HDFS, the audit logs are generated and visible in the Ranger UI. However, when I perform operations as the superuser (hdfs), no audit logs are generated.

As shown in below screenshot, rangertest1 and rangertest2 users audit logs are shown on UI. But any operations performed using hdfs user, those logs not going in Audit DB.

Does Ranger not support audit logging for superuser actions?
I have already checked all the configs and there are no exclusions to any user.

Best regards,
Aditya

Re: In Apache Ranger, Audit logging not working for superuser only

DianaTorres — Wed, 21 Aug 2024 18:53:03 GMT

@eddy28 Welcome to the Cloudera Community!

To help you get the best possible solution, I have tagged our Ranger experts @Atahar @vamsi_redd @Puni who may be able to assist you further.

Please keep us updated on your post, and we hope you find a satisfactory solution to your query.

Re: In Apache Ranger, Audit logging not working for superuser only

vats — Wed, 21 Aug 2024 20:48:00 GMT

@eddy28

If you are performing operations as the superuser (hdfs) and no audit logs are generated, it is likely because the superuser is bypassing the HDFS permissions and Ranger policies. The superuser has administrative privileges and can perform any action in HDFS without being subject to the policies defined in Ranger.

By default, HDFS does not generate audit logs for actions performed by the superuser. If you want to track the activities of the superuser, you can enable audit logging specifically for the superuser.

Re: In Apache Ranger, Audit logging not working for superuser only

eddy28 — Thu, 22 Aug 2024 07:15:22 GMT

Hi @vats ,

Thanks for your quick reply.

I have already tried below steps, but still not able to get audit logs for superuser.
1.) Added Audit filter:-

2.) Gave allow permission in Ranger policy.

Is there anything else I need to follow to enable audit logging specifically for the superuser.

Regards,

Aditya

Re: In Apache Ranger, Audit logging not working for superuser only

vats — Thu, 22 Aug 2024 11:46:26 GMT

@eddy28

To enable audit logging for superuser actions, you need to update the HDFS configuration. Follow these steps:

Open the hdfs-site.xml file in the Hadoop configuration directory ($HADOOP_HOME/etc/hadoop).

Add the following properties to enable audit logging for superuser actions:

<property> <name>dfs.namenode.inode.attributes.provider.class</name> <value>org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer</value> </property> <property> <name>ranger.plugin.hdfs.service.name</name> <value>hadoopdev</value>  </property>

Save the changes and restart the HDFS service for the new configuration to take effect.

With this configuration, the superuser actions should generate audit logs, which will be visible in the Ranger UI alongside other HDFS actions.

Note-Please test this configuration with you uat cluster

Re: In Apache Ranger, Audit logging not working for superuser only

eddy28 — Thu, 22 Aug 2024 19:50:04 GMT

Hi @vats ,
I have tried it, but still no luck.

Regards,

Aditya

Re: In Apache Ranger, Audit logging not working for superuser only

vats — Fri, 23 Aug 2024 08:46:13 GMT

@eddy28

Have you configured this property properly
"<name>ranger.plugin.hdfs.service.name</name> <value>hadoopdev</value>  "
Do you have any exception after configuring the suggested property?

Re: In Apache Ranger, Audit logging not working for superuser only

eddy28 — Fri, 23 Aug 2024 09:50:57 GMT

Hi @vats ,

Yes I have added configs properly. Kindly see the screenshot below:

My service name is also hadoopdev

Regards,

Aditya