Ranger plugins send their audit events (whether access was granted or denied, and which policy the decision was based on) directly to the configured audit sink, which can be HDFS, Solr or both.

Ranger Audit is a highly customizable event queue system that can be tailored to the needs of production environments.

When the plugin is enabled and no specific policy is in place for access to some object, the plugin falls back to enforcing the component's standard Access Control Lists (ACLs). For HDFS, those are the user: rwx / group: rwx / other: rwx permissions on folders and files.

Once this fall-back to component ACLs happens, the audit events show a ‘-’ in the ‘Policy ID’ column instead of a policy number. If a Ranger policy was in control of allowing or denying the access, that policy's number is shown.

Key Things to Remember

  • Access decisions taken by Ranger (to allow or deny a user) are based on a combination of three things:
    • resource - the object that is being accessed
    • user/group - who is trying to access it
    • operation - what is being performed on it
  • The audit decision taken by Ranger (whether to audit or not) is based on the matching resource alone. That is, if there is a policy that enables audit for a certain resource, the audit will be performed irrespective of whether that policy governed the access decision or not.
  • Given #1 and #2 above, depending on the policy configuration, it is very much possible that the access decision is taken by policy X while the audit decision is taken by policy Y.

Note: It may seem confusing that audit events show policy X in the Policy ID column even though audit is disabled for X. Remember that the Policy ID column reflects the policy that made the access decision, while the audit decision may come from another policy.
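The following is an added illustration of the two separate decisions described above, written for this article; it is not Apache Ranger code. The policies, users, HDFS permissions and matching rules are constructed and simplified: policies are evaluated in id order, only allow rules exist, and a resource that no policy covers is audited by default (an assumption). Policy 10 grants alice read on /data with audit disabled; policy 20 covers /data/finance with audit enabled. When alice reads /data/finance/q1.csv, the Policy ID column shows 10 while the audit itself is switched on by policy 20, which is exactly the case in the note above. Requests that no policy grants fall back to the POSIX bits and are recorded with '-' as the policy id.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple, Union


@dataclass
class Policy:
    policy_id: int
    resource: str        # HDFS path the policy covers (recursively)
    users: Set[str]      # users granted the accesses below
    accesses: Set[str]   # subset of {"read", "write", "execute"}
    audit_enabled: bool  # the policy's "Audit Logging" toggle

    def covers(self, path: str) -> bool:
        base = self.resource.rstrip("/")
        return base == "" or path == base or path.startswith(base + "/")

    def grants(self, user: str, access: str) -> bool:
        return user in self.users and access in self.accesses


@dataclass
class AuditEvent:
    user: str
    resource: str
    access: str
    result: str                      # "Allowed" or "Denied"
    policy_id: Union[int, str]       # the "Policy ID" column: a number or "-"
    audit_policy_id: Optional[int]   # policy that switched auditing on (None = default)


# Constructed HDFS metadata for the example: path -> (owner, group, POSIX mode).
HDFS_ACLS: Dict[str, Tuple[str, str, str]] = {
    "/data/finance/q1.csv": ("carol", "finance", "rw-r-----"),
}
GROUPS: Dict[str, Set[str]] = {"finance": {"carol", "erin"}}


def hdfs_acl_allows(user: str, path: str, access: str) -> bool:
    """Component-level fallback: plain owner/group/other permission bits."""
    if path not in HDFS_ACLS:
        return False
    owner, group, mode = HDFS_ACLS[path]
    if user == owner:
        perms = mode[0:3]
    elif user in GROUPS.get(group, set()):
        perms = mode[3:6]
    else:
        perms = mode[6:9]
    return {"read": "r", "write": "w", "execute": "x"}[access] in perms


def evaluate(user: str, path: str, access: str,
             policies: List[Policy]) -> Optional[AuditEvent]:
    """Return the audit event the plugin would emit, or None if not audited."""
    matching = [p for p in sorted(policies, key=lambda p: p.policy_id)
                if p.covers(path)]

    # Access decision: first covering policy that grants the request;
    # otherwise fall back to the component ACLs and report "-" as the policy.
    access_policy = next((p for p in matching if p.grants(user, access)), None)
    if access_policy is not None:
        allowed: bool = True
        policy_col: Union[int, str] = access_policy.policy_id
    else:
        allowed = hdfs_acl_allows(user, path, access)
        policy_col = "-"

    # Audit decision: any covering policy with audit enabled, regardless of
    # which policy decided access. No covering policy at all -> audit by default
    # (assumption made for this example).
    audit_policy = next((p for p in matching if p.audit_enabled), None)
    if audit_policy is None and matching:
        return None
    return AuditEvent(user, path, access,
                      "Allowed" if allowed else "Denied",
                      policy_col,
                      audit_policy.policy_id if audit_policy else None)


# Constructed policies: 10 decides access for alice but audits nothing;
# 20 audits everything under /data/finance.
POLICIES = [
    Policy(10, "/data", {"alice"}, {"read"}, audit_enabled=False),
    Policy(20, "/data/finance", {"bob"}, {"read"}, audit_enabled=True),
]

REQUESTS = [
    ("alice", "/data/finance/q1.csv", "read"),   # access by 10, audit by 20
    ("alice", "/data/hr/salaries.csv", "read"),  # access by 10, not audited
    ("carol", "/data/finance/q1.csv", "read"),   # ACL fallback, owner bits
    ("dave", "/data/finance/q1.csv", "write"),   # ACL fallback, denied
]


def run_demo() -> List[Optional[AuditEvent]]:
    return [evaluate(u, p, a, POLICIES) for (u, p, a) in REQUESTS]


if __name__ == "__main__":
    print(f"{'user':6} {'resource':24} {'access':6} {'result':8} {'policy':7} audited-by")
    for (u, p, a), ev in zip(REQUESTS, run_demo()):
        if ev is None:
            print(f"{u:6} {p:24} {a:6} {'(not audited)'}")
        else:
            print(f"{u:6} {p:24} {a:6} {ev.result:8} {str(ev.policy_id):7} "
                  f"{ev.audit_policy_id if ev.audit_policy_id else 'default'}")
```

Running the script prints one row per request; the first row carries policy 10 in the policy column even though policy 10 has audit logging off, and the second row is absent from the audit trail because no policy with auditing enabled covers /data/hr.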

How to Troubleshoot Ranger Audit Issues

  • Enable Ranger plugin debug logging and restart the host service to get to the root cause of the error.
  • For more granular behaviour, also enable debug logging for the policy engine and policy evaluator, as follows:

Example:

The following log4j lines will change based on the host service and the log4j module used in that service (the HBase plugin is shown here):

log4j.logger.org.apache.ranger.authorization.hbase=DEBUG
log4j.logger.org.apache.ranger.plugin.policyengine=DEBUG
log4j.logger.org.apache.ranger.plugin.policyevaluator=DEBUG