Ranger plugins send their audit event (whether access was granted or not and based on which policy) directly to the configured sink for audits, which can be HDFS, Solr or both.
Ranger Audit is a highly customizable event queue system which can be tailored to suit the needs of production environments.
When the plugin is enabled AND no specific policy is in place for access to some object, the plugin falls back to enforcing the standard component-level Access Control Lists (ACLs). For HDFS that would be the user : rwx / group : rwx / other : rwx ACLs on folders and files.
Once this fallback to component ACLs happens, the audit events show a ' - ' in the 'Policy ID' column instead of a policy number. If a Ranger policy was in control of allowing/denying the access, the policy number is shown.
Key Things to Remember
1. Access decisions taken by Ranger (to allow / deny a user) are based on a combination of three things:
a. resource - the object that is being accessed
b. user/group - who is trying to access it
c. operation - the action that is being performed
2. The audit decision taken by Ranger (whether to audit or not) is based on the matching resource alone. That is, if there is a policy which enables audit for a certain resource, then the access will be audited irrespective of whether that policy is the one governing the access decision.
3. Based on #1 and #2 above, and depending on policy configuration, it is very much possible that the access decision is taken by policy X while the audit decision is taken by policy Y.
Note : Sometimes this seems confusing, because audit events can show 'X' in the 'Policy ID' column even though audit is disabled for policy X. Remember that the Policy ID column reflects the access decision, while the audit decision may come from another policy.
In the example below, an audit event is captured and the policy ID is '1', even though audit logging is disabled for policy '1'.
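The split between access decision and audit decision described in points #1 to #3 above, as an added, simplified model (not Ranger's own code): access is decided by the first policy matching resource, user/group and operation; audit is decided by any policy matching the resource with audit enabled; with no matching policy the component's own ACL decision is recorded with Policy ID ' - '. Policy and request values are constructed for illustration, and real Ranger evaluation order (deny policies, exclusions, wildcards) is omitted.

```python
from dataclasses import dataclass, field

# Constructed, simplified model of the behaviour described in the text:
# access is decided by the policy matching (resource, user/group, operation);
# audit is decided by ANY policy matching the resource with audit enabled.

@dataclass
class Policy:
    policy_id: int
    resource: str                      # HDFS path the policy covers (and below)
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    accesses: set = field(default_factory=set)   # e.g. {"read", "write"}
    is_allow: bool = True
    audit_enabled: bool = True

@dataclass
class Request:
    resource: str
    user: str
    groups: set
    access: str

def matches_resource(policy, resource):
    # Constructed rule: a policy covers its path and everything beneath it.
    prefix = policy.resource.rstrip("/") + "/"
    return resource == policy.resource or resource.startswith(prefix)

def evaluate(policies, req, component_acl_allows):
    """Return (allowed, policy_id_column, audited).

    policy_id_column is "-" when no Ranger policy decided access and the
    component's own ACLs (e.g. HDFS rwx bits) were used; component_acl_allows
    is that fallback decision, supplied by the component."""
    access_policy = None
    for p in sorted(policies, key=lambda p: p.policy_id):
        if (matches_resource(p, req.resource) and req.access in p.accesses
                and (req.user in p.users or req.groups & p.groups)):
            access_policy = p
            break
    # Point #2: audit depends only on a resource match with audit enabled.
    audited = any(matches_resource(p, req.resource) and p.audit_enabled
                  for p in policies)
    if access_policy is None:
        return component_acl_allows, "-", audited
    return access_policy.is_allow, str(access_policy.policy_id), audited

# Constructed policies: policy 1 grants alice read on /data with audit OFF,
# policy 2 grants the analysts group read/write on /data with audit ON.
POLICIES = [
    Policy(1, "/data", users={"alice"}, accesses={"read"}, audit_enabled=False),
    Policy(2, "/data", groups={"analysts"}, accesses={"read", "write"}),
]
```

For alice reading /data/sales.csv the access is granted by policy 1, yet the event is audited because policy 2 matches the same resource with audit enabled, which is exactly the "Policy ID 1 but audit disabled for 1" situation in the note.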
How to Troubleshoot a Ranger Audit Issue?
Enable debug logging for the Ranger plugin and restart the host service to get the root cause of the error.
To understand the behaviour at a more granular level, enable debug logging for the policyengine and policyevaluator as shown below.
For example (the log4j lines below will differ depending on the host service and the log4j module used by that service):