Created on 01-18-2018 07:26 PM - edited on 02-09-2021 09:13 PM by subratadas
Ranger plugins send their audit events (whether access was granted or denied, and by which policy) directly to the configured audit sink, which can be HDFS, Solr, or both.
Ranger Audit is a highly customizable event queue system that can be tailored to suit the needs of production environments.
When the plugin is enabled and no specific policy is in place for access to some object, the plugin falls back to enforcing the standard component-level Access Control Lists (ACLs). For HDFS, those are the user: rwx / group: rwx / other: rwx ACLs on folders and files.
Once this fallback to component ACLs happens, the audit event shows a '-' in the 'Policy ID' column instead of a policy number. If a Ranger policy decided whether to allow or deny the request, that policy's number is shown.
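The following script is an added example, not code from the article or from Apache Ranger. It reads JSON-lines audit events as the HDFS sink stores them and derives the same Policy ID label the Ranger UI shows, so events where the plugin fell back to component ACLs (no policy number) can be separated from events decided by a policy. The sample lines are constructed, and the field names used (reqUser, resource, access, result, policy, enforcer, evtTime, repo) follow Ranger's JSON audit format as assumed here.

```python
"""Classify Ranger audit events from the HDFS sink (JSON lines).

Added example, not code from the article or from Apache Ranger. The sample
lines are constructed; field names follow Ranger's JSON audit format as
assumed here. A negative `policy` value is taken to be the no-policy case
that the Ranger UI renders as '-' in the Policy ID column.
"""
import json
from collections import Counter

# Constructed sample: three events, one JSON object per line, as the HDFS
# plugin would write them to the audit sink.
SAMPLE_AUDIT_LINES = """\
{"repo":"cm_hdfs","reqUser":"alice","evtTime":"2018-01-18 19:26:01.100","access":"READ","resource":"/data/finance/q4.csv","resType":"path","result":1,"policy":42,"enforcer":"ranger-acl","cliIP":"10.0.0.5"}
{"repo":"cm_hdfs","reqUser":"bob","evtTime":"2018-01-18 19:26:02.300","access":"WRITE","resource":"/tmp/scratch","resType":"path","result":1,"policy":-1,"enforcer":"hadoop-acl","cliIP":"10.0.0.7"}
{"repo":"cm_hdfs","reqUser":"mallory","evtTime":"2018-01-18 19:26:03.900","access":"READ","resource":"/data/finance/q4.csv","resType":"path","result":0,"policy":42,"enforcer":"ranger-acl","cliIP":"10.0.0.9"}
"""


def policy_id_label(event):
    """Policy ID as the UI shows it: '-' when the plugin fell back to the
    component ACLs (no matching Ranger policy), else the numeric id."""
    pid = event.get("policy", -1)
    return "-" if pid is None or int(pid) < 0 else str(pid)


def parse_audit_lines(text):
    """Parse JSON-lines audit output, skipping malformed lines instead of
    aborting the whole review."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError as exc:
            print(f"skipping line {lineno}: {exc}")
    return events


def summarize(events):
    """Count events by (what decided the request, allowed/denied) so that
    ACL fallbacks and policy denials stand out."""
    counts = Counter()
    for ev in events:
        label = policy_id_label(ev)
        decided_by = "component-acl" if label == "-" else f"policy {label}"
        outcome = "allowed" if int(ev.get("result", 0)) == 1 else "denied"
        counts[(decided_by, outcome)] += 1
    return counts


def acl_fallback_events(events):
    """Events no Ranger policy covered: candidates for writing a policy."""
    return [ev for ev in events if policy_id_label(ev) == "-"]


if __name__ == "__main__":
    evs = parse_audit_lines(SAMPLE_AUDIT_LINES)
    for (who, outcome), n in sorted(summarize(evs).items()):
        print(f"{who:16} {outcome:8} {n}")
    for ev in acl_fallback_events(evs):
        print("no policy covered:", ev["reqUser"], ev["access"], ev["resource"])
```

Run it against a file copied from the HDFS audit directory by replacing `SAMPLE_AUDIT_LINES` with the file's contents; the fallback list is the quickest way to see which resources are still governed only by component ACLs.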
Key Things to Remember
1. Access decisions taken by Ranger (whether to allow or deny a user) are based on a combination of three things:
resource - what is being accessed
user/group - who is trying to access it
operation - what is being performed
2. The audit decision taken by Ranger (whether to audit or not) is based on a matching resource. That is, if a policy enables audit for a certain resource, the audit is performed regardless of whether that policy governed the access decision.
Based on #1 and #2 above, depending on the policy configuration, it is quite possible that the access decision is taken by policy X while the audit decision is taken by policy Y.
Note: It may seem confusing that audit events show policy X in the Policy ID column even though audit is disabled for X. Remember that the Policy ID column reflects the access decision, while the audit decision comes from another policy.
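The model below is an added example, not code from the article or from Ranger's policy engine; it is a deliberately simplified model of the two rules just stated (access decided by the first policy matching resource, user and operation; audit decided by any policy matching the resource with audit enabled; fallback to component ACLs with a '-' Policy ID when no policy governs access). The policies X and Y and the stand-in ACL function are constructed so that alice's read is allowed by X but audited because of Y.

```python
"""Simplified model of Ranger's separate access and audit decisions.

Added example, not code from the article or from Apache Ranger. Policies X
and Y and the component-ACL stand-in are constructed for illustration.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable, List, Optional, Set


@dataclass
class Policy:
    policy_id: int
    resource: str                                  # path glob, e.g. "/data/finance/*"
    users: Set[str] = field(default_factory=set)
    accesses: Set[str] = field(default_factory=set)
    allow: bool = True                             # allow (True) or deny (False) policy
    audit_enabled: bool = True                     # the policy's audit toggle

    def matches_resource(self, path: str) -> bool:
        return fnmatch(path, self.resource)

    def governs(self, path: str, user: str, access: str) -> bool:
        """True when this policy decides access: resource, user and operation match."""
        return self.matches_resource(path) and user in self.users and access in self.accesses


@dataclass
class Decision:
    allowed: bool
    policy_id_label: str              # what the UI's Policy ID column shows
    audited: bool
    audit_policy_id: Optional[int]    # the policy whose audit flag caused the audit


def evaluate(policies: List[Policy], path: str, user: str, access: str,
             component_acl: Callable[[str, str, str], bool]) -> Decision:
    # Rule 1: the first policy matching resource + user + operation decides access.
    access_policy = next((p for p in policies if p.governs(path, user, access)), None)
    # Rule 2: audit is decided by resource match alone, by any policy with audit on.
    audit_policy = next((p for p in policies
                         if p.matches_resource(path) and p.audit_enabled), None)
    if access_policy is None:
        # No Ranger policy governs this request: fall back to component ACLs,
        # and the audit record carries no policy number.
        allowed = component_acl(path, user, access)
        label = "-"
    else:
        allowed = access_policy.allow
        label = str(access_policy.policy_id)
    return Decision(allowed, label, audit_policy is not None,
                    audit_policy.policy_id if audit_policy else None)


# Constructed policies: X grants alice read on finance data with audit off;
# Y grants bob on the same resource with audit on.
POLICY_X = Policy(1, "/data/finance/*", {"alice"}, {"read"}, audit_enabled=False)
POLICY_Y = Policy(2, "/data/finance/*", {"bob"}, {"read", "write"}, audit_enabled=True)
POLICIES = [POLICY_X, POLICY_Y]


def hdfs_like_acl(path: str, user: str, access: str) -> bool:
    """Constructed stand-in for component ACLs: only /tmp is open to everyone."""
    return path.startswith("/tmp/")


if __name__ == "__main__":
    for who, op, path in [("alice", "read", "/data/finance/q4.csv"),
                          ("carol", "read", "/data/finance/q4.csv"),
                          ("carol", "write", "/tmp/scratch")]:
        d = evaluate(POLICIES, path, who, op, hdfs_like_acl)
        print(f"{who:6} {op:5} {path:22} allowed={d.allowed!s:5} "
              f"policyId={d.policy_id_label:2} audited={d.audited!s:5} via={d.audit_policy_id}")
```

The first case is the one the note describes: the audit row shows Policy ID 1 (policy X, which has audit disabled) because X made the access decision, while the event exists at all only because Y has audit enabled for the same resource.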
How to Troubleshoot Ranger Audit issue?
Enable debug logging for the Ranger plugin and restart the host service to get to the root cause of the error.
For more granular detail on how policies are matched, enable debug logging for the policy engine and policy evaluator classes as follows:
Example:
The following log4j lines will change based on the host service and log4j module used in that service: