Created on 03-21-2017 08:30 PM - edited 08-18-2019 03:58 AM
Hi there,
In my work place, HDFS plugin for Ranger has been enabled. I created a policy for the source in hdfs /tmp/ranger_test(which has access permission 400 in HDFS). I can see that the policy has been synced in ranger Plugins tab. But, It is not showing up any audit logs and it does not enforce the ranger policy while accessing the directory in hdfs.
For your information, the audit log is enabled.
Don't know the reason why it does not work in the way i expected.
No audit logs are displayed in ranger Audit tab. But audit are enable for hdfs to solr.
Please let me know what would be the reason and how to troubleshoot it.
Thanks,
kJ
Created 03-21-2017 08:56 PM
Below is one doc for Enabling Audit Logging for HDFS and Solr:
Created 03-21-2017 09:13 PM
What version of HDP are you using?
Do you see any error on the hdfs name node?
Created 03-22-2017 12:57 AM
Hi vperiasamy and Namit Maheshwari,
Thank you very much for your reply. We are using HDP 2.5.3.
I am not seeing any error. The interesting thing is,
jkris03 is the owner of the directory with permission 400 in HDFS. But, when i tried to copy a file to the directory, it gave error like permission denied. But, the user rkurumb(my colleague) could able to copy file to the directory and i checked with other user(ftam) and he also got permission denied error. Since, there is no audit log, i could not see whether the ranger acl or hadoop acl is being enforced. We use Active Directory and it is synced with Apache Ranger. The group name i have used here is of Active Directory.
Created on 03-22-2017 07:17 AM - edited 08-18-2019 03:58 AM
can you please check if you configured hdfs in ranger.audit.source.type. it should work after configuring it.
Created 03-22-2017 01:33 PM
Hi Deepak,
Thanks for your reply. But, the parameter has already been configured.
For your infor, for hive plugin, it works well(audit source is solr).
But, for hdfs , i can see the log in "Admin" tab if i update the policy and the "Plugin" tab says the policy is synced. But
in the "Access" tab, i am not seeing any audits.
Note that, for the same service(hdfs) , I am seeing audits for other source but not mine(/tmp/ranger_test) .
Created 03-22-2017 01:50 PM
ok , sorry i had misunderstood your question, So I think you are seeing audits for some of the hdfs operation on other resource but not for /tmp/ranger_test.
can you please check namenode logs, for the time when you performed operation , was there any error at that time in posting the logs to solr.
Created on 03-22-2017 02:44 PM - edited 08-18-2019 03:58 AM
Now, it behaves differently. I updated the same policy. But still getting error while accessing the directory in hdfs. I think, the policy is not enforced. In the updated policy, there is no exclude condition, only the user jkris03 is allowed for the permission. Also, please look at the audits for the same service but the source is different. However, for the source datameer also, the ranger policy is not working, but we can see the audits. But, for my source, It is not displaying the audits too.
Created 03-22-2017 04:32 PM
Hi everyone,
The logs are already displayed in the audits tab. The reason why i could not see is because of the"EventTime". The EventTime and Updated Time are not synced. That's why it is not showing the correct screen(i.e., latest logs). Then,i filtered logs based on source type and i could see my logs. However, I am getting different issue.
Thank you guys for your time.
Created 03-28-2017 02:38 AM
EventTime timezone fix is available in Ranger 0.7.0. https://issues.apache.org/jira/browse/RANGER-1249