Can the ranger audit records that are stored in HDFS be viewed through Ranger Audit UI?

Hi,

I have Ranger 0.5.0.2.3 and HDP 2.3.4. In the Ranger configuration, there is an option to store the Ranger audit records in HDFS. Is it possible to view the audit records that are stored in HDFS through the Ranger UI?

Is it possible to store the audit records just in HDFS (no Solr or DB)? If so, how can I view them, and what should the ranger.audit.source.type property be set to?

Thanks,

Madhavi.

1 ACCEPTED SOLUTION

Hi @Madhavi Amirneni, Yes, it is possible to store audit records only in HDFS, but they cannot be viewed through the Ranger UI. The main reason is that search is not supported. To view records in the UI, a DB or Solr has to be configured and ranger.audit.source.type set to either db or solr. By the way, audit records in HDFS are stored in text files as JSON objects (see a sample below, an audit record for HDFS) and can be explored using another tool. The directories are organized by day, for example: /ranger/audit/hdfs/20160404.

{"repoType":1,"repo":"Sandbox_hadoop","reqUser":"oozie","evtTime":"2016-04-04 01:27:05.123","access":"READ_EXECUTE","resource":"/user/oozie/share/lib","resType":"path","result":1,"policy":7,"reason":"/user/oozie/share/lib","enforcer":"ranger-acl","cliIP":"10.0.2.15","agentHost":"sandbox.hortonworks.com","logType":"RangerAudit","id":"49abe678-ffa7-46cd-ba1f-de85368dd88c","seq_num":81811,"event_count":1,"event_dur_ms":0}
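Since HDFS-only audit has no search in the Ranger UI, the records can be searched offline. The script below is an added example, not part of the original answer and not Ranger code: it parses the one-JSON-object-per-line format shown above and filters by user, outcome, path prefix and time. The function names are hypothetical, sample lines 2 and 3 are constructed, and it assumes result 0 means denied and 1 means allowed.

```python
import json
import sys
from collections import Counter
from datetime import datetime

# Constructed sample input. Line 1 is the record quoted in the answer; line 2
# (a denied write) and line 3 (a truncated line) are made up for this example.
SAMPLE_LINES = [
    '{"repoType":1,"repo":"Sandbox_hadoop","reqUser":"oozie","evtTime":"2016-04-04 01:27:05.123","access":"READ_EXECUTE","resource":"/user/oozie/share/lib","resType":"path","result":1,"policy":7,"reason":"/user/oozie/share/lib","enforcer":"ranger-acl","cliIP":"10.0.2.15","agentHost":"sandbox.hortonworks.com","logType":"RangerAudit","id":"49abe678-ffa7-46cd-ba1f-de85368dd88c","seq_num":81811,"event_count":1,"event_dur_ms":0}',
    '{"repoType":1,"repo":"Sandbox_hadoop","reqUser":"guest","evtTime":"2016-04-04 01:30:11.456","access":"WRITE","resource":"/user/oozie/share/lib","resType":"path","result":0,"cliIP":"10.0.2.15","logType":"RangerAudit","seq_num":81812}',
    '{"repoType":1,"repo":"Sandbox_hadoop","reqUs',
]
EVT_FORMAT = "%Y-%m-%d %H:%M:%S.%f"  # matches evtTime in the sample record
DENIED = 0  # assumption: result 0 = denied, 1 = allowed

def parse_audit(lines):
    """Return (records, skipped): parsed audit objects and the unparseable line count."""
    records, skipped = [], 0
    for line in filter(None, map(str.strip, lines)):
        try:
            rec = json.loads(line)
            rec["evtTime"] = datetime.strptime(rec["evtTime"], EVT_FORMAT)
        except (ValueError, KeyError, TypeError):
            skipped += 1  # torn or non-JSON line: count it instead of aborting
            continue
        records.append(rec)
    return records, skipped

def search(records, user=None, result=None, resource_prefix=None, since=None):
    """Filter records by user, outcome, path prefix and earliest event time."""
    return [
        r for r in records
        if (user is None or r.get("reqUser") == user)
        and (result is None or r.get("result") == result)
        and (resource_prefix is None or str(r.get("resource", "")).startswith(resource_prefix))
        and (since is None or r["evtTime"] >= since)
    ]

def denied_by_user(records):
    """Count denied events per (user, client IP)."""
    return Counter((r.get("reqUser"), r.get("cliIP")) for r in search(records, result=DENIED))

if __name__ == "__main__":
    # e.g. hdfs dfs -cat '/ranger/audit/hdfs/20160404/*' | python this_script.py
    lines = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    records, skipped = parse_audit(lines)
    print(f"{len(records)} records parsed, {skipped} lines skipped")
    for (user, ip), n in denied_by_user(records).most_common():
        print(f"DENIED x{n}: {user} from {ip}")
```

A non-zero skipped count is worth checking, since it means lines in the audit file did not parse as complete records.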

@Predrag Minovic, Thank you for the clarification.

@Madhavi Amirneni, if you like the answer, please consider accepting and/or upvoting it. This is how HCC works: users who ask questions are "awarded" by right answers, users who provide right answers are "awarded" by these upvotes/accepts. Tnx!
