Support Questions

Find answers, ask questions, and share your expertise

Can the ranger audit records that are stored in HDFS be viewed through Ranger Audit UI?

avatar
Contributor

Hi,

I have Ranger 0.5.0.2.3 and HDP 2.3.4. In the Ranger configuration, there is option to store the Ranger audit records to HDFS. Is it possible to view the audit records that are stored in HDFS through the Ranger UI?

Is it possible to store the audit records to just in HDFS (No Solr, or DB), if so how to view them and what should I be setting the ranger.audit.source.type property be set to?

Thanks,

Madhavi.

1 ACCEPTED SOLUTION

avatar
Master Guru

Hi @Madhavi Amirneni, Yes, it is possible to store audit records only in HDFS but they cannot be viewed through Ranger UI. The main reason is that search is not supported. To view records in UI, a DB or Solr have to be configured and ranger.audit.source.type set to either db or solr. By the way, audit records in HDFS are stored in text files, as Json objects, see a sample below (audit for HDFS), and can be explored using another tool. The directories are organized by day, for example: /ranger/audit/hdfs/20160404.

{"repoType":1,"repo":"Sandbox_hadoop","reqUser":"oozie","evtTime":"2016-04-04 01:27:05.123","access":"READ_EXECUTE","resource":"/user/oozie/share/lib","resType":"path","result":1,"policy":7,"reason":"/user/oozie/share/lib","enforcer":"ranger-acl","cliIP":"10.0.2.15","agentHost":"sandbox.hortonworks.com","logType":"RangerAudit","id":"49abe678-ffa7-46cd-ba1f-de85368dd88c","seq_num":81811,"event_count":1,"event_dur_ms":0}

View solution in original post

3 REPLIES 3

avatar
Master Guru

Hi @Madhavi Amirneni, Yes, it is possible to store audit records only in HDFS but they cannot be viewed through Ranger UI. The main reason is that search is not supported. To view records in UI, a DB or Solr have to be configured and ranger.audit.source.type set to either db or solr. By the way, audit records in HDFS are stored in text files, as Json objects, see a sample below (audit for HDFS), and can be explored using another tool. The directories are organized by day, for example: /ranger/audit/hdfs/20160404.

{"repoType":1,"repo":"Sandbox_hadoop","reqUser":"oozie","evtTime":"2016-04-04 01:27:05.123","access":"READ_EXECUTE","resource":"/user/oozie/share/lib","resType":"path","result":1,"policy":7,"reason":"/user/oozie/share/lib","enforcer":"ranger-acl","cliIP":"10.0.2.15","agentHost":"sandbox.hortonworks.com","logType":"RangerAudit","id":"49abe678-ffa7-46cd-ba1f-de85368dd88c","seq_num":81811,"event_count":1,"event_dur_ms":0}

avatar
Contributor

@Predrag Minovic, Thank you for the clarification.

avatar
Master Guru

@Madhavi Amirneni, if you like the answer please consider to accept and/or upvote it. This is how HCC works: users who ask questions are "awarded" by right answers, users who provide right answers are "awarded" by this upvotes/accepts. Tnx!