Created 02-08-2016 07:08 PM
Hi,
Trying to enable Ranger audit through solr on a non-kerborized cluster.
Not able to get the audits written to Solr.
Is kerborization a must for Solr Ranger to work?
How can I get it working?
Created 02-08-2016 07:10 PM
Yes you need Kerberos for Ranger to manage Solr.
See also
https://community.hortonworks.com/articles/15159/securing-solr-collections-with-ranger-kerberos.html
(Updated)
Or are you referring to Solr Auditing for Ranger. In that case you do not need Kerberos.
For Solr Audit see the following:
If you did the necessary install and Solr audits are not showing, I had a case where I did a ps -ef | ranger and it was running under the wrong uid. I had to kill it first and then restart from Ambari to get the Solr audits to work.
Created 02-08-2016 07:10 PM
Yes you need Kerberos for Ranger to manage Solr.
See also
https://community.hortonworks.com/articles/15159/securing-solr-collections-with-ranger-kerberos.html
(Updated)
Or are you referring to Solr Auditing for Ranger. In that case you do not need Kerberos.
For Solr Audit see the following:
If you did the necessary install and Solr audits are not showing, I had a case where I did a ps -ef | ranger and it was running under the wrong uid. I had to kill it first and then restart from Ambari to get the Solr audits to work.
Created 02-08-2016 07:19 PM
Ok, thank you for the response. For enabling Solr Audit, can you give me the link?
Are you talking about the link --
and then the link below:
?
If so, after performing the steps mentioned in the above, I do not see any thing in the Ranger Audit - "Access" tab. Is that the expected behavior?
Created on 02-08-2016 07:30 PM - edited 08-19-2019 02:25 AM
I recommend doing the Solr Standalone. I have always had an issue with Solr Cloud for Ranger Auditing.
Are you sure in Advanced ranger-admin-site everything is set appropriately?
ranger.audit.source.type = solr ranger.audit.solr.urls = http://solr_host:6083/solr/ranger_audits ranger.audit.solr.username = ranger_solr ranger.audit.solr.password = NONE
If you are using the HDFS or Hive plug in did you turn Auri to Solr on?
Created 02-08-2016 08:17 PM
Yes, I have set up the SolrCloud following the document link that I pasted earlier. And then in the Ambari Ranger configuration, enabled SolrAudit ("Audit to Solr" ie. xasecure.audit.destination.solr).
The configuration set to
ranger.audit.solr.urls = http://solr_host:6083/solr/ranger_audits
But once, I enabled SolrCloud ie. (is_SolrCloud_enabled) , then the property changed to be
ranger.audit.solr.urls = solr_host:2181/ranger_audits
Is this the correct behavior? I have the other properties as you mentioned.
Can I just have just SolrAudit ("Audit to Solr") enabled, and not have solrCloud?
Created 07-22-2016 06:17 AM
@Ancil McBarnett: I also have requirement where i want to secure solr with Ranger but I don't have kerberos env. So is it possible to secure with Rnager without kerberos ?
Created 07-23-2016 07:50 PM
Let me try to explain how security works from a high level and why Ranger without Kerberos is useless.
Kerberos is what is used by many applications to authenticate a user. That is, to verify that the user is exactly who he says he is. Ranger is used as a next step in security. That is once you know, let's say a user name Alex is actually 'Alex', then does Alex have permissions to view a particular set of data. That is the job of Ranger. It enforces policies for users who have been authenticated.
Authentication of whether a user is actually who he says he is, is done by Kerberos. Without Kerberos you don't even know, if Alex is actually Alex. That's why there is no point in trying to enforce using Ranger a policy that Alex cannot access certain datasets or doing an audit on what Alex did when he logged in. Without Kerberos you are not even sure, was it really Alex, when someone named Alex logged in. Authorization and audit are pretty much useless at that point and that's why you need a Kerberized cluster before you enable authorization/auditing using Ranger.
Created 07-24-2016 05:22 AM
Thanks @mqureshi. I understood your point and agree kerberos is always best option to secure cluster. But I am looking an alternative which I can use to secure solr like knox with ranger or something else. So do we have any alternative ?