Support Questions

Find answers, ask questions, and share your expertise

Ranger HDFS Audit with Ranger HDFS Plugin

avatar
Contributor

Hi, I'm confused why Ambari needs to start Ranger-Admin before HDFS. Why is there no dependency issue if HDFS is used as Ranger audit sink and HDFS is also acl controlled by Ranger? Can HDFS be started before Ranger, if HDFS plugin is enabled or will HDFS Ranger plugin acls break? I'm wondering why HDFS isn't started before Ranger when its used as Ranger's audit sink. Thanks.

1 ACCEPTED SOLUTION

avatar
Super Collaborator

Ranger audits the hdfs files and folders for which there is policy to audit, other request falls back to HDFS acl. Audit folders in hdfs for ranger audits are owned by respective component's super user ( when enabling plugin it gets created accordingly) and it has necessary hdfs acl to create the audit logs. Hence there is no circular dependency on this to audit back all the audits written into HDFS.

As far as I know you can also start Ranger after HFDS is available, only thing while starting HDFS via Ambari, start service does checks which might take sometime before it come up, there is no relation to HDFS being Ranger's audit sink.

View solution in original post

1 REPLY 1

avatar
Super Collaborator

Ranger audits the hdfs files and folders for which there is policy to audit, other request falls back to HDFS acl. Audit folders in hdfs for ranger audits are owned by respective component's super user ( when enabling plugin it gets created accordingly) and it has necessary hdfs acl to create the audit logs. Hence there is no circular dependency on this to audit back all the audits written into HDFS.

As far as I know you can also start Ranger after HFDS is available, only thing while starting HDFS via Ambari, start service does checks which might take sometime before it come up, there is no relation to HDFS being Ranger's audit sink.