Created 03-23-2016 03:45 PM
Hello,
I have a fresh installation of HDP2.2.4 including Ranger 0.4
After enabling and configuring HDFS policy, that policy is getting applied, but I have no entries in the Audit=>Access tab of Ranger UI, it is empty, even after waiting for some minutes and triggering several actions. In the Audit=>Agents tab I can see all the HDFS/Hive/HBase agents connected.
Where can I check what is going wrong here?
Thanks...
Created 03-23-2016 04:58 PM
Make sure the Audit Source is set to DB in Ambari (see Ranger configuration). Also could you check if the database (mysql?) contains any audit entries?
Created on 03-23-2016 06:30 PM - edited 08-19-2019 01:16 AM
Hi @Jonas Straub , thanks for answering.
Yep, audit-to-db is marked in the HDFS Ranger plugin config. I checked MySQL directly as user 'rangeradmin', but the table xa_access_audit is empty.
These are the settings for Ranger MySQL in Ambari =>
Created 03-23-2016 07:21 PM
@Gerd Koening, check in Ranger -> Config -> Advanced ranger-admin-site: ranger.audit.source.type = db
Do you see any exception in the namenode log related to Ranger auditing? Also check that the policy has audit enabled. Also, the HDFS operation you are doing should be for resources which are in the policy.
Created 03-24-2016 08:37 AM
Hi @Ramesh Mani , many thanks.
In my Ambari version (2.1.2.1, Ranger 0.4, HDP2.2.4) I cannot find that property in the Ranger config. There is just "advanced ranger-site", but there is no property "ranger.audit.source.type" there either.
The only place where I can configure where to log is the policy configuration itself, like in HDFS => "advanced ranger-hdfs-plugin-configuration", where I marked the checkbox "Audit to DB".
The namenode log seems to be the correct hint; there I saw DB errors like "connection refused", so I have to investigate that. I think it is more of a MySQL problem now, not really a Ranger issue... I will catch up on this after the long weekend...
Created 03-26-2016 10:34 AM
Hi @Jonas Straub , Hi @Ramesh Mani ,
I just wanted to update with the solution to that issue. In the end it turned out that after the Ambari upgrade (from 2.0.1 initially to Ambari 2.1.2.1), the placeholder variables were not set/applied correctly via Ambari. In HDFS => advanced ranger-plugin config there were variables like {{xaaudit_db_XYZ}}, and I replaced those with their real values (xaaudit.db.username, xaaudit.db.database, xaaudit.db.password, ...), restarted HDFS, and now the audit log entries are being written.
Regards, Gerd
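
A check for the failure described in the solution above, as an added example that is not part of the original thread: it scans a Hadoop-style XML config for `{{...}}` template variables that were never substituted, the condition that left the audit writer without working DB settings. The sample document, its property names and its variable names are constructed assumptions; pass the paths of your own plugin config files as arguments.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Ambari template variables look like {{name}}; one surviving into a deployed
# config means the value was never substituted.
PLACEHOLDER = re.compile(r"\{\{\s*([^{}]+?)\s*\}\}")

# Constructed sample in Hadoop XML config layout. Property and variable names
# are illustrative assumptions, not copied from a real cluster.
SAMPLE = """<configuration>
  <property><name>xasecure.audit.db.is.enabled</name><value>true</value></property>
  <property><name>xasecure.audit.jpa.javax.persistence.jdbc.url</name>
    <value>jdbc:mysql://dbhost.example/{{xaaudit_db_name}}</value></property>
  <property><name>xasecure.audit.jpa.javax.persistence.jdbc.user</name>
    <value>{{xaaudit_db_user}}</value></property>
  <property><name>xasecure.audit.jpa.javax.persistence.jdbc.password</name>
    <value>not-a-real-secret</value></property>
</configuration>"""

def unresolved_placeholders(xml_text):
    """Return [(property_name, variable_name)] for every unsubstituted {{...}}."""
    findings = []
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = prop.findtext("value") or ""
        for match in PLACEHOLDER.finditer(value):
            # Report only the variable name, never the full value, so real
            # credentials in neighbouring properties are not echoed to logs.
            findings.append((name, match.group(1)))
    return findings

def main(paths):
    # With no paths given, fall back to the constructed sample.
    texts = [(p, open(p, encoding="utf-8").read()) for p in paths] or [("<sample>", SAMPLE)]
    bad = 0
    for label, text in texts:
        for prop, var in unresolved_placeholders(text):
            print(f"{label}: {prop} still contains {{{{{var}}}}}")
            bad += 1
    return 1 if bad else 0  # non-zero exit lets a post-upgrade check fail loudly

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Running it after an Ambari upgrade and before restarting services catches the problem earlier than an empty Audit => Access tab does.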