Support Questions

geko · ‎03-23-2016

Hello,

I have a fresh installation of HDP2.2.4 including Ranger 0.4

After enabling and configuring HDFS policy, that policy is getting applied, but I have no entries in the Audit=>Access tab of Ranger UI, it is empty, even after waiting for some minutes and triggering several actions. In the Audit=>Agents tab I can see all the HDFS/Hive/HBase agents connected.

Where can I check for issues what is going wrong here ?

Thanks...

geko · ‎03-26-2016

Hi @Jonas Straub , Hi @Ramesh Mani ,

I just wanted to update with the solution of that issue. At the end it turned out, that after Ambari upgrade (from 2.0.1 initially to Ambari 2.1.2.1), the placeholder-variables were not set/applied correctly via Ambari. In HDFS => advanced ranger-plugin config there were variables like {{xaaudit_db_XYZ}}, and I replaced those with their real values (xaaudit.db.username, xaaudit.db.database, xaaudit.db.password, ...) , restarted HDFS and now the audit log entries are being written.

Regards, Gerd

View solution in original post

jstraub · ‎03-23-2016

Make sure the Audit Source is set to DB in Ambari (see Ranger configuration). Also could you check if the database (mysql?) contains any audit entries?

geko · ‎03-23-2016

Hi @Jonas Straub , thanks for answering.

yep, audit-to-db is marked in HDFS Ranger plugin config, I checked MySQL directly as user 'rangeradmin', but the table xa_access_audit is empty.

These are the settings for Ranger MySQL in Ambari =>

rmani · ‎03-23-2016

@Gerd Koening. Check in Ranger -> Config > Advanced ranger-admin-site ranger.audit.source.type = db

Do you see any exception in namenode log related to Ranger Auditing? Also check that the policy is having the audit enabled. Also hdfs operation you are doing should be for the resources which are in the Policy.

geko · ‎03-24-2016

hi @Ramesh Mani , many thanks.

In my Ambari version(2.1.2.1, Ranger 0.4, HDP2.2.4)) I cannot find that property in Ranger config. There is just "advanced ranger-site" but also there, no property "ranger.audit.source.type".

The only place where I can configure where to log, is the Policy configuration itself, like in HDFS=>advanced ranger-hdfs-plugin-configuration" where I clicked/marked the checkbox "Audit to DB"

The namenode log seems to be the correct hint, there I saw db errors like "connection refused", so I have to investigate into that. I think it is more a mysql problem now, not really a ranger issue....I will catchup on this after after the long weekend...

geko · ‎03-26-2016

Hi @Jonas Straub , Hi @Ramesh Mani ,

I just wanted to update with the solution of that issue. At the end it turned out, that after Ambari upgrade (from 2.0.1 initially to Ambari 2.1.2.1), the placeholder-variables were not set/applied correctly via Ambari. In HDFS => advanced ranger-plugin config there were variables like {{xaaudit_db_XYZ}}, and I replaced those with their real values (xaaudit.db.username, xaaudit.db.database, xaaudit.db.password, ...) , restarted HDFS and now the audit log entries are being written.

Regards, Gerd

Cloudera Community

Support Questions

Ranger audit log is empty .... although policy is applied

How HDFS Apply Ranger Policies

Ranger audit log event summarization

Ranger audit log for Stream Messaging Manager serv...

NiFi Ranger based policy descriptions

Ranger policies not getting applied on groups

How Ranger Audit Works

Ranger Audit logs: Turn them into ORC tables and s...

Using Zeppelin/Spark to query HDFS Ranger Audit lo...

Re: Solr TTL - Auto-Purging Solr Documents & Range...

Writing out NiFi Ranger Audit Log (to file system...