Member since 09-25-2015. 93 Posts, 66 Kudos Received, 19 Solutions.
11-11-2016
07:39 PM
Also refer to this: https://community.hortonworks.com/content/kbentry/60802/ranger-audit-in-hive-table-a-sample-approach-1.html, on how audit logs in HDFS can serve as a Hive table.
10-13-2016
04:55 PM
@Amit Kumar Agarwal Which version of HDP are you using? Please check the datatype of the column "sort_order" in the x_policy_resource_map table; if it is tinyint, please alter it to int and try again.
10-12-2016
04:38 PM
1 Kudo
@Jasper Ranger service configuration has details on which Hadoop components are using Ranger for authorization and what policies exist that can be enabled/disabled and audited or not. These service definitions get created when you enable Ranger for the respective components from Ambari and restart the service.

The properties maintained against the services are used only for the Test Connection and Lookup functionality, which lets you select the resource when you maintain policies, i.e. auto-population of the resource based on the resource name you type in the field. E.g. for Hive, when you maintain policies in the "Database" field, if there are multiple databases in Hive and some of them start with the letter "d", typing "d" in that field brings up a list of databases that start with "d". Same with HDFS: it brings up the matching directories for the "PATH". Same with other components too. To do this, Ranger communicates with the respective Hadoop component and fetches those details. The user and config maintained here are used for this communication, and in Kerberos it is a service principal that is used. These users will have a policy to do these operations.

This is the main purpose of this configuration, and it DOESN'T stop you from using the Ranger plugin if TEST CONNECTION / LOOKUP is not working. It is just for added convenience when maintaining policies. There is a lot of misconception around it. In a Kerberos environment in HDP 2.5 where Ranger itself is kerberized, some "Add New Configuration" parameters get configured which maintain the various users that communicate with Ranger Admin to download policies and tags, for service creation from Ambari, service check, etc.
10-11-2016
12:44 PM
3 Kudos
Enable a Ranger plugin and audit to HDFS for a Hadoop component, say in this case HiveServer2. Audit files will be stored in the folder structure defined in the audit configuration file of the respective Ranger plugin.

Default format is /ranger/audit/<hadoop-component>/<YYYYMMDD>/<component>_ranger_audit_<hostname>.<count>.log

Example audit log listing for the HiveServer2 Ranger plugin:

```
hdfs dfs -ls -R /ranger/audit/hiveServer2
/ranger/audit/hiveServer2/20160315
/ranger/audit/hiveServer2/20160315/hive_ranger_audit_.1.log
/ranger/audit/hiveServer2/20160315/hive_ranger_audit_.2.log
/ranger/audit/hiveServer2/20160316
/ranger/audit/hiveServer2/20160316/hive_ranger_audit_.1.log
/ranger/audit/hiveServer2/20160316/hive_ranger_audit_.2.log
/ranger/audit/hiveServer2/20160317
/ranger/audit/hiveServer2/20160317/hive_ranger_audit_.1.log
/ranger/audit/hiveServer2/20160317/hive_ranger_audit_.2.log
```

Procedure to create and store Ranger audit logs in Hive
Create a Hive external table with a dummy location for input.

```sql
-- Staging table over the raw JSON audit files. The hcatalog JsonSerDe needs
-- hive-hcatalog-core on the classpath (ADD JAR it first if it is not already).
-- Note: this cannot be a TEMPORARY table, because Hive does not allow
-- partition columns on temporary tables and the partitions are added below.
DROP TABLE IF EXISTS ranger_audit_event_json_tmp;
CREATE EXTERNAL TABLE ranger_audit_event_json_tmp (
  resource  string,
  resType   string,
  reqUser   string,
  evtTime   TIMESTAMP,
  policy    int,
  access    string,
  result    int,
  reason    string,
  enforcer  string,
  repoType  int,
  repo      string,
  cliIP     string,
  action    string,
  agentHost string,
  logType   string,
  id        string
)
PARTITIONED BY (evtDate string)
ROW FORMAT SERDE 'org.apache.hive.hcatalog.data.JsonSerDe'
LOCATION '/dummy/location';
```

Alter the staging table to add one partition per date. This is needed to load each day's log file into the Hive table; each ALTER maps one day's audit directory to a partition:

```sql
ALTER TABLE ranger_audit_event_json_tmp ADD PARTITION (evtDate='20160315')
  LOCATION '/ranger/audit/hdfs/20160315';
ALTER TABLE ranger_audit_event_json_tmp ADD PARTITION (evtDate='20160316')
  LOCATION '/ranger/audit/hdfs/20160316';
```
Script to automate. Create the shell script "create_ranger_audit_in_hive.sh":

```bash
#!/bin/bash
# Create the JSON staging table once, then add one partition for every
# daily audit directory found under /ranger/audit/hdfs.
set -e
JDBC_URL="jdbc:hive2://rmani-cluser1:10000/default;principal=hive/rmani-cluser1@EXAMPLE.COM"

# Take the last field of each listing line (the full path) and skip the
# "Found N items" header, instead of relying on a fixed column position.
audit_file=$(hdfs dfs -ls /ranger/audit/hdfs | awk 'NR > 1 {print $NF}')

beeline -u "$JDBC_URL" -e "CREATE EXTERNAL TABLE IF NOT EXISTS ranger_audit_event_json_tmp (
  resource string, resType string, reqUser string, evtTime TIMESTAMP, policy int,
  access string, result int, reason string, enforcer string, repoType int, repo string,
  cliIP string, action string, agentHost string, logType string, id string )
  PARTITIONED BY (evtDate string)
  ROW FORMAT SERDE 'org.apache.hive.hcatalog.data.JsonSerDe'
  LOCATION '/dummy/location'"

for file in $audit_file
do
  # /ranger/audit/hdfs/20160315 -> 20160315 (the partition value)
  partition=$(basename "$file")
  echo "${partition}"
  beeline -u "$JDBC_URL" -e "ALTER TABLE ranger_audit_event_json_tmp
    ADD IF NOT EXISTS PARTITION (evtDate='${partition}')
    LOCATION '/ranger/audit/hdfs/${partition}'"
done
```
ORC format for the audit data:

```sql
DROP TABLE IF EXISTS ranger_audit_event;
CREATE TABLE ranger_audit_event (
  resource  string,
  resType   string,
  reqUser   string,
  evtTime   TIMESTAMP,
  policy    int,
  access    string,
  result    int,
  reason    string,
  enforcer  string,
  repoType  int,
  repo      string,
  cliIP     string,
  action    string,
  agentHost string,
  logType   string,
  id        string
)
STORED AS ORC TBLPROPERTIES ("orc.compress"="ZLIB");

CREATE INDEX i_id ON TABLE ranger_audit_event (id)
AS 'org.apache.hadoop.hive.ql.index.compact.CompactIndexHandler'
WITH DEFERRED REBUILD;

-- List the columns explicitly: SELECT * on the staging table also returns the
-- evtDate partition column, which the 16-column ORC table does not have.
INSERT INTO TABLE ranger_audit_event
SELECT resource, resType, reqUser, evtTime, policy, access, result, reason,
       enforcer, repoType, repo, cliIP, action, agentHost, logType, id
FROM ranger_audit_event_json_tmp;

-- The index was created WITH DEFERRED REBUILD, so build it after loading.
ALTER INDEX i_id ON ranger_audit_event REBUILD;
```
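The staging table in the post above is only as good as the JSON records the JsonSerDe receives. As an added example that is not part of the original post (written in Python rather than Hive so it runs without a cluster), here is a parser that applies the same column list and types as ranger_audit_event_json_tmp to constructed audit lines, derives the evtDate partition with the same path rule as the script, and counts denied events per user, the kind of question the ORC copy of the table is built to answer. Ranger writes result=1 for an allowed request and 0 for a denied one; the sample records, hostnames and IPs are constructed.

```python
import json
from collections import Counter
from datetime import datetime

# Column names and Hive types of ranger_audit_event_json_tmp; "timestamp" is the
# one column the JsonSerDe loads as a Hive TIMESTAMP.
AUDIT_SCHEMA = {"resource": str, "resType": str, "reqUser": str, "evtTime": "timestamp",
                "policy": int, "access": str, "result": int, "reason": str,
                "enforcer": str, "repoType": int, "repo": str, "cliIP": str,
                "action": str, "agentHost": str, "logType": str, "id": str}

def partition_for(path):
    # evtDate = field 5 of /ranger/audit/<component>/<YYYYMMDD>/<file> (cut -d"/" -f5)
    return path.split("/")[4]

def parse_audit_line(line):
    """Coerce one JSON audit record to the table's column types (missing key -> None,
    as the SerDe yields NULL; a value of the wrong type raises ValueError)."""
    rec = json.loads(line)
    row = {}
    for col, typ in AUDIT_SCHEMA.items():
        val = rec.get(col)
        if val is None:
            row[col] = None
        elif typ == "timestamp":  # Ranger writes evtTime as yyyy-MM-dd HH:mm:ss.SSS
            row[col] = datetime.strptime(val, "%Y-%m-%d %H:%M:%S.%f")
        else:
            row[col] = typ(val)
    return row

def denied_by_user(lines, path):
    """Count denied events (result == 0) per (evtDate, reqUser, resource)."""
    evt_date = partition_for(path)
    denied = Counter()
    for line in lines:
        row = parse_audit_line(line)
        if row["result"] == 0:
            denied[(evt_date, row["reqUser"], row["resource"])] += 1
    return denied

# Constructed sample: one day's HDFS-plugin audit file with one allow and two denies.
SAMPLE_PATH = "/ranger/audit/hdfs/20160315/hdfs_ranger_audit_nn1.1.log"
_BASE = {"resource": "/apps/finance", "resType": "path", "reqUser": "bob",
         "evtTime": "2016-03-15 10:13:01.004", "policy": -1, "access": "WRITE",
         "result": 0, "reason": "/apps/finance", "enforcer": "hadoop-acl", "repoType": 1,
         "repo": "c1_hadoop", "cliIP": "10.0.0.13", "action": "write", "agentHost": "nn1",
         "logType": "RangerAudit", "id": "a2"}
SAMPLE_LINES = [json.dumps(dict(_BASE, reqUser="alice", resource="/apps/hive/warehouse/sales",
                                policy=7, access="READ", result=1, enforcer="ranger-acl", id="a1")),
                json.dumps(_BASE),
                json.dumps(dict(_BASE, evtTime="2016-03-15 10:13:05.881", id="a3"))]
```

Running `denied_by_user(SAMPLE_LINES, SAMPLE_PATH)` gives `{('20160315', 'bob', '/apps/finance'): 2}`; a record whose evtTime is not in Ranger's format, or whose policy is not an integer, fails here the same way it would fail to load through the SerDe.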
09-29-2016
04:33 AM
1 Kudo
@Kent Brodi
Please double check that the Java which Ranger Admin and Usersync are using is the one you added the certificate into (/usr/java/latest/jre/lib/security/cacerts). Also please refer to this doc: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.6/bk_Security_Guide/content/configure_ambari_ranger_ssl_self_signed_cert_usersync.html
09-27-2016
07:47 PM
1 Kudo
@Adi Jabkowsky please check that `hdfs groups <user-id>` resolves and fetches the user and its groups. If not, the Hadoop user group mapping is not correct; you might need to check how users/groups are synced at the OS level (e.g. SSSD).
09-23-2016
08:11 PM
1 Kudo
@Eyad Garelnabi Secure solr support is already in
HDP-2.4.3.0-tag
HDP-2.3.6.0-tag
09-02-2016
10:21 PM
@mrizvi Please use the /service/users endpoint, and for update use PUT: `curl -u admin:admin -X PUT -H "Accept: application/json" -H "Content-Type: application/json" http://`hostname -f`:6080/service/users -d @test.json`, where test.json is your JSON payload.
07-13-2016
10:14 PM
1 Kudo
Ranger does not have any facility to create hadoop users in the nodes. If there are hadoop users which you want to authorize you can use Ranger Usersync to bring those into Ranger or in Ranger Admin UI you can create that user ( Settings-->Users/Groups-->Add new user) like kvarakantham had mentioned in the previous post. This enables you to create policy against those users.
06-17-2016
09:25 PM
@Bhanu Pittampally Ranger doesn't have a plugin for Presto, so audit related to Presto won't be there in Ranger auditing. Regarding the question on how Presto is allowed to access HDFS and Hive, there might be global policies defined in Ranger allowing it to happen if the Ranger HDFS and Hive plugins are enabled in your environment. Do you see an audit log in Ranger audit for HDFS when you do an HDFS operation via Presto? Check which user is getting authorized. This also happens only when the Ranger HDFS plugin is enabled and auditing is done for the resource. Same with the Hive case.