...
a. Lay down the build into appropriate places. Let’s start with the Ranger web admin first.
Code Block |
---|
cd /usr/local |
...
sudo tar zxvf ~/dev/incubator-ranger/target/ranger-0.5.0-admin.tar.gz |
...
sudo ln -s ranger-0.5.0-admin ranger- |
...
admin cd /usr/local/ |
...
rangeradmin
|
b. Verify the root password that you had picked while installing mysql. I had chosen root so the relevant section in my install.properties file looks as follows:
Code Block |
---|
db_root_user= |
...
root db_root_password=root |
...
db_host= |
...
localhost
|
c.The
...
install
...
process
...
would
...
create
...
a
...
couple
...
of
...
users
...
in
...
the
...
database
...
for
...
storing administration
...
and
...
audit
...
information,
...
pick
...
passwords
...
for
...
those
...
too.
...
With
...
my choices
...
here’s
...
how
...
the
...
relevant
...
sections
...
in
...
the
...
install.properties
...
file
...
look
...
now.
Code Block | ||
---|---|---|
| ||
# DB UserId used for the XASecure schema # db_name=ranger db_user=rangeradmin db_password=rangeradmin # DB UserId for storing auditlog infromation # audit_db_name=ranger audit_db_user=rangerlogger audit_db_password=rangerlogger |
...
Configuring Ranger Admin Authentication Modes :
- AD ACTIVE DIRECTORY
To enable active directory authentication on Ranger admin, you need to configure following properties of install.properties
...
c. Configure a load balancer to load balance among ranger admin instances and note down the load balancer URL. * Software
- Software (e.g. Apache httpd) or hardware load balancer could be used.
- Details outside the scope of this document.
* Details outside the scope of this document. d. Update the policy manager external URL in all the clients of ranger admin (ranger user sync and ranger plugins) to point to the load balancer URL.
...
a. We’ll start by extracting out build at the appropriate place.
Code Block |
---|
cd /usr/local |
...
sudo tar zxvf ~/dev/ incubator-ranger/target/ranger-0.5.0-usersync.tar.gz |
...
sudo ln -s ranger-0.5.0-usersync ranger-usersync |
...
sudo mkdir -p /var/log/ranger- |
...
usersync sudo chown ranger /var/log/ranger- |
...
usersync sudo chgrp ranger /var/log/ranger- |
...
usersync cd |
...
rangerusersyncb. Now let’s edit the install.properties file. Here are the relevant lines that you should edit: |
- POLICY_MGR_URL = http://localhost:6080
- SYNC_SOURCE = unix
- logdir = /var/log/ranger/usersync
c. Now install the usersync by running the setup command
Code Block | ||
---|---|---|
| ||
export JAVA_HOME=/usr/lib/jvm/java-1.7.0-openjdk- |
...
amd64 ./setup. |
...
sh After installing rangerusersync, follow the same steps to start/stop services of usersync work. |
...
./ranger-usersync-services.sh start |
...
|
Configuring Ranger User-Sync process to use LDAP/AD server:
...
Installing Apache Hadoop:
Now let’s download and install hadoop. Following the excellent instructions available on the hadoop site itself. Follow steps given in pseudo distributed mode.
These instructions were written for version 2.7.0. So grab that tar (hadoop2.7.0.tar.gz) and checksum file (hadoop2.7.0.tar.gz.mds).
Instructions on this page ask that java be installed. If java is not there, install JDK first.
Code Block sudo yum install java-1.7.0-openjdk-devel
Make note of the location where you installed hadoop. Here I assume that you have installed it in
Code Block /usr/local/hadoop
Create a user under which we could install and ultimately run the various hadoop processes. And login as that user.
Code Block sudo useradd --home-dir /var/hadoop --create-home --shell /bin/bash --user-group hadoop
...
- if you get below given message then try next command
Code Block |
---|
sudo useradd --home-dir /var/hadoop --create-home --shell /bin/bash hadoop -g hadoop |
...
Code Block |
---|
sudo tar |
...
zxvf ~/dev/hadoop-2.7.0.tar.gz -C /usr/local |
...
cd /usr/local |
...
sudo ln -s hadoop-2.7.0 hadoop |
...
sudo chown hadoop -R hadoop hadoop-2.7.0 |
...
sudo chgrp hadoop -R hadoop hadoop-2.7. |
...
0
|
TO ADD HDFS USER
Code Block useradd hdfs to check whether user hadoop login works, try: sudo su hadoop
TO ADD HDFS USER
useradd hdfs
- to check whether user hadoop login works, try: sudo su hadoop
- Enabling Ranger HDFS Plugins:
a. We’ll start by extracting our build at the appropriate place (/usr/local).
Code Block |
---|
cd /usr/local |
...
sudo tar zxvf ~/dev/incubator-ranger/target/ranger-0.5.0-hdfs-plugin.tar.gz |
...
sudo ln -s ranger-0.5.0-hdfs-plugin ranger-hdfs-plugin |
...
cd ranger-hdfs- |
...
plugin |
b. Now let’s edit the install.properties file. Here are the relevant lines that you should edit:
- Change the install.properties file
PROPERTY | VALUE |
---|---|
POLICY_MGR_URL | |
REPOSITORY_NAME | hadoopdev |
XAAUDIT.DB.IS_ENABLED | true |
XAAUDIT.DB.FLAVOUR | MYSQL |
XAAUDIT.DB.HOSTNAME | localhost |
XAAUDIT.DB.DATABASE_NAME | ranger_audit |
XAAUDIT.DB.USER_NAME | rangerlogger |
XAAUDIT.DB.PASSWORD | rangerlogger |
c. Now enable the hdfs-plugin by running the enable-hdfs-plugin.sh command (Remember to set JAVA_HOME)
Note |
---|
Note: Hadoop conf and hadoop lib folder are not found at expected locations as per the script because of which Ranger hdfs plugin installation fails. To resolve this issue create a symlink as conf dir of hadoop linking to hadoop conf dir |
...
Code Block |
---|
...
cd /usr/local/hadoop ln -s /usr/local/hadoop/etc/hadoop/ /usr/local/hadoop/ |
...
conf |
Export HADOOP_HOME to bashrc
--> echo "export HADOOP_HOME=/usr/local/hadoop" >> /etc/bashrc
cd /usr/local/ranger-hdfs-plugin
./ enable-hdfs-plugin.sh
One more change that we need to do is copy all the jar files from ${hadoop_home}/lib
-->cp /usr/local/hadoop/lib/*.jar /usr/local/hadoop/share/hadoop/hdfs/lib/
- Provide required permission to logs directory
...
Code Block |
---|
|
...
|
...
|
...
chown root:hadoop /usr/local/hadoop/ |
...
logs |
...
...
|
...
chmod g+w /usr/local/hadoop/ |
...
logs |
- Provide required permission to users in OS file system and hdfs file system
- file system according to your environment and requirement.
d. Once these changes are done Restart hadoop.
Stop NameNode, SecondaryNameNode and DataNode daemon:
Code Block |
---|
...
|
...
|
...
su -l hdfs -c "/usr/local/hadoop/sbin/hadoop-daemon.sh |
...
stop namenode" su -l hdfs -c "/usr/local/hadoop/sbin/hadoop-daemon.sh stop |
...
secondarynamenode" |
...
...
|
...
su -l hdfs -c "/usr/local/hadoop/sbin/hadoop-daemon.sh |
...
stop datanode" |
- Start
- NameNode,
- SecondaryNameNode
- and
- DataNode
- daemon:
Code Block |
---|
...
|
...
su |
...
-l hdfs -c "/usr/local/hadoop/sbin/hadoop-daemon.sh start |
...
namenode" |
...
...
|
...
su l hdfs c "/usr/local/hadoop/sbin/hadoop-daemon.sh start |
...
secondarynamenode" |
...
su l hdfs c "/usr/local/hadoop/sbin/hadoop-daemon.sh start |
...
secondarynamenode" |
e. This should start the association of rangerhdfsplugin with hadoop.
You can verify by logging into the Ranger Admin Web interface > Audit > Agents.
Installing Apache Hive(1.2.0):
Let’s download and install apache hive . Following the
...
excellent instructions available on the apache hive site itself
Code Block |
---|
sudo tar xzvf ~/dev/apache-hive-1.2.0-bin.tar.gz -C /usr/local sudo tar xzvf ~/dev/apache-hive-1.2.0-bin.tar.gz -C /usr/local |
...
cd /usr/ |
...
local sudo ln -s apache-hive-1.2.0-bin hive |
...
useradd hive |
...
cd |
...
hive Export HIVE_HOME to |
...
bashrc echo "export HIVE_HOME=/usr/local/hive" >> /etc/bashrc |
...
|
Note |
---|
Note:HiveServer2 doesn’t start unless HADOOP_VERSION is exported to bashrc |
Enabling Ranger Hive Plugin:
- We’ll start by extracting our build at the appropriate place.
Code Block |
---|
cd /usr/local |
...
sudo tar zxvf ~/dev/incubator-ranger/target/ranger-0.5.0-hive-plugin.tar.gz |
...
sudo ln -s ranger-0.5.0-hive-plugin ranger-hive-plugin |
...
cd ranger-hive- |
...
plugin |
- Now let’s edit the install.properties file. Here are the relevant lines that you should edit:
Change the insall.properties file
PROPERTY VALUE POLICY_MGR_URL REPOSITORY_NAME hivedev XAAUDIT.DB.IS_ENABLED true XAAUDIT.DB.FLAVOUR=MYSQL MYSQL XAAUDIT.DB.HOSTNAME localhost XAAUDIT.DB.DATABASE_NAME ranger_audit XAAUDIT.DB.USER_NAME rangerlogger XAAUDIT.DB.PASSWORD rangerlogger
c. Now enable the hive-plugin by running the enable-hive-plugin.sh command (Remember to set JAVA_HOME)
Code Block |
---|
cd /usr/local/ranger-hive-plugin |
...
./enable-hive-plugin. |
...
sh |
d. Once these changes are done Restart hive. This should start the association of ranger-hive-plugin with hive.
You can verify by logging into the Ranger Admin Web interface > Audit Tab > Agents
e. Provide required permission to users in OS file system and hdfs file system according to your environment and requirement..
Note |
---|
NOTES: If /var/log/hive directory does not exist then create one and assign to user hive. mkdir /var/log/ |
...
hive chown -R hive: hive /var/log/hive |
*Change properties file permission for hive user.
chown -R hive:hadoop /usr/local/apache-hive-1.2.0-bin/conf/hiveserver2-site.xml
chown R hive:hadoop /usr/local/apache-hive-1.2.0-bin/conf/hive-log4j.properties
chown R hive:hadoop /usr/local/apache-hive-1.2.0-bin/conf/hive-site.xml
To start hive metastore :
Code Block |
---|
su -l hive -c "env HADOOP_HOME=/usr/local/hadoop JAVA_HOME=/usr/lib/jvm/java-1.7.0-openjdk.x86_64 nohup hive --service metastore > /var/log/hive/hive.out 2> /var/log/hive/hive.log &” |
To start Hive server2 :
Code Block |
---|
su -l hive -c "env HADOOP_HOME=/usr/local/hadoop JAVA_HOME=/usr/lib/jvm/java-1.7.0-openjdk.x86_64 nohup /usr/local/hive/bin/hiveserver2 hiveconf hive.metastore.uris=\" \" > /var/log/hive/hiveServer2.out 2>/var/log/hive/hiveServer2.log &”
|
To Stop:
Code Block |
---|
ps aux | awk '{print $1,$2}' | grep hive | awk '{print $2}' | xargs kill >/dev/null 2>&1
|
To Login in Hive shell:
Code Block |
---|
/usr/local/hive/bin/beeline -u "jdbc:hive2://localhost:10000" -n rituser -p rituser |
If hive metastore and hiveserver2 do not start then update below given key-values according to your environment in following files.
hiveserver2site.xml
<configuration> </property> |
---|
hivesite.xml
<property> |
---|
Installing Apache Hbase (1.1.0.1)
Let’s download and install apache Hbase . Following the excellent instructions available on he apache Hbase site itself.
sudo tar xzvf ~/dev/hbase-1.1.0.1-bin.tar.gz -C /usr/local
cd /usr/local
sudo ln -s hbase-1.1.0.1 hbase
useradd hbase
cd hbase
Export HBASE_HOME to bashrc
echo "export HBASE_HOME=/usr/local/hbase" >> /etc/bashrc
For HBase 0.98.5 and later, you are required to set the JAVA_HOME environment variable before starting HBase
Enabling Ranger Hbase Plugins :
We’ll start by extracting our build at the appropriate place.
cd /usr/local
sudo tar zxvf ~/dev/incubator-ranger/target/ranger-0.5.0-hbase-plugin.tar.
...
gz
sudo ln -s ranger-0.5.0-hbase-plugin ranger-hbase-plugin
cd ranger-hbase-plugin
Now let’s edit the install.properties file. Here are the relevant lines that you should edit:
Change the insall.properties file
PROPERTY | VALUE |
---|---|
POLICY_MGR_URL | |
REPOSITORY_NAME | hbasedev |
XAAUDIT.DB.IS_ENABLED | true |
XAAUDIT.DB.FLAVOUR | MYSQL |
XAAUDIT.DB.HOSTNAME | localhost |
XAAUDIT.DB.DATABASE_NAME | ranger_audit |
XAAUDIT.DB.USER_NAME | rangerlogger |
XAAUDIT.DB.PASSWORD | rangerlogger |
c. Now enable the hbase-plugin by running the enable-hbase-plugin.sh command (Remember to set JAVA_HOME)
cd /usr/local/ranger-hbase-plugin
./enable-hbase-plugin.sh
d. Once these changes are done Restart hbase. This should start the association of ranger-hbase-plugin with hbase.
You can verify by logging into the Ranger Admin Web interface > Audit Tab > Agents
e. To Stop master and regionserver try:
/usr/local/hbase/bin/hbase-daemon.sh stop master
/usr/local/hbase/bin/hbase-daemon.sh stop regionserver
g. Provide required permission to users in OS file system and hdfs file system according to your environment and requirement.
Installing Apache Knox Gateway:
Let’s download and install apache Knox from Apache Mirrors.
sudo tar -zxvf ~/dev/knox-0.6.0.-tar.gz -C /usr/local
cd /usr/local
sudo ln -s knox-0.6.0 knox
cd knox
2. Following the instructions available on the apache knox site itself (To install Apache Knox Gateway).
Knox Master Secret : knox
Enabling Range Knox Plugins:
We’ll start by extracting our build at the appropriate place.
cd /usr/local
tar -zxvf ~/dev/incubator-ranger/target/ranger-0.5.0-knox-plugin.tar.gz
sudo ln -s ranger-0.5.0-knox-plugin ranger-knox-plugin
cd ranger-knox-plugin
Now let’s edit the install.properties file. Here are the relevant lines that you should edit:
Change the insall.properties file
PROPERY | VALUE |
---|---|
POLICY_MGR_URL | |
REPOSITORY_NAME | knoxdev |
KNOX_HOME | /usr/local/knox |
XAAUDIT.DB.IS_ENABLED | true |
XAAUDIT.DB.HOSTNAME | localhost |
XAAUDIT.DB.DATABASE_NAME | ranger |
XAAUDIT.DB.USER_NAME | rangerlogger |
XAAUDIT.DB.PASSWORD | rangerlogger |
Now enable the knoxplugin by running the enable-knox-plugin.sh command (Remember to set JAVA_HOME)
cd /usr/local/ranger-knox-plugin
./enable-knox-plugin.sh
Once these changes are done Restart Knox ( Gateway / LDAP )
if you get permission denied error during knox start please provide required privileges to knox user. for example :
chown R knox:knox /usr/local/knox/data
chown R knox:knox /usr/local/knox/logs
chown R knox:knox /usr/local/knox/pids
chown R knox:hadoop /usr/local/knox/pids/*
You can verify by logging into the Ranger Admin Web interface > Audit > Agents
Trusting Self Signed Knox Certificate:
When Knox is listening on its SSL port with self signed certificate, you have to import SSL certificate of Knox into truststore used by XA PolicyManager. Here are steps for importing Knox SSL certificate in truststore used by XA PolicyManager.
Log in the machine running Knox
Export knox certificate
cd $GATEWAY_HOME/data/security/keystores
This is typically /usr/local/knox/data/security/keystores on Linux machine.
keytool -exportcert -alias gateway-identity -keystore gateway.jks -file knox.crt
Copy knox.crt file onto machine running Ranger Admin/PolicyManager to a working directory, for example /usr/local/ranger-admin
Replicate cacerts
cd /usr/local/ranger-admin
cp $JAVA_HOME/jre/lib/security/cacerts cacertswithknox
5. Import Knox certificate into the replicated new keystore
keytool -import -trustcacerts -file <knox.crt created above> -alias knox -keystore cacertswithknox
password: changeit
6. Edit /usr/local/ranger-admin/ews/ranger-admin-services.sh
Add parameter -Djavax.net.ssl.trustStore=<path to the cacertswithknox> to the java call in the script.
7. Restart Ranger Admin/PolicyManager.
Installing Apache Storm (0.10.0):
Let’s download and install apache Storm from Apache Mirrors
sudo tar -zxvf ~/dev/apache-storm-0.10.0-beta1.tar.gz -C /usr/local
cd /usr/local
sudo ln -s apache-storm-0.10.0beta1 storm
cd storm
2. Following the instructions available on the apache storm site itself(To install Apache Storm).
Enabling Ranger Storm Plugins:
We’ll start by extracting our build at the appropriate place.
cd /usr/local
tar zxvf ~/dev/incubator-ranger/target/ranger-0.5.0-storm-plugin.tar.gz
sudo ln -s ranger-0.5.0-storm-plugin ranger-storm-plugin
2. Now let’s edit the install.properties file. Here are the relevant lines that you should edit:
Change the insall.properties file
PROPERTY | VALUE |
---|---|
POLICY_MGR_URL | |
REPOSITORY_NAME | stormdev |
XAAUDIT.DB.IS_ENABLED | true |
XAAUDIT.DB.HOSTNAME | localhost |
XAAUDIT.DB.DATABASE_NAME | ranger |
XAAUDIT.DB.USER_NAME | rangerlogger |
XAAUDIT.DB.PASSWORD | XAAUDIT.DB.PASSWORD=rangerlogger |
3. Now enable the storm-plugin by running the enable-storm-plugin.sh command (Remember to set JAVA_HOME)
cd /usr/local/ranger-storm-plugin
./enable-storm-plugin.sh
Once these changes are done Restart Storm
You can verify by logging into the Ranger Admin Web interface > Audit > Agents
Installing Apache Yarn:
You can run a MapReduce job on YARN in a pseudodistributed mode by setting a few parameters and running ResourceManager daemon and NodeManager daemon in addition
The following instructions assume that hadoop installations steps mentioned in Installing Apache Hadoop are already executed.
Enabling Ranger Yarn Plugin:
We’ll start by extracting our build at the appropriate place (/usr/local).
cd /usr/local
...
sudo tar zxvf ~/dev/incubator-ranger/target/ranger-0.5.0-yarn-plugin.tar.gz
sudo ln -s ranger-0.5.0-yarn-plugin ranger-yarn-plugin
cd ranger-yarn-plugin
2. Now let’s edit the install.properties file. Here are the relevant lines that you should edit:
Change the install.properties file
PROPERTY | VALUE |
---|---|
POLICY_MGR_URL | |
REPOSITORY_NAME | yarndev |
XAAUDIT.DB.IS_ENABLED | true |
XAAUDIT.DB.FLAVOUR | MYSQL |
XAAUDIT.DB.HOSTNAME | localhost |
XAAUDIT.DB.DATABASE_NAME | ranger_audit |
XAAUDIT.DB.USER_NAME | rangerlogger |
XAAUDIT.DB.PASSWORD | rangerlogger |
3. Now enable the yarn-plugin by running the enable-yarn-plugin.sh command.
cd /usr/local/ranger-yarn-plugin
./ enable-yarn-plugin.sh
4. One more change that we need to do is copy all the jar files from ${hadoop_home}/lib
cp /usr/local/ranger-yarn-plugin/lib/*.jar /usr/local/hadoop/share/hadoop/yarn/lib/
5. if you get permission denied error during yarn start please provide required privileges to yarn user in local and hdfs file system. for example :
mkdir /var/log/yarn
chown -R yarn:yarn /var/log/yarn
6. Once these changes are done Start ResourceManager daemon and NodeManager daemon.
Start the ResourceManager on ResourceManager hosts.
su yarn -c "/usr/local/hadoop/sbin/yarn-daemon.sh start resourcemanager"
ps -ef | grep -i resourcemanager
Start the NodeManager on NodeManager hosts.
su yarn -c "/usr/local/hadoop/sbin/yarn-daemon.sh start nodemanager"
ps -ef | grep -i nodemanager
Stop the ResourceManager on ResourceManager hosts.
su yarn -c "/usr/local/hadoop/sbin/yarn-daemon.sh stop resourcemanager"
ps -ef | grep -i resourcemanager
Stop the NodeManager on NodeManager hosts.
su yarn -c "/usr/local/hadoop/sbin/yarn-daemon.sh stop nodemanager"
ps -ef | grep -i nodemanager
7. This should start the association of ranger-yarn-plugin with hadoop.
You can verify by logging into the Ranger Admin Web interface > Audit > Agents
Installing Ranger KMS (0.5.0)
Prerequisites: (Need to done for all host on which Ranger KMS needs to be installed)
Download “Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files” zip using below link depending upon the Java version used
http://www.oracle.com/technetwork/java/javase/downloads/jce-7download-432124.html
http://www.oracle.com/technetwork/java/javase/downloads/jce8download2133166.html
...
2. unzip the above downloaded zip file to java’s security folder (Depending upon the java version used)
Code Block |
---|
unzip UnlimitedJCEPolicyJDK7.zip into $JDK_HOME/jre/lib/security unzip jce_policy-8.zip into $JDK_HOME/jre/lib/security |
3. STEPS FOR RANGER KMS:
We’ll start by extracting our build at the appropriate place(/usr/local).
cd /usr/local
sudo tar -zxvf ~/dev/incubator-ranger/target/ranger-0.5.0-kms.tar.gz
sudo ln -s ranger-0.5.0-kms ranger-kms
cd ranger-kms
Please note that Ranger KMS plugin is integrated with Ranger KMS and will be installed automatically when KMS is installed.
Now let’s edit the install.properties file. Here are the relevant lines that you should edit
...
:
Change the install.properties file
DB_FLAVOR
SQL_CONNECTOR_JAR
db_root_user
db_root_password
db_host
db_name
db_user
db_password
PROPERTY | VALUE |
---|---|
POLICY_MGR_URL | |
REPOSITORY_NAME | kmsdev |
KMS_MASTER_KEY_PASSWD | enter master key password |
XAAUDIT.DB.IS_ENABLED | true |
XAAUDIT.DB.FLAVOUR | MYSQL |
XAAUDIT.DB.HOSTNAME | localhost |
XAAUDIT.DB.DATABASE_NAME | ranger_audit |
XAAUDIT.DB.USER_NAME | rangerlogger |
XAAUDIT.DB.PASSWORD | rangerlogger |
Edit “hdfs-site.xml”( Need to give provider else it will not support hadoop commands)
Replace localhost with <internal host name>
Go to path cd /usr/local/hadoop/conf/
vim hdfssite.xml
For property “dfs.encryption.key.provider.uri” ,enter the value “kms://http@<internal host name>:9292/kms”
save and quit
Edit “coresite.xml”( Need to give provider else it will not support hadoop commands)
Replace localhost with <internal host name>
Go to path cd /usr/local/hadoop/conf/
vim coresite.xml
For property “hadoop.security.key.provider.path” ,enter the value “kms://http@<internal host name>:9292/kms”
Once these changes are done Restart hadoop.
Stop NameNode, SecondaryNameNode and DataNode daemon:
su -l hdfs -c "/usr/local/hadoop/sbin/hadoopdaemon.sh stopnamenode"
su -l hdfs -c "/usr/local/hadoop/sbin/hadoopdaemon.sh startnamenode"
Run setup
./setup.sh
Start the kms server
ranger-kms start
You can verify the plugin is communicating to Ranger admin in Audit->plugins tab.
If kmsdev service is not created in Ranger Admin then kms-plugin will not able to connect to Ranger admin.
To Create the Kms service
PROPERTY | VALUE |
---|---|
REPOSITORY_NAME | name specified in installed.properties (e.g |
KMS URL | kms://http@<internal host name>:9292/kms |
Username | <username> (for e.g keyadmin) |
Password | <password> |
Check Test Connection.
ENABLING AUDIT LOGGING TO HDFS:
To enable Audit to HDFS for a plugin do the below:
set XAAUDIT.HDFS.ENABLE = true for respective component plugin in the install.properties file which may be found in /usr/local/ranger<component>plugin/ directory.
configure NameNode host in the XAAUDIT.HDFS.HDFS_DIR.
create a policy in HDFS service from Ranger Admin for individual component users (hive/hbase/knox/storm/yarn/kafka/kms) to give READ+ WRITE permission for the particular audit folder. i.e for enabling Hive component to log Audits to HDFS , we need to create a policy for hiveuser with READ+ WRITE permissions to respective audit directory
Audit to HDFS caches logs in local directory, which can be specified in XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY ( this can be like ‘/var/log/<component>/**), which is the path where audit is stored temporarily, likewise for archived logs we need to update XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY value ( this can be like ‘/var/log/<component>/**), before enabling the plugin for the component.
Note that, HDFS audit logging is for archive purposes. For seeing audit report in the Ranger Admin UI, recommended option is Solr.
ENABLING AUDIT LOGGING TO SOLR:
Set following properties in install.properties of ranger service to work audit to solr in Ranger
PROPERTIES | VALUE |
---|---|
audit_store | solr |
audit_solr_urls | |
audit_solr_user | ranger_solr |
audit_solr_password | NONE |
Restart Ranger.
To enable Audit to Solr for a plugin do the below:
Set following properties in install.properties of plugin to start logging audit to Solr : for eg Hbase
PROPERTY | VALUE |
---|---|
XAAUDIT.SOLR.IS_ENABLED | true |
XAAUDIT.SOLR.ENABLE | true |
XAAUDIT.SOLR.URL | |
XAAUDIT.SOLR.USER | ranger_solr |
XAAUDIT.SOLR.PASSWORD | NONE |
XAAUDIT.SOLR.FILE_SPOOL_DIR | var/log/hadoop/hdfs/audit/solr/spool |
Enable ranger plugin for Hbase.
Restart Hbase component.