Hadoop Security Guide

Save Audits to HDFS

There are no configuration changes needed for Ranger properties.

To save Ranger KMS audits to HDFS, set the following properties in the Advanced ranger-kms-audit list.

Note: the following configuration settings must be changed in each plugin.

  1. Check the box next to Enable Audit to HDFS in the Ranger KMS component.

  2. Set the HDFS path to the path of the location in HDFS where you want to store audits:

    xasecure.audit.destination.hdfs.dir = hdfs://NAMENODE_FQDN:8020/ranger/audit

  3. Check the Audit provider summary enabled box, and make sure that xasecure.audit.is.enabled is set to true.

  4. Make sure that the plugin's root user (kms) has permission to access the HDFS path hdfs://NAMENODE_FQDN:8020/ranger/audit.

  5. Restart Ranger KMS.

  6. Generate audit logs for the Ranger KMS.

  7. (Optional) To verify audit to HDFS without waiting for the default sync delay (approximately 24 hours), restart Ranger KMS. Once the changes are saved, Ranger KMS starts writing audit logs to HDFS after the restart.

To check for audit data:

hdfs dfs -ls /ranger/audit/

To test Ranger KMS audit to HDFS, complete the following steps:

  1. Under custom core-site.xml, set hadoop.proxyuser.kms.groups to "*" or to the service user.

  2. In the custom kms-site file, add hadoop.kms.proxyuser.keyadmin.users and set its value to "*". (If you are not using keyadmin to access Ranger KMS Admin, replace "keyadmin" with the user account used for authentication.)

  3. In the custom kms-site file, add hadoop.kms.proxyuser.keyadmin.hosts and set its value to "*". (If you are not using keyadmin to access Ranger KMS Admin, replace "keyadmin" with the user account used for authentication.)

  4. Copy the core-site.xml to the component’s class path (/etc/ranger/kms/conf)

    OR

    link to /etc/hadoop/conf/core-site.xml under /etc/ranger/kms/conf (ln -s /etc/hadoop/conf/core-site.xml /etc/ranger/kms/conf/core-site.xml)

  5. Verify the service user principal. (For Ranger KMS it will be the http user.)

  6. Make sure that the component user has permission to access HDFS. (For Ranger KMS the http user should also have permission.)
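As an added pre-flight check for the two procedures above (it is not part of the Hadoop Security Guide or of Ranger), the following script parses Hadoop-style XML files and reports which of the named properties are missing or mis-set, and which proxyuser settings are left at the wildcard "*". The property names are the ones the guide spells out; the three XML documents are constructed samples, and the missing .hosts entry is deliberate so the check has something to report.

```python
import xml.etree.ElementTree as ET

def parse_hadoop_xml(text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    root = ET.fromstring(text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.iter("property")}

def check_kms_audit(audit_cfg, core_cfg, kms_cfg, admin_user="keyadmin"):
    """Return the list of settings that do not match the procedure above."""
    problems = []
    if not audit_cfg.get("xasecure.audit.destination.hdfs.dir", "").startswith("hdfs://"):
        problems.append("xasecure.audit.destination.hdfs.dir is not an hdfs:// path")
    if audit_cfg.get("xasecure.audit.is.enabled") != "true":
        problems.append("xasecure.audit.is.enabled is not true")
    if not core_cfg.get("hadoop.proxyuser.kms.groups"):
        problems.append("hadoop.proxyuser.kms.groups is not set in core-site.xml")
    for key in (f"hadoop.kms.proxyuser.{admin_user}.users",
                f"hadoop.kms.proxyuser.{admin_user}.hosts"):
        if key not in kms_cfg:
            problems.append(f"{key} is missing from kms-site.xml")
    return problems

def wildcard_proxy_settings(*cfgs):
    """Proxyuser properties set to '*'. The guide allows this for the test;
    '*' lets the proxy act for any user or group, so review it afterwards."""
    return sorted(k for cfg in cfgs for k, v in cfg.items()
                  if "proxyuser" in k and v == "*")

# Constructed sample files (not taken from a real cluster).
RANGER_KMS_AUDIT_XML = """<configuration>
  <property><name>xasecure.audit.is.enabled</name><value>true</value></property>
  <property><name>xasecure.audit.destination.hdfs.dir</name>
            <value>hdfs://NAMENODE_FQDN:8020/ranger/audit</value></property>
</configuration>"""
CORE_SITE_XML = """<configuration>
  <property><name>hadoop.proxyuser.kms.groups</name><value>*</value></property>
</configuration>"""
KMS_SITE_XML = """<configuration>
  <property><name>hadoop.kms.proxyuser.keyadmin.users</name><value>*</value></property>
</configuration>"""  # .hosts deliberately left out so the check fires

def run_checks():
    audit = parse_hadoop_xml(RANGER_KMS_AUDIT_XML)
    core = parse_hadoop_xml(CORE_SITE_XML)
    kms = parse_hadoop_xml(KMS_SITE_XML)
    return check_kms_audit(audit, core, kms), wildcard_proxy_settings(core, kms)

if __name__ == "__main__":
    problems, wildcards = run_checks()
    for line in problems:
        print("PROBLEM:", line)
    print("wildcard proxyuser settings:", wildcards)
```

Point the three parse calls at /etc/ranger/kms/conf/core-site.xml and the deployed kms-site and ranger-kms-audit files to run it against a real node; the HDFS permission steps still need hdfs dfs -ls /ranger/audit/ as the guide shows.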