Hadoop Security Guide

Manually Updating Ambari HDFS Audit Settings

Note

HDFS audits are enabled by default in the standard Ranger Ambari installation procedure, and are activated automatically when Ranger is enabled for a plugin.

The following steps show how to save Ranger audits to HDFS for HBase. You can use the same procedure for other components.

  1. From the Ambari dashboard, select the HBase service. On the Configs tab, scroll down and select Advanced ranger-hbase-audit. Select the Audit to HDFS check box.

  2. Set the HDFS path where you want to store audits:

    xasecure.audit.destination.hdfs.dir = hdfs://$NAMENODE_FQDN:8020/ranger/audit

    Refer to the fs.defaultFS property in the Advanced core-site settings.

    Note

    For NameNode HA, NAMENODE_FQDN is the cluster name. In order for this to work, /etc/hadoop/conf/hdfs-site.xml needs to be linked under /etc/<component_name>/conf.

  3. Enable the Ranger plugin for HBase.

  4. Make sure that the plugin sudo user has permission on the HDFS path:

    hdfs://NAMENODE_FQDN:8020/ranger/audit

    For example, create a policy for the resource /ranger/audit that grants all permissions to the user hbase.

  5. Save the configuration updates and restart HBase.

  6. Generate some audit logs for the HBase component.

  7. Check the HDFS component logs on the NameNode:

    hdfs://NAMENODE_FQDN:8020/ranger/audit

Note

For a secure cluster, use the following steps to enable audit to HDFS for Storm, Kafka, and Knox:

  • In core-site.xml, set the hadoop.proxyuser.<component>.groups property to the value “*” or the service user.

  • For the Knox plugin, there is one additional property to add to core-site.xml: add the hadoop.proxyuser.<component>.users property with the value “*” or the service user (i.e., knox).

  • For Kafka and Knox, link to /etc/hadoop/conf/core-site.xml under /etc/<component_name>/conf. For Storm, link to /etc/hadoop/conf/core-site.xml under /usr/hdp/<version>/storm/extlib-daemon/ranger-storm-plugin-impl/conf.

  • Verify the service user principal.

  • Make sure that the component user has permissions on HDFS.
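
The following added example (not part of the original guide) is one way to review the settings named above before restarting services: it checks that xasecure.audit.destination.hdfs.dir points at the filesystem named by fs.defaultFS, and reports proxyuser properties that are missing or set to the wildcard. The sample XML, the hostnames, and the function names load_props and check_audit_config are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample files (not taken from a real cluster).
CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn1.example.com:8020</value></property>
  <property><name>hadoop.proxyuser.kafka.groups</name><value>kafka</value></property>
  <property><name>hadoop.proxyuser.knox.groups</name><value>*</value></property>
</configuration>"""
AUDIT_SITE = """<configuration>
  <property><name>xasecure.audit.destination.hdfs.dir</name>
    <value>hdfs://nn2.example.com:8020/ranger/audit</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def check_audit_config(core_xml, audit_xml, components=("storm", "kafka", "knox")):
    """Return a list of findings; an empty list means every check passed."""
    core, audit = load_props(core_xml), load_props(audit_xml)
    findings = []
    dest = urlparse(audit.get("xasecure.audit.destination.hdfs.dir", ""))
    default_fs = urlparse(core.get("fs.defaultFS", ""))
    if dest.scheme != "hdfs" or not dest.path.strip("/"):
        findings.append("audit dir: missing or not an hdfs:// path")
    # Compare hosts only: with NameNode HA the authority is the cluster name.
    elif dest.hostname != default_fs.hostname:
        findings.append(f"audit dir: host {dest.hostname} != fs.defaultFS host {default_fs.hostname}")
    for comp in components:
        # Knox needs the .users property in addition to .groups.
        suffixes = ("groups", "users") if comp == "knox" else ("groups",)
        for suffix in suffixes:
            key = f"hadoop.proxyuser.{comp}.{suffix}"
            value = core.get(key)
            if value is None:
                findings.append(f"{key}: not set")
            elif value == "*":
                # Allowed by the guide, but lets the component impersonate broadly.
                findings.append(f"{key}: wildcard (the service user is the narrower choice)")
    return findings

if __name__ == "__main__":
    for finding in check_audit_config(CORE_SITE, AUDIT_SITE):
        print(finding)
```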