Check the box next to Enable Audit to HDFS in the Ranger KMS component.

Set the HDFS path to the path of the location in HDFS where you want to store audits:

xasecure.audit.destination.hdfs.dir = hdfs://NAMENODE_FQDN:8020/ranger/audit

Check the Audit provider summary enabled box, and make sure that xasecure.audit.is.enabled is set to true.

Make sure that the plugin's root user (kms) has permission to access HDFS Path hdfs://NAMENODE_FQDN:8020/ranger/audit

Restart Ranger KMS.

Generate audit logs for the Ranger KMS.

(Optional) To verify audit to HDFS without waiting for the default sync delay (approximately 24 hours), restart Ranger KMS. Ranger KMS will start writing to HDFS after the changes are saved post-restart.

Under custom core-site.xml, set hadoop.proxyuser.kms.groups to “*” or to the service user.

In the custom kms-site file, add hadoop.kms.proxyuser.keyadmin.users and set its value to "*". (If you are not using keyadmin to access Ranger KMS Admin, replace “keyadmin” with the user account used for authentication.)

In the custom kms-site file, add hadoop.kms.proxyuser.keyadmin.hosts and set its value to "*". (If you are not using keyadmin to access Ranger KMS Admin, replace “keyadmin” with the user account used for authentication.)

Copy the core-site.xml to the component’s class path (/etc/ranger/kms/conf)

OR

link to /etc/hadoop/conf/core-site.xml under /etc/ranger/kms/conf (ln -s /etc/hadoop/conf/core-site.xml /etc/ranger/kms/conf/core-site.xml)

Verify the service user principal. (For Ranger KMS it will be the http user.)

Make sure that the component user has permission to access HDFS. (For Ranger KMS the http user should also have permission.)