Configuring Apache HDFS Encryption
Also available as:
PDF
loading table of contents...

Save Audits to HDFS

How to save audits to HDFS, when enabling Ranger KMS Audit.

There are no configuration changes needed for Ranger properties.

To save Ranger KMS audits to HDFS, set the following properties in the Advanced ranger-kms-audit list.

Note
Note
The following configuration settings must be changed in each Plugin.
  1. Check the box next to Enable Audit to HDFS in the Ranger KMS component.
  2. Set the HDFS path to the path of the location in HDFS where you want to store audits: xasecure.audit.destination.hdfs.dir = hdfs://NAMENODE_FQDN:8020/ranger/audit.
  3. Check the Audit provider summary enabled box, and make sure that xasecure.audit.is.enabled is set to true.
  4. Make sure that the plugin's root user (kms) has permission to access HDFS Path hdfs://NAMENODE_FQDN:8020/ranger/audit.
  5. Restart Ranger KMS.
  6. Generate audit logs for the Ranger KMS.
  7. (Optional) To verify audit to HDFS without waiting for the default sync delay (approximately 24 hours), restart Ranger KMS. Ranger KMS will start writing to HDFS after the changes are saved post-restart.
  8. To check for audit data: hdfs dfs -ls /ranger/audit/.
  9. Test Ranger KMS audit to HDFS:
    1. Under custom core-site.xml, set hadoop.proxyuser.kms.groups to “*” or to the service user.
    2. In the custom kms-site file, add hadoop.kms.proxyuser.keyadmin.users and set its value to "*". (If you are not using keyadmin to access Ranger KMS Admin, replace “keyadmin” with the user account used for authentication.)
    3. In the custom kms-site file, add hadoop.kms.proxyuser.keyadmin.hosts and set its value to "*". (If you are not using keyadmin to access Ranger KMS Admin, replace “keyadmin” with the user account used for authentication.)
    4. Choose:
      • Copy the core-site.xml to the component’s class path (/etc/ranger/kms/conf)
      • Link to /etc/hadoop/conf/core-site.xml under /etc/ranger/kms/conf (ln -s /etc/hadoop/conf/core-site.xml /etc/ranger/kms/conf/core-site.xml)
    5. Verify the service user principal. (For Ranger KMS it will be the http user.)
    6. Make sure that the component user has permission to access HDFS. (For Ranger KMS the http user should also have permission.)