Ranger Audit Filters (Technical Preview)

You can use Ranger audit filters to control the amount of audit log data collected and stored on your cluster.

About Ranger audit filters

Ranger audit filters allow you to control the amount of audit log data for each Ranger service. Audit filters are defined using a JSON string that is added to each service configuration. The audit filter JSON string is a simplified form of the Ranger policy JSON.

Ranger audit filters format

Audit filters consist of a subset of Ranger policy attributes, along with access results attributes. These attributes define the audit filter rules.

{'resources':
 {
   'database':{'values':['data','data2']},
   'table':{'values':['*']},
   'column':{'values':['*']}
 },
 'accessTypes':['select','insert'],
 'users':['user1','user2],
 'groups':['no_audit_group'],
 'roles' :['role1','role2'],
 'actions': ['METADATA OPERATION','SHOW_ROLES'],
 'accessResult': 'DENIED' or 'ALLOWED' or 'NOT_DETERMINED' or empty
 'isAudited' : false
}

Ranger audit filters configuration

Ranger audit filters are configured by adding the audit filter JSON string as the value of the ranger.plugin.audit.filters configuration property in each Ranger service.

To configure resource-based audit filters, click the Edit icon for the applicable service in the Ranger Admin web UI. On the Edit Service page, click the Add (+) icon under Add New Configurations, then enter ranger.plugin.audit.filters in the Name box, and enter the audit filter JSON string in the Value box.



To configure tag-based audit filters, click the Edit icon for the applicable tag-based service in the Ranger Admin web UI. On the Edit Service page, click the Add (+) icon under Add New Configurations, then enter ranger.plugin.audit.filters in the Name box, and enter the audit filter JSON string in the Value box.



HDFS service audit filters example:

"serviceConfig": {
   "ranger.plugin.audit.filters": 
   "[
     {'accessResult': 'DENIED', 'isAudited': true},

     {'users': ['unaudited-user1'], 'groups': ['unaudited-group1'], 'roles':['unaudited-role1'], 'isAudited': false}, 

     {'actions': [ 'listStatus', 'getfileinfo' ], 'accessTypes':['execute'], 'isAudited': false}, 

 {'resources':{'path':{'values':['/audited'],'isRecursive':true}},
'isAudited': true},
     
{'resources':{'path':{'values':['/unaudited'],'isRecursive':true}},'isAudited': false} 
     ]"
   }

Hive service audit filters example:

"serviceConfig": {
  	"ranger.plugin.audit.filters":

"[ {'accessResult': 'DENIED', 'isAudited': true},
 {'resources':{'database':{'values':['temp']},'table':{'values':['tempdata']},'column':{'values':['*']}},'isAudited' : false},
 {'resources':{'database':{'values':['sys']},'table':{'values':['dump']}},users':['user2']','isAudited': false }, 

{'actions':['METADATA OPERATION'], 'isAudited': false}, 

{'users':['superuser1'],'groups':['supergroup1'], 'isAudited': false} ]"
}

Tag-based service audit filters example:

"serviceConfig": {
 "ranger.plugin.audit.filters": "[ {'resources':{'tag':{'values':['NO_AUDIT']}},'isAudited': false}, 

{'resources':{'tag':{'values':['SYS_DATA']}},'users':['user1'],
'isAudited':false},

 {'resources':{'tag':{'values':['HIPPA']}},'users':['user1'], 'isAudited':true} ]"
}

Audit filters details

  • As shown in the examples above, audit filters are defined as a JSON list.

  • When adding the JSON string to the Value box in each service configuration, you should only enter the text within the top-level brackets, as ranger.plugin.audit.filters is already set in the Name box in the UI. For the HDFS example above, you would enter:
    [ {'accessResult': 'DENIED', 'isAudited': true},
    
         {'users': ['unaudited-user1'], 'groups': ['unaudited-group1'], 'roles':['unaudited-role1'], 'isAudited': false}, 
    
         {'actions': [ 'listStatus', 'getfileinfo' ], 'accessTypes':['execute'], 'isAudited': false}, 
    
     {'resources':{'path':{'values':['/audited'],'isRecursive':true}},
    'isAudited': true},
         
    {'resources':{'path':{'values':['/unaudited'],'isRecursive':true}},'isAudited': false} ]
  • Each value in the list is an audit filter, which takes the format of a simplified Ranger policy, along with access results fields.
  • Audit filters are defined with rules on Ranger policy attributes and access result attributes.
    • Policy attributes: resources, users, groups, roles, accessTypes
    • Access result attributes: isAudited, actions, accessResult
  • The following audit filter specifies that accessResult=DENIED will be audited. The isAudited flag specifies whether or not to audit.
    {'accessResult': 'DENIED', 'isAudited': true}
  • The following audit filter specifies that “resource => /unaudited” will not be audited.
    {'resources':{'path':{'values':['/unaudited'],'isRecursive':true},
    'iAudited': false}
  • The following audit filter specifies that access to resource database=> sys table=> dump by user “use2” will not be audited.
    {'resources':{'database':{'values':['sys']},'table':{'values':dump']},
    'users':['user2'],'isAudited': false }
  • The following audit filter specifies that access result in actions => listStatus, getfileInfo and accessType => execute will not be audited.
    {{'actions': [ 'listStatus', 'getfileinfo' ], 'accessTypes':['execute'], 'isAudited': false}
  • The following audit filter specifies that access by user "superuser1" and group "supergroup1" will not be audited.
    {'users':['superuser1'],'groups':['supergroup1'], 'isAudited': false}
  • The following audit filter specifies that access to any resource tagged as NO_AUDIT will not be audited.
    {'resources':{'tag':{'values':['NO_AUDIT']}},'isAudited': false}

Default audit filters

You can create default audit filters for each Ranger service, which can then be modified as needed by Admin users.

HDFS service:

"ranger.plugin.audit.filters": 
"[ {'accessResult': 'DENIED', 'isAudited': true}, 
{'resources':{'path':{'values':['*/hive-staging','*/staging', '*/sparkStaging', 
'*/_impala_insert_staging', '/user/history/done_intermediate','/user/spark/spark2ApplicationHistory',
'/user/spark/ApplicationHistory', '/user/hue/.cloudera_manager_hive_metastore_canary',
'/user/hue/.Trash/Current/user/hue/.cloudera_manager_hive_metastore_canary',
'/tmp', '/user/oozie/share/lib', '/hbase/archive', '/hbase/oldWALs', '/hbase/MasterProcWALs'],
'isRecursive':true}}, 'isAudited': false}, {'actions':['delete','rename*'],'isAudited':true}, 
{'users':['cloudera-scm','dr.who','hbase','hive','impala','mapred','solr','spark', 'hue'], 
'isAudited':false}, {'users':['hdfs'], 'actions': ['listStatus', 'getfileinfo', 'listCachePools',
'listCacheDirectives'], 'isAudited': false}, {'actions': ['getfileinfo'], 'isAudited':true} ]"       

HBase service:

"ranger.plugin.audit.filters":"[{'resources':{'table':{'values':['*-ROOT-*','*.META.*', '*_acl_*', 
'hbase:meta', 'hbase:acl']}}, 'isAudited': false }, {'resources':{'table':{'values':['atlas_janus',
'ATLAS_ENTITY_AUDIT_EVENTS']},'column-family':{'values':['*']},'column':{'values':['*']}},
'isAudited':false},{'users':['hbase'], 'actions':['balance'],'isAudited':false}]"

Hive service:

"ranger.plugin.audit.filters": "[ {'accessResult': 'DENIED', 'isAudited': true}, {'accessTypes':['_any'],
'isAudited':false}, {'actions':['METADATA OPERATION'], 'isAudited': false}, {'users':['hive','hue'],
'actions':['SHOW_ROLES'],'isAudited':false} ]"

Kafka service:

"ranger.plugin.audit.filters":"[{'resources':{'consumergroup':{'values':['atlas','ranger_entities_consumer']}},
'isAudited':false},{'resources':{'topic':{'values':['ATLAS_*']}},'isAudited':false},{'users':['rangertagsync',
'kafka','atlas'],'isAudited':false}]"

ADLS service:

"ranger.plugin.audit.filters": "[ {'accessResult': 'DENIED', 'isAudited': true}, 
{'users':['hive','hdfs','zeppelin','hbase','solr','kafka'],'isAudited':false} ]"