Configuring a Ranger audit filter policy
You can configure an audit filter as you add or edit a resource- or tag-based service.
To configure an audit filter policy:
- In clcik Add or Edit for either a resource-, or tag-based service.
- Scroll down to Audit Filter.
- Click Audit Filter flag.
You configure a Ranger audit filter policy by adding (+), deleting (X), or modifying each audit filter row for the service.
- Use the controls in the filter row to edit filter properties. For example, you can
configure:
- Is Audited: choose Yes or No
- to include or not include a filter in the audit logs for a service
- Access Result: choose DENIED, ALLOWED, or NOT_DETERMINED
- to include that access result in the audit log filter
- Resources: Add or Delete a resource item
- to include or remove the resource from the audit log filter
- Operations: Add or Remove an action name
- to include the action/operation in the audit log filter
- Permissions: Add or Remove permissions
-
- Click + in Permissions to open the Add dialog.
- Select/Unselect required permissions.
- Users: click Select User to see a list of defined users
- to include one or multiple users in the audit log filter
- Groups: click Select Group to see a list of defined groups
- to include one or multiple groups in the audit log filter
- Roles: click Select Role to see a list of defined roles
- to include one or multiple roles in the audit log filter
Audit filter details
-
When you save the UI selections described in the preceding list, audit filters are defined as a JSON list. Each service references a unique list.
- For example,
ranger.plugin.audit.filtersfor the HDFS service includes:[ { "accessResult":"DENIED", "isAudited":true }, { "users":[ "unaudited-user1" ], "groups":[ "unaudited-group1" ], "roles":[ "unaudited-role1" ], "isAudited":false }, { "actions":[ "listStatus", "getfileinfo" ], "accessTypes":[ "execute" ], "isAudited":false }, { "resources":{ "path":{ "values":[ "/audited" ], "isRecursive":true } }, "isAudited":true }, { "resources":{ "path":{ "values":[ "/unaudited" ], "isRecursive":true } }, "isAudited":false } ] - Each value in the list is an audit filter, which takes the format of a simplified Ranger policy, along with access results fields.
- Audit filters are defined with rules on Ranger policy attributes and access result
attributes.
- Policy attributes: resources, users, groups, roles, accessTypes
- Access result attributes: isAudited, actions, accessResult
-
The following audit filter specifies that accessResult=DENIED will be audited.
The
isAuditedflag specifies whether or not to audit.{"accessResult":"DENIED","isAudited":true} - The following audit filter specifies that “resource => /unaudited” will not be audited.
{"resources":{"path":{"values":["/unaudited"],"isRecursive":true}},"isAudited":false} - The following audit filter specifies that access to resource database=> sys table=>
dump by user “use2” will not be audited.
{"resources":{"database":{"values":["sys"]},"table":{"values":["dump"]}},"users":["user2"],"isAudited":false} - The following audit filter specifies that access result in actions => listStatus,
getfileInfo and accessType => execute will not be audited.
{"actions":["listStatus","getfileinfo"],"accessTypes":["execute"],"isAudited":false} - The following audit filter specifies that access by user "superuser1" and group
"supergroup1" will not be audited.
{"users":["superuser1"],"groups":["supergroup1"],"isAudited":false} - The following audit filter specifies that access to any resource tagged as
NO_AUDITwill not be audited.{"resources":{"tag":{"values":["NO_AUDIT"]}},"isAudited":false}
