There are no configuration changes needed for Ranger properties.
To save Ranger KMS audits to HDFS, set the following properties in the Advanced ranger-kms-audit list.
Note: the following configuration settings must be changed in each Plugin.
1. Check the box next to Enable Audit to HDFS in the Ranger KMS component.
2. Set the HDFS path to the path of the location in HDFS where you want to store audits:
   xasecure.audit.destination.hdfs.dir = hdfs://NAMENODE_FQDN:8020/ranger/audit
3. Check the Audit provider summary enabled box, and make sure that xasecure.audit.is.enabled is set to true.
4. Make sure that the plugin's root user (kms) has permission to access HDFS Path hdfs://NAMENODE_FQDN:8020/ranger/audit
5. Restart Ranger KMS.
6. Generate audit logs for the Ranger KMS.
7. (Optional) To verify audit to HDFS without waiting for the default sync delay (approximately 24 hours), restart Ranger KMS. Ranger KMS will start writing to HDFS after the changes are saved post-restart.
   To check for audit data:
   hdfs dfs -ls /ranger/audit/
To test Ranger KMS audit to HDFS, complete the following steps:
1. Under custom core-site.xml, set hadoop.proxyuser.kms.groups to "*" or to the service user.
2. In the custom kms-site file, add hadoop.kms.proxyuser.keyadmin.users and set its value to "*". (If you are not using keyadmin to access Ranger KMS Admin, replace "keyadmin" with the user account used for authentication.)
3. In the custom kms-site file, add hadoop.kms.proxyuser.keyadmin.hosts and set its value to "*". (If you are not using keyadmin to access Ranger KMS Admin, replace "keyadmin" with the user account used for authentication.)
4. Copy the core-site.xml to the component's class path (/etc/ranger/kms/conf)
   OR
   link to /etc/hadoop/conf/core-site.xml under /etc/ranger/kms/conf:
   ln -s /etc/hadoop/conf/core-site.xml /etc/ranger/kms/conf/core-site.xml
5. Verify the service user principal. (For Ranger KMS it will be the http user.)
6. Make sure that the component user has permission to access HDFS. (For Ranger KMS the http user should also have permission.)
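The properties named in both procedures above can be checked offline before Ranger KMS is restarted. The following Python script is an added example, not part of the original documentation or of Ranger; the sample XML is constructed, and the function names and the ERROR/REVIEW levels are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample files in Hadoop's <configuration> format (not from a real cluster).
SAMPLE_AUDIT = """<configuration>
  <property><name>xasecure.audit.is.enabled</name><value>true</value></property>
  <property><name>xasecure.audit.destination.hdfs.dir</name>
            <value>hdfs://NAMENODE_FQDN:8020/ranger/audit</value></property>
</configuration>"""
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.kms.groups</name><value>*</value></property>
</configuration>"""
SAMPLE_KMS_SITE = """<configuration>
  <property><name>hadoop.kms.proxyuser.keyadmin.users</name><value>*</value></property>
</configuration>"""

def load_props(xml_text):
    """Parse one Hadoop-style XML config into a {name: value} dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def check_kms_audit(props, proxy_user="keyadmin"):
    """Return (level, message) findings for the settings named in the steps above."""
    findings = []
    if props.get("xasecure.audit.is.enabled", "").lower() != "true":
        findings.append(("ERROR", "xasecure.audit.is.enabled is not true"))
    hdfs_dir = props.get("xasecure.audit.destination.hdfs.dir", "")
    if not hdfs_dir.startswith("hdfs://"):
        findings.append(("ERROR", "xasecure.audit.destination.hdfs.dir is not an hdfs:// path"))
    proxy_keys = ["hadoop.proxyuser.kms.groups",
                  f"hadoop.kms.proxyuser.{proxy_user}.users",
                  f"hadoop.kms.proxyuser.{proxy_user}.hosts"]
    for key in proxy_keys:
        if key not in props:
            findings.append(("ERROR", f"{key} is missing"))
        elif props[key] == "*":
            # "*" satisfies the test steps but places no limit on impersonation.
            findings.append(("REVIEW", f"{key} is a wildcard"))
    return findings

if __name__ == "__main__":
    merged = {}
    for text in (SAMPLE_AUDIT, SAMPLE_CORE_SITE, SAMPLE_KMS_SITE):
        merged.update(load_props(text))
    for level, msg in check_kms_audit(merged):
        print(level, msg)
```

Pass a different proxy_user if an account other than keyadmin is used to access Ranger KMS Admin.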

