Enabling auditing using the Big SQL Ranger plugin

When the Big SQL Ranger plugin is used to control access to tables and views, Ranger can audit all access to those objects. You can select HDFS or Solr as an audit destination. Use these steps to enable and configure auditing using the Big SQL Ranger plugin. For information about auditing using the Db2 audit facility, see admin_audit_config.html#admin_audit_config.

Before you begin

Before enabling Ranger auditing, note the following important recommendations:
  1. If you have enabled the Solr plugin and are using Audit to Solr for the other plugins, you must update the Solr plugin policy through the Ranger Admin to include the ranger user. This update enables Audit to Solr to work for your other plugins when the Solr plugin is turned on.

Procedure

To enable Ranger auditing:

  1. In Ambari, select the Ranger service and navigate to Configs > Ranger Audit.
    Screen capture of the Ambari Ranger Audit dialog.
  2. If you select Audit to HDFS, set the destination HDFS directory. The default is hdfs://<host>:8020/ranger/audit.
    Note that Audit to HDFS audits do not show up on the Ranger Admin UI. You must go to the destination HDFS directory to find these audits.
  3. You can also select Audit to Solr.
    To use Audit to Solr:
    1. Enable both Audit to Solr and SolrCloud by clicking the respective buttons.
      Note: Audit to Solr has to be enabled before enabling the Ranger Solr plugin. If they are both enabled simultaneously, Solr does not start because the ranger_audits collection cannot be created.
    2. After enabling Audit to Solr and SolrCloud, you can set the ranger.audit.solr.zookeepers URL. The default is <host>:2181/solr.
    3. Save your configuration changes.
    4. To enable Audit to Solr for the Ranger plugins, you need to manually set the xasecure.audit.destination.solr.zookeepers parameter. Go to the corresponding plugin component, such as HDFS > Configs, and set the parameter as shown:
      • xasecure.audit.destination.solr.zookeepers = <host>:2181/solr
      where <host>:2181/solr is the same value that is set on Ranger for ranger.audit.solr.zookeepers.

      If there are multiple ZooKeeper URLs, add /solr only to the end of the last one. For example: <host1>:2181,<host2>:2181,<host3>:2181/solr.

    5. Save all configuration changes and restart the Ranger, Solr, and HDFS services.
    When Audit to Solr is enabled, you can see audits on the Solr Admin UI if you query for ranger_audits, as shown below:
    Screen capture of the Ambari Ranger Configs dialog.
    To also access the audits on the Ranger Audit page, ensure that the ranger user is given access under the Solr policy.
    Audit Configuration Specifics
    Make a note of the following important requirements for using Ranger audit:
    1. If you change the directories or URLs for audit to Solr or HDFS on Ambari > Ranger > Configs > Ranger Audit, then you must manually make the same change on the Ambari configuration page of each plugin's component.

      For example, if you change the value for ranger.audit.solr.zookeepers or the Destination HDFS Directory (corresponding to xasecure.audit.destination.hdfs.dir), then for each plugin, go to its respective Ambari configuration (for example, Ambari > HDFS) and manually update the parameter's value.

    2. If NameNode HA is enabled and the Destination HDFS Directory will reference the NameNode host, use the nameservice alias instead.
    3. To avoid a problem where event times are not logged correctly due to a timezone difference, you can create a file named ranger-admin-env-javaopts.sh in the path /usr/hdp/current/ranger-admin/conf/, with the following entry:
      export JAVA_OPTS=" ${JAVA_OPTS} -Duser.timezone=UTC"
      Then, save the file and restart the Ranger admin service.
    Tip: If the Solr Admin UI shows that the SolrCore is locked, with error messages like {{core}} : {{error}}, and the logs found in /var/log/solr contain error messages like (lockType=hdfs) Throwing exception, or if you get an Unable to connect to Audit store!! message on the Ranger UI, the HDFS cores have write locks on them. You can remove the write lock found in HDFS in your apps/solr/collections../index/write.lock, and then restart HDFS and Solr.
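
The ZooKeeper URL rule from step 3 (append /solr only to the last URL) and the requirement to keep each plugin's xasecure.audit.destination.solr.zookeepers identical to ranger.audit.solr.zookeepers can be checked before restarting services. The following is an added example, not part of the product documentation; the host names, component labels and function names are assumptions made for illustration.

```python
import re

HOST_PORT = re.compile(r"^[A-Za-z0-9._-]+:\d{1,5}$")

def parse_zk_connect(value):
    """Split a ZooKeeper connect string into (hosts, chroot); ValueError if malformed."""
    entries = [e.strip() for e in value.strip().split(",")]
    # Rule from the procedure: /solr is appended only to the last URL.
    for entry in entries[:-1]:
        if "/" in entry:
            raise ValueError(f"chroot on non-final entry {entry!r}")
    last, slash, path = entries[-1].partition("/")
    hosts = entries[:-1] + [last]
    for host in hosts:
        if not HOST_PORT.match(host):
            raise ValueError(f"expected host:port, got {host!r}")
    return hosts, slash + path

def audit_drift(ranger_value, plugin_values):
    """Return findings for plugin values that are malformed or differ from Ranger's."""
    reference = parse_zk_connect(ranger_value)
    findings = []
    for component, value in plugin_values.items():
        try:
            parsed = parse_zk_connect(value)
        except ValueError as exc:
            findings.append(f"{component}: {exc}")
            continue
        if parsed != reference:
            findings.append(f"{component}: differs from ranger.audit.solr.zookeepers")
    return findings

# Constructed sample values (hypothetical hosts and component labels).
RANGER_VALUE = "zk1.example.com:2181,zk2.example.com:2181,zk3.example.com:2181/solr"
PLUGIN_VALUES = {
    "HDFS": RANGER_VALUE,  # matches Ranger
    "BIGSQL": "zk1.example.com:2181/solr,zk2.example.com:2181/solr,zk3.example.com:2181/solr",
    "HIVE": "zk1.example.com:2181,zk2.example.com:2181/solr",  # stale host list
}

if __name__ == "__main__":
    for finding in audit_drift(RANGER_VALUE, PLUGIN_VALUES):
        print(finding)
```

A component that appears in the findings is one whose audit events may not reach the ranger_audits collection until its parameter is corrected in Ambari.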