Linux-UNIX: FAQs Hortonworks Ranger configuration

Read answers to the most frequently asked questions about the Hortonworks Ranger configuration.

What Hadoop service components connect to the S-TAP®?
The Hortonworks documentation at https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.4/bk_command-line-installation/content/installing_ranger_plugins.html lists where the Ranger plug-ins are installed for each Hadoop service. These plug-ins are what connect to the S-TAP.
Can multiple S-TAPs be configured per Hadoop service?
It depends. The Ranger plug-ins for the service connect to the S-TAP. If your HDFS service has only a single NameNode, there can be only one connection for that service. If there are multiple components with Ranger plug-ins (for example, HBase, which has the Ranger plug-ins on the Master server and on every Region server), multiple connections can be made. The main issue is that all components of the Hadoop service share one configuration. As a result, the remote host parameter of the Guardium® log4j logger is the same for every component. One option is to put "localhost" as the host to log to and install an S-TAP on every node that has a Ranger plug-in for that service. Another option is to use DNS round robin to have each plug-in connect to a different S-TAP. A third option is to use configuration groups to specify different Guardium log4j logger remote hosts for the different Hadoop service components.
Why does the x service show up in reports for the y service?
Hadoop services often utilize each other for various functions. It is normal to see references to other Hadoop services in reports.
What is missing if the Ranger plug-in for x service is not configured?
No audits related to that service are logged.
Can Ranger policies be configured to filter the audits sent to the S-TAP while retaining audits in Ranger?
No. If actions match a Ranger policy and that policy has auditing enabled, the audit goes to all audit destinations.
Is an inspection engine needed for Hortonworks integration?
No. Inspection engines are not needed for Hadoop services that use the integration to send audits.
The Guardium UI is showing monitoring enabled, but the Ranger plug-ins are not installed yet. What is happening?
Guardium checks only that the Guardium log4j logger exists in the Hadoop service logging configuration. It does not check whether the Ranger plug-ins are installed, or if the Ranger repository and policies exist.
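Because the UI status reflects only the presence of the logger, a node-level check can confirm more of the audit path. The following is an added example, not IBM or Hortonworks code. It assumes that the Guardium logger is a log4j 1.x SocketAppender and that the plug-in's audit XML enables the log4j destination through `xasecure.audit.destination.log4j`; the appender name, port and sample text are constructed.

```python
import xml.etree.ElementTree as ET

SOCKET_APPENDER = "org.apache.log4j.net.SocketAppender"  # assumption: logger type
AUDIT_TO_LOG4J = "xasecure.audit.destination.log4j"      # assumption: plug-in switch
# Constructed sample inputs (appender name, host and port are illustrative)
SAMPLE_LOG4J = """\
log4j.appender.RANGER_AUDIT=org.apache.log4j.net.SocketAppender
log4j.appender.RANGER_AUDIT.RemoteHost=localhost
log4j.appender.RANGER_AUDIT.Port=5555
"""
SAMPLE_RANGER_AUDIT = ("<configuration><property><name>" + AUDIT_TO_LOG4J +
                       "</name><value>true</value></property></configuration>")

def parse_properties(text):
    """Parse log4j 1.x .properties text into a dict (no line continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def socket_appenders(props):
    """Return {appender_name: remote_host} for every SocketAppender defined."""
    found = {}
    for key, value in props.items():
        parts = key.split(".")
        if len(parts) == 3 and parts[:2] == ["log4j", "appender"] and value == SOCKET_APPENDER:
            # log4j accepts either capitalisation of the option's first letter
            found[parts[2]] = props.get(key + ".RemoteHost") or props.get(key + ".remoteHost")
    return found

def ranger_log4j_audit_enabled(xml_text):
    """True if the plug-in audit config turns on the log4j audit destination."""
    for prop in ET.fromstring(xml_text).iter("property"):
        if prop.findtext("name", "").strip() == AUDIT_TO_LOG4J:
            return prop.findtext("value", "").strip().lower() == "true"
    return False

def audit_path_gaps(log4j_text, ranger_audit_xml):
    """List what is missing; ranger_audit_xml is None when the file is absent."""
    appenders = socket_appenders(parse_properties(log4j_text))
    gaps = [f"appender {n} has no RemoteHost" for n, h in appenders.items() if not h]
    if not appenders:
        gaps.append("no SocketAppender in log4j configuration")
    if ranger_audit_xml is None:
        gaps.append("Ranger plug-in audit file not found (plug-in not installed?)")
    elif not ranger_log4j_audit_enabled(ranger_audit_xml):
        gaps.append("Ranger plug-in does not audit to log4j")
    return gaps
```

This check does not confirm that the Ranger repository and policies exist; that has to be verified in Ranger itself.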