Learn how to configure the S-TAP for Ranger HDFS integration.
Before you begin
Verify the following before you start:
- A functional Hortonworks cluster with Ranger installed and properly configured or a Cloudera Data
Platform 7.x cluster with Ranger installed and configured. Ranger should be configured with policies
to log all desired operations. Ranger should be configured to log audits to HDFS.
- If HDFS uses Kerberos, you need to specify the path to a keytab and a corresponding principal
(ranger_hdfs_user).
- S-TAP is installed on a cluster node that has the proper HDFS libraries.
- The user with which S-TAP connects to HDFS must have the necessary permissions to read the files
in the Ranger audit directories.
Procedure
- Install the S-TAP or S-TAPs using the standard procedure for the chosen installer (GIM, shell,
or RPM).
- Browse to , select the S-TAP or
S-TAPs that are and set STAP_RANGER_HDFS_READER_ENABLED=1. (You can also
directly modify the parameter ranger_hdfs_reader_enabled in the
guard_tap.ini and restart the S-TAPs.) This step ensures that only the relevant S-TAPs
display in the GUI.
- Browse to and click
in the Add cluster information tile.
- Select Ranger HDFS from the Hadoop
distribution drop-down menu.
- From the Host name/IP drop-down list, select the Ambari server
where the S-TAP is installed.
- Configure the following parameters.
Table 1. Parameters for HDFS integration
| GUI | Default | Description |
| --- | --- | --- |
| HDFS audit directories | NULL | Comma-separated list of directories where Ranger logs the service audits. For each service you want to monitor, include one directory that contains the daily log directories. Usually the paths are located under /ranger/audit. Example service directories for CDP 7: /ranger/audit/hive/hiveServer2,/ranger/audit/kafka/kafka,/ranger/audit/hbase/hbaseMaster,/ranger/audit/hbase/hbaseRegional,/ranger/audit/atlas/atlas,/ranger/audit/hdfs/hdfs Example service directories for HW 3: /ranger/audit/hbaseMaster,/ranger/audit/hbaseRegional,/ranger/audit/hdfs,/ranger/audit/hiveServer2,/ranger/audit/kafka,/ranger/audit/solr,/ranger/audit/storm |
| HDFS lib location | NULL | Locate libhdfs.so provided by the Hadoop cluster (for example, /usr/hdp/3.1.0.141-1/usr/lib/libhdfs.so) and set ranger_hdfs_lib_location to the directory that contains libhdfs.so (for example, /usr/hdp/3.1.0.141-1/usr/lib). |
| HDFS name node | NULL | IP or hostname of the HDFS NameNode. |
| HDFS poll (milliseconds) | 100 | Time interval, in milliseconds, that the S-TAP waits between checks for new Ranger audits in HDFS. |
| HDFS port | 8020 | The HDFS NameNode port the S-TAP connects to. |
| HDFS user | NULL | The user with which S-TAP connects to HDFS. If the HDFS setup is using Kerberos, set the parameter to the Kerberos principal. |
| LD library path | NULL | Locate libjvm.so (for example, /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/lib/amd64/server/libjvm.so) and set ld_library_paths to the directory that contains libjvm.so (for example, /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/lib/amd64/server). |
| HDFS audit history length | 30 | The length of the audit history. A positive value is the history length in days, maximum = 2147483647; the default is 30 (days). A negative value is the history length in hours, maximum = -2147483648. With 0, the S-TAP reads audits from the first audit that was written into the Ranger audit logs. |
| Use Kerberos | | Check to use Kerberos authentication. |
| Principal | | Required for Kerberos. The value of Ranger HDFS user. |
| HDFS keytab | NULL | Required for Kerberos. Location of the Kerberos keytab that contains the principal used to connect to HDFS. |
- Click Save.
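
The prerequisites and Table 1 values can be checked on the S-TAP node before saving. The following is an added example, not part of the original page or of S-TAP: all function names are hypothetical, the owner-only keytab mode and the whitespace rejection are assumptions made here, and check_cluster_access assumes MIT Kerberos klist, the hdfs client, and a valid ticket for the HDFS user.

```shell
#!/bin/sh
# Added example: pre-flight checks for Table 1 values. Function names are
# hypothetical and not part of S-TAP; run on the node where S-TAP is installed.

fail() { echo "FAIL: $*" >&2; exit 1; }

# The field must name the DIRECTORY that contains the library, not the .so file.
check_lib_dir() (            # $1 = configured directory, $2 = libhdfs.so | libjvm.so
    [ -d "$1" ] || fail "$1 is not a directory"
    [ -r "$1/$2" ] || fail "$2 is not readable in $1"
)

# "HDFS audit directories": comma-separated, every entry a unique absolute path.
# Rejecting whitespace is a conservative assumption (catches wrapped pastes).
check_audit_dirs() (         # $1 = the comma-separated list
    case "$1" in ''|,*|*,|*,,*) fail "empty entry in list" ;; esac
    seen=','; IFS=','; set -f
    for d in $1; do
        [ "$d" = "$(printf %s "$d" | tr -d '[:space:]')" ] || fail "whitespace in '$d'"
        case "$d" in /*) ;; *) fail "'$d' is not an absolute path" ;; esac
        case "$seen" in *",$d,"*) fail "duplicate entry $d" ;; esac
        seen="$seen$d,"
    done
)

# A keytab holds long-term keys. Owner-only mode is a hardening assumption
# added here, not a requirement stated on the page.
check_keytab_mode() (        # $1 = keytab path
    [ -r "$1" ] || fail "keytab $1 is not readable"
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ] ||
        fail "keytab $1 is accessible to group or other"
)

# Live checks: the principal is in the keytab and can list each audit directory.
# Needs MIT Kerberos klist, the hdfs client, and a valid ticket for the HDFS user.
check_cluster_access() (     # $1 = keytab, $2 = principal, $3 = audit dir list
    klist -kt "$1" | grep -F -q -- "$2" || fail "$2 not found in $1"
    IFS=','; set -f
    for d in $3; do
        hdfs dfs -ls "$d" >/dev/null || fail "HDFS user cannot list $d"
    done
)
```

Each function returns non-zero and prints the reason on the first failed check, so the calls can be chained with && in a deployment script.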