Linux-UNIX: Configure Guardium and Ranger communication

Learn how to establish communication between the Guardium system and Ranger.

Before you begin

  • If you are using SSL, add the certificate to the keystore with the CLI command store certificate keystore trusted console.
You can perform the equivalent procedure using the APIs add_ranger_config and add_ranger_service.

Procedure

  1. Go to Setup > Tools and Views > Hadoop Monitoring.
  2. Click the plus icon in the Add cluster information section to begin defining a new configuration.
  3. Select Hortonworks from the Hadoop distribution menu.
  4. Host name/IP - Enter the host name or IP address of the Ambari server.
  5. Port number - Enter the Ambari server port number.
    If you leave this field blank, the configuration uses the default port of 8080.
  6. Cluster name - Enter the Hadoop cluster name.
  7. If you are using SSL, check the SSL Enabled checkbox.
  8. User name - Enter an Ambari administrator user name.
  9. Password - Enter the password for the Ambari administrator account.
  10. Click Test Connection to verify the configuration.
  11. Click Save to save the configuration.
  12. If you are using Hive 3+: The Hadoop administrator must modify the configuration:
    1. In the advanced configuration page in Ambari for Hive, remove any previous reference to the Guardium logger/appender from the log4j 2 configuration files (for example the beeline-log4j2, hive-exec-log4j2, hive-log4j2, and llap-cli-log4j2 files). Remove these lines:
      # Configuration for Guardium integration with Ranger log4j logging.
      log4j.appender.guardlistener=org.apache.log4j.net.SocketAppender
      log4j.appender.guardlistener.Port=5555
      log4j.appender.guardlistener.RemoteHost=hw-cl4-01.guard.swg.usma.ibm.com
      log4j.logger.xaaudit=ALL,guardlistener
      
    2. Add these lines to the log4j 2 configuration files.
      # audit logger
      # Configuration for Guardium integration with Ranger log4j logging.
      appender.guardlistener.type=Socket
      appender.guardlistener.name=guardlistener
      appender.guardlistener.port=5555
      appender.guardlistener.host=9.32.164.237
      appender.guardlistener.layout.type = SerializedLayout
      logger.xaaudit.name=xaaudit
      logger.xaaudit.level=INFO
      logger.xaaudit.appenderRef.guardlistener.ref = guardlistener
    3. Adjust the port and host for your environment. The host is the S-TAP you are using and the port is 5555 unless changed. If it is changed, it must match the log4j_port parameter value in the guard_tap.ini file.
    4. Modify the log4j 2 configuration file with the same changes in four sections: beeline-log4j2, hive-exec-log4j2, hive-log4j2, and llap-cli-log4j2. The changes are:
      • add guardlistener to the list of appenders:
        appenders = console, DRFA, audittest, guardlistener
      • add xaaudit to the list of loggers:
        loggers = NIOServerCnxn, ClientCnxnSocketNIO, DataNucleus, Datastore, JPOX, xaaudit
    5. Restart the HIVE service.
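The edit in steps 12.1 to 12.4 touches four properties files, and a typo in any of them silently leaves Ranger audit events off the S-TAP. The following checker is an added example (it is not part of the IBM Guardium documentation or of the guard_stap tooling): it parses a log4j2 .properties file, confirms that the guardlistener appender and xaaudit logger are present and listed in the appenders/loggers lines, flags any surviving log4j 1 lines, and verifies that the appender port matches log4j_port in guard_tap.ini (step 12.3). All file contents are constructed samples; the [TAP] section name and the host name stap.example.invalid are assumptions.

```python
"""Check a Hive log4j2 properties file for the Guardium socket appender (added example)."""
import configparser

# Constructed sample: a trimmed hive-log4j2 properties file after the edit.
SAMPLE_LOG4J2 = """\
appenders = console, DRFA, audittest, guardlistener
loggers = NIOServerCnxn, ClientCnxnSocketNIO, DataNucleus, Datastore, JPOX, xaaudit

# audit logger
# Configuration for Guardium integration with Ranger log4j logging.
appender.guardlistener.type=Socket
appender.guardlistener.name=guardlistener
appender.guardlistener.port=5555
appender.guardlistener.host=stap.example.invalid
appender.guardlistener.layout.type = SerializedLayout
logger.xaaudit.name=xaaudit
logger.xaaudit.level=INFO
logger.xaaudit.appenderRef.guardlistener.ref = guardlistener
"""

# Constructed sample of the relevant guard_tap.ini lines on the S-TAP host
# (section name is an assumption; only the log4j_port key matters here).
SAMPLE_GUARD_TAP_INI = """\
[TAP]
log4j_port=5555
"""

EXPECTED_LOG4J2 = {
    "appender.guardlistener.type": "Socket",
    "appender.guardlistener.name": "guardlistener",
    "appender.guardlistener.layout.type": "SerializedLayout",
    "logger.xaaudit.name": "xaaudit",
    "logger.xaaudit.appenderRef.guardlistener.ref": "guardlistener",
}


def parse_properties(text):
    """Parse key=value lines; blank lines and #/! comments are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def csv_list(value):
    """Split a comma-separated list such as the 'appenders' or 'loggers' line."""
    return [item.strip() for item in value.split(",") if item.strip()]


def stap_log4j_port(ini_text):
    """Return log4j_port from guard_tap.ini, whichever section holds it."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    for section in cp.sections():
        if cp.has_option(section, "log4j_port"):
            return cp.getint(section, "log4j_port")
    raise KeyError("log4j_port not found in guard_tap.ini")


def check_guardium_log4j2(props_text, ini_text):
    """Return a list of findings; an empty list means the file matches the procedure."""
    props = parse_properties(props_text)
    findings = []
    for key, want in EXPECTED_LOG4J2.items():
        got = props.get(key)
        if got != want:
            findings.append(f"{key}: expected {want!r}, found {got!r}")
    if not props.get("appender.guardlistener.host"):
        findings.append("appender.guardlistener.host is not set")
    if "guardlistener" not in csv_list(props.get("appenders", "")):
        findings.append("guardlistener is missing from the 'appenders' list")
    if "xaaudit" not in csv_list(props.get("loggers", "")):
        findings.append("xaaudit is missing from the 'loggers' list")
    # Step 12.1 removes the log4j 1 appender; flag anything that survived.
    for key in props:
        if key.startswith("log4j.appender.guardlistener") or key == "log4j.logger.xaaudit":
            findings.append(f"stale log4j 1 line still present: {key}")
    # Step 12.3: the appender port must match log4j_port on the S-TAP.
    port = props.get("appender.guardlistener.port", "")
    ini_port = stap_log4j_port(ini_text)
    if not port.isdigit() or int(port) != ini_port:
        findings.append(f"appender port {port!r} does not match guard_tap.ini log4j_port={ini_port}")
    return findings


if __name__ == "__main__":
    for finding in check_guardium_log4j2(SAMPLE_LOG4J2, SAMPLE_GUARD_TAP_INI) or ["OK"]:
        print(finding)
```

Run it once per properties file (beeline-log4j2, hive-exec-log4j2, hive-log4j2, llap-cli-log4j2) with the guard_tap.ini copied from the S-TAP host; any finding means the Hive restart in step 12.5 will not produce audit traffic to the S-TAP.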
  13. If you are using a version of Hive earlier than Hive 3: The Hadoop administrator must verify the configuration.
    1. Verify that the log4j configuration contains these lines:
      # Configuration for Guardium integration with Ranger log4j logging.
      log4j.appender.guardlistener=org.apache.log4j.net.SocketAppender
      log4j.appender.guardlistener.Port=5555
      log4j.appender.guardlistener.RemoteHost=<host name>
      log4j.logger.xaaudit=ALL,guardlistener
    2. Adjust the port and host for your environment. The host is the S-TAP you are using and the port is 5555 unless changed. If it is changed, it must match the log4j_port parameter value in the guard_tap.ini file.
    3. Verify the following settings in custom ranger-<service>-audit:
      xasecure.audit.destination.log4j=true
      xasecure.audit.destination.log4j.logger=xaaudit
    4. If any changes were made, restart the HIVE service.
  14. If you are using Solr:
    1. Register Solr so that it can be monitored by using the script /usr/local/guardium/guard_stap/guard_log4j_listener_config.py. Enter this command, substituting your hostname:
      ./guard_log4j_listener_config.py -a <hostname> -b 8444 -u admin -p admin -c hw3cl1 -s solr -l 5555 -x enable --ssl
    2. Install the ranger plugin and add the following lines to these files to enable log4j logging:
      • /usr/cloudera-hdp-solr/xxx/cloudera-hdp-solr/solr/server/solr-webapp/webapp/WEB-INF/lib/ranger-solr-audit.xml
      • /usr/cloudera-hdp-solr/xxx/cloudera-hdp-solr/solr/server/resources/ranger-solr-audit.xml
      Lines to add to the files:
      <!-- Log4j audit provider configuration -->
      <property>
        <name>xasecure.audit.destination.log4j</name>
        <value>true</value>
      </property>
      <property>
        <name>xasecure.audit.destination.log4j.logger</name>
        <value>xaaudit</value>
      </property>
      <property>
        <name>xasecure.audit.log4j.is.enabled</name>
        <value>true</value>
      </property>
    3. Restart Solr.
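Both the Hive check in step 13.3 and the Solr edit in step 14.2 come down to the same Hadoop-style configuration XML (a <configuration> element holding <property> pairs of <name> and <value>). The following script is an added example, not part of the IBM documentation or of the Ranger plugin: it loads such a file and reports which of the xasecure.audit.* log4j settings are missing or carry an unexpected value, so the two ranger-solr-audit.xml copies can be compared before Solr is restarted. The XML content is a constructed sample.

```python
"""Verify the Ranger audit XML carries the Guardium log4j destination settings (added example)."""
import xml.etree.ElementTree as ET

# Settings step 14.2 adds for Solr; the first two are the ones step 13.3 verifies for Hive.
REQUIRED_AUDIT_SETTINGS = {
    "xasecure.audit.destination.log4j": "true",
    "xasecure.audit.destination.log4j.logger": "xaaudit",
    "xasecure.audit.log4j.is.enabled": "true",
}

# Constructed sample of a ranger-solr-audit.xml after the lines were added.
SAMPLE_RANGER_SOLR_AUDIT = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>xasecure.audit.is.enabled</name>
    <value>true</value>
  </property>
  <!-- Log4j audit provider configuration -->
  <property>
    <name>xasecure.audit.destination.log4j</name>
    <value>true</value>
  </property>
  <property>
    <name>xasecure.audit.destination.log4j.logger</name>
    <value>xaaudit</value>
  </property>
  <property>
    <name>xasecure.audit.log4j.is.enabled</name>
    <value>true</value>
  </property>
</configuration>
"""


def load_hadoop_xml(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style configuration file."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name is None:
            continue  # malformed entry without a <name>; skip rather than guess
        props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def missing_audit_settings(xml_text, required=REQUIRED_AUDIT_SETTINGS):
    """Return {name: found_value} for each required setting that is absent or wrong.

    An empty dict means the file already has every line the procedure asks for.
    """
    props = load_hadoop_xml(xml_text)
    return {name: props.get(name) for name, want in required.items() if props.get(name) != want}


def hive_audit_settings_ok(xml_text):
    """Step 13.3: only the two destination.log4j settings are required for Hive."""
    hive_required = {k: REQUIRED_AUDIT_SETTINGS[k] for k in
                     ("xasecure.audit.destination.log4j", "xasecure.audit.destination.log4j.logger")}
    return not missing_audit_settings(xml_text, hive_required)


if __name__ == "__main__":
    gaps = missing_audit_settings(SAMPLE_RANGER_SOLR_AUDIT)
    print("all log4j audit settings present" if not gaps else gaps)
```

Point the script at both copies listed in step 14.2 (the WEB-INF/lib copy and the server/resources copy): the Solr process reads the file from its classpath, so a line added to only one of them is a common reason for the S-TAP to see no Solr audit events after the restart.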

Results

The new configuration is available from the Hadoop Monitoring page (marked with a green check mark icon). If the service does not display port information and the S-TAP status is S-TAP not installed, edit the configuration and specify a valid S-TAP.