Linux-UNIX: Configure Guardium and Ranger communication
Learn how to establish communication between the Guardium system and Ranger.
Before you begin
- If you are using SSL, add the certificate to the keystore with the CLI command store certificate keystore trusted console.
Procedure
- Go to Setup > Tools and Views > Hadoop Monitoring.
- Click in the Add cluster information section to begin defining a new configuration.
- Select Hortonworks from the Hadoop distribution menu.
- Host name/IP - Enter the host name or IP address of the Ambari server.
- Port number - Enter the Ambari server port number. If you leave this field blank, the configuration uses the default port of 8080.
- Cluster name - Enter the Hadoop cluster name.
- If you are using SSL, check the SSL Enabled checkbox.
- User name - Enter an Ambari administrator user name.
- Password - Enter the password for the Ambari administrator account.
- Click Test Connection to verify the configuration.
- Click Save to save the configuration.
- If you are using Hive 3+: The Hadoop administrator must modify the configuration:
- In the advanced configuration page in Ambari for Hive, remove any previous reference to the Guardium logger/appender from the log4j 2 configuration files (for example the beeline-log4j2, hive-exec-log4j2, hive-log4j2, and llap-cli-log4j2 files). Remove these lines:
    # Configuration for Guardium integration with Ranger log4j logging.
    log4j.appender.guardlistener=org.apache.log4j.net.SocketAppender
    log4j.appender.guardlistener.Port=5555
    log4j.appender.guardlistener.RemoteHost=hw-cl4-01.guard.swg.usma.ibm.com
    log4j.logger.xaaudit=ALL,guardlistener
- Add these lines to the log4j 2 configuration files:
    # audit logger
    # Configuration for Guardium integration with Ranger log4j logging.
    appender.guardlistener.type=Socket
    appender.guardlistener.name=guardlistener
    appender.guardlistener.port=5555
    appender.guardlistener.host=9.32.164.237
    appender.guardlistener.layout.type = SerializedLayout
    logger.xaaudit.name=xaaudit
    logger.xaaudit.level=INFO
    logger.xaaudit.appenderRef.guardlistener.ref = guardlistener
- Adjust the port and host for your environment. The host is the S-TAP you are using and the port is 5555 unless changed. If it is changed, it must match the log4j_port parameter value in the guard_tap.ini file.
- Modify the log4j 2 configuration file with the same changes in four sections: beeline-log4j2, hive-exec-log4j2, hive-log4j2, and llap-cli-log4j2. The changes are:
- add guardlistener to the list of appenders:
    appenders = console, DRFA, audittest, guardlistener
- add xaaudit to the list of loggers:
    NIOServerCnxn, ClientCnxnSocketNIO, DataNucleus, Datastore, JPOXgua, xaaudit
- Restart the HIVE service.
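A consistency check for the Hive 3+ wiring above, added here as an example and not part of IBM's documentation or product: it parses a log4j 2 properties file and confirms the guardlistener Socket appender, the xaaudit logger routing, and that the appender port matches log4j_port in guard_tap.ini. The [TAP] section name and the sample host are assumptions.

```python
# Added example, not IBM's code: checks that a Hive log4j2 properties file has the
# guardlistener wiring from the steps above and that its port matches the S-TAP's
# log4j_port. Assumes guard_tap.ini keeps log4j_port under [TAP] (section name assumed).
import configparser
# Constructed sample inputs that mirror the entries the procedure adds.
SAMPLE_LOG4J2 = """
appenders = console, DRFA, audittest, guardlistener
loggers = NIOServerCnxn, DataNucleus, xaaudit
# audit logger
appender.guardlistener.type=Socket
appender.guardlistener.port=5555
appender.guardlistener.host=stap.example.internal
appender.guardlistener.layout.type = SerializedLayout
logger.xaaudit.name=xaaudit
logger.xaaudit.appenderRef.guardlistener.ref = guardlistener
"""
SAMPLE_GUARD_TAP = "[TAP]\nlog4j_port=5555\n"


def parse_properties(text):
    """Parse 'key = value' lines; blank lines and '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = value.strip()
    return props


def check_guardlistener(log4j2_text, guard_tap_ini):
    """Return a list of findings; an empty list means the wiring is consistent."""
    p = parse_properties(log4j2_text)
    ini = configparser.ConfigParser()
    ini.read_string(guard_tap_ini)
    stap_port = ini.get("TAP", "log4j_port", fallback="5555")  # 5555 unless changed
    listed = lambda key, name: name in [s.strip() for s in p.get(key, "").split(",")]
    findings = []
    if p.get("appender.guardlistener.type") != "Socket":
        findings.append("appender.guardlistener.type is not Socket")
    if not p.get("appender.guardlistener.host"):
        findings.append("appender.guardlistener.host (the S-TAP) is not set")
    if p.get("appender.guardlistener.port") != stap_port:
        findings.append("appender port does not match S-TAP log4j_port " + stap_port)
    if not listed("appenders", "guardlistener"):
        findings.append("guardlistener is missing from the appenders list")
    if not listed("loggers", "xaaudit"):
        findings.append("xaaudit is missing from the loggers list")
    if p.get("logger.xaaudit.appenderRef.guardlistener.ref") != "guardlistener":
        findings.append("logger.xaaudit is not routed to guardlistener")
    return findings
```

Run it against each of the four log4j2 sections (beeline, hive-exec, hive, llap-cli) after editing, since the same entries must be present in all of them.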
- If you are using a version of Hive earlier than Hive 3: The Hadoop administrator must verify the configuration:
- Verify that these lines are present in the log4j configuration:
    # Configuration for Guardium integration with Ranger log4j logging.
    log4j.appender.guardlistener=org.apache.log4j.net.SocketAppender
    log4j.appender.guardlistener.Port=5555
    log4j.appender.guardlistener.RemoteHost=<host name>
    log4j.logger.xaaudit=ALL,guardlistener
- Adjust the port and host for your environment. The host is the S-TAP you are using and the port is 5555 unless changed. If it is changed, it must match the log4j_port parameter value in the guard_tap.ini file.
- Verify the following settings in custom ranger-<service>-audit:
    xasecure.audit.destination.log4j=true
    xasecure.audit.destination.log4j.logger=xaaudit
- If any changes were made, restart the HIVE service.
- If you are using Solr:
- Register the Solr server so that it can be monitored by using the script /usr/local/guardium/guard_stap/guard_log4j_listener_config.py. Enter this command, substituting your host name:
    ./guard_log4j_listener_config.py -a <hostname> -b 8444 -u admin -p admin -c hw3cl1 -s solr -l 5555 -x enable --ssl
- Install the Ranger plugin and add the following lines to these files to enable log4j logging:
- /usr/cloudera-hdp-solr/xxx/cloudera-hdp-solr/solr/server/solr-webapp/webapp/WEB-INF/lib/ranger-solr-audit.xml
- /usr/cloudera-hdp-solr/xxx/cloudera-hdp-solr/solr/server/resources/ranger-solr-audit.xml
    <!-- Log4j audit provider configuration -->
    <property>
      <name>xasecure.audit.destination.log4j</name>
      <value>true</value>
    </property>
    <property>
      <name>xasecure.audit.destination.log4j.logger</name>
      <value>xaaudit</value>
    </property>
    <property>
      <name>xasecure.audit.log4j.is.enabled</name>
      <value>true</value>
    </property>
- Restart Solr.