Linux-UNIX: FAQs Hortonworks Ranger configuration
Read answers to the most asked questions about the Hortonworks Ranger configuration.
- What Hadoop service components connect to the S-TAP®?
- The Hortonworks documentation at https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.4/bk_command-line-installation/content/installing_ranger_plugins.html lists where the Ranger plug-ins are installed for each Hadoop service. These plug-ins are what connect to the S-TAP.
- Can multiple S-TAPs be configured per Hadoop service?
- It depends. The Ranger plug-ins for the service connect to the S-TAP. If your HDFS service has only a single NameNode, there can be only one connection for that service. If there are multiple components with Ranger plug-ins (for example, HBase, which has Ranger plug-ins on the Master server and on every Region server), multiple connections can be made. The main issue is that all components of the Hadoop service share one configuration. As a result, the remote host parameter of the Guardium® log4j logger is the same for all of them. One option is to put "localhost" as the host to log to and install an S-TAP on every node that has a Ranger plug-in for that service. Another option is to use DNS round robin to have each plug-in connect to a different S-TAP. Another option is to use configuration groups to specify different Guardium log4j logger remote hosts for the different Hadoop service components.
- Why does the x service show up in reports for the y service?
- Hadoop services often utilize each other for various functions. It is normal to see references to other Hadoop services in reports.
- What is missing if the Ranger plug-in for x service is not configured?
- No audits related to that service are logged.
- Can Ranger policies be configured to filter the audits that are sent to the S-TAP while retaining those audits in Ranger?
- No. If actions match a Ranger policy and that policy has auditing enabled, the audit goes to all audit destinations.
- Is an inspection engine needed for Hortonworks integration?
- No. Inspection engines are not needed for Hadoop services that use the integration to send audits.
- The Guardium UI is showing monitoring enabled, but the Ranger plug-ins are not installed yet. What is happening?
- Guardium checks only that the Guardium log4j logger exists in the Hadoop service logging configuration. It does not check whether the Ranger plug-ins are installed, or if the Ranger repository and policies exist.
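The answer on multiple S-TAPs gives three options for the shared remote host setting: "localhost", DNS round robin, and configuration groups. The following coverage check is an added example, not part of the original FAQ and not Guardium or Ranger code. The host names, the inventory layout and the function names are constructed for illustration, and it assumes a DNS name that is not in the lookup table refers to a single host.

```python
def audit_targets(node, shared_host, group_overrides, dns):
    """Return the hosts a Ranger plug-in on `node` may send audits to."""
    # A configuration-group override replaces the service-wide remote host.
    host = group_overrides.get(node, shared_host)
    if host == "localhost":
        return [node]  # the plug-in logs to the S-TAP on its own node
    # A round-robin DNS name can resolve to any of several hosts
    # (constructed lookup table; no real DNS query is made).
    return dns.get(host, [host])


def uncovered_nodes(plugin_nodes, stap_nodes, shared_host,
                    group_overrides=None, dns=None):
    """Map each plug-in node to the audit targets that have no S-TAP."""
    gaps = {}
    for node in plugin_nodes:
        targets = audit_targets(node, shared_host,
                                group_overrides or {}, dns or {})
        missing = sorted(t for t in targets if t not in stap_nodes)
        if missing:
            gaps[node] = missing
    return gaps


# Constructed inventory: HBase Master plus two Region servers.
HBASE_PLUGIN_NODES = ["master1", "region1", "region2"]

if __name__ == "__main__":
    # Option 1: "localhost" needs an S-TAP on every plug-in node.
    print(uncovered_nodes(HBASE_PLUGIN_NODES, {"master1", "region1"},
                          "localhost"))
    # Option 2: DNS round robin; every host behind the name needs an S-TAP.
    rr = {"stap-rr": ["stap1", "stap2"]}
    print(uncovered_nodes(HBASE_PLUGIN_NODES, {"stap1"}, "stap-rr", dns=rr))
    # Option 3: configuration groups give components different remote hosts.
    groups = {"region1": "stap2", "region2": "stap2"}
    print(uncovered_nodes(HBASE_PLUGIN_NODES, {"stap1", "stap2"},
                          "stap1", group_overrides=groups))
```

An empty result means every plug-in node has an S-TAP at each host it can log to. Any node that is listed would lose audits for that service whenever it picks the missing target.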