Nicolas,

I haven't been on Hadoop for a while, but I remember that we could see in the component logs that they were trying to pull the Ranger policies from Ranger API on a regular basis (something like every 30 seconds).

So 2 things I would check:
- Is the Ranger plugin activated on HDFS? (If you use Ambari, then it's easy to check this out in the Ranger tab.)
- Can it pull the Ranger policies from Ranger API? (Take a look at HDFS logs, both on the NameNode and on DataNodes.)

What surprises me is that the Audit logs you show are not about /tmp folder denial, so my guess is that Ranger is not aware of your activities.

Best regards,

Loïc CHANEL
System Big Data engineer
Vision 360 Degrés (Lyon, France)

On Mon, 9 March 2020 at 15:46, Nicolas Paris <nicolas.pa...@riseup.net> wrote:

>
> Loïc Chanel <loic.cha...@telecomnancy.net> writes:
> > Do you see in the logs that Spark is able to pull the policies from Ranger
> > API ?
>
> I did look at several log files. On the spark side, the previous email
> shows the logs. On the ranger side, the xa_portal.log does not provide
> any mention of hdfs attempt to be read by the user.
>
> The hdfs://ranger/audit/hdfs/*.log contains such an entry:
>
> ```json
> {"repoType":1,"repo":"CLUSTER_hadoop","reqUser":"nicolas","evtTime":"2020-03-09 13:50:08.389","access":"WRITE","resource":"/app-logs/nicolas...","resType":"path","action":"write","result":1,"policy":-1,"reason":"/app-logs/nicolas/logs-ifile/application_1583593832792_0067","enforcer":"hadoop-acl","cliIP":"IP","agentHost":"hostname","logType":"RangerAudit","id":"da76751f-af19-49f1-8d47-f52f7e68d593-6700046","seq_num":10150745,"event_count":1,"event_dur_ms":0,"tags":[],"cluster_name":"CLUSTER"}
> ```
> I don't find any mention of enforcer:ranger* in the audit logs
>
>
> > Either way, could you please share the policies you defined in Ranger for
> > your user ?
>
> The rules added are:
> Policy ID: 1
> policy type: Access
> policy name: all pth name | Enabled
> resource Path: /* | recursive
> audit logging: yes
> select user: hdfs, rangerlookup, ambari-qa
> permission: read,write,execute
> delegate admin: yes
>
> Policy ID: 2
> policy type: Access
> policy name: kms-audit-path name | Enabled
> resource Path: /ranger/audit/kms | recursive
> audit logging: yes
> select user: keyadmin
> permission: read,write,execute
>
> Policy ID: 3
> policy type: Access
> policy name: my policy name | Enabled
> resource Path: /tmp | recursive
> audit logging: yes
> select user: nicolas
> permission: read,write,execute
>
> Thanks
> --
> nicolas paris
>
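
The check discussed in this thread, as an added example that is not part of the original messages: it tallies HDFS audit entries per enforcer and policy id for one user under one path, so you can see whether any decision for `/tmp` was logged and whether a `ranger*` enforcer made it. The first sample entry is the one quoted above; the second is constructed, and its `ranger-acl` enforcer value and file path are assumptions, as are the function names.

```python
import json
from collections import Counter

# Audit entry quoted in the thread (elided path kept as posted).
THREAD_ENTRY = '{"repoType":1,"repo":"CLUSTER_hadoop","reqUser":"nicolas","evtTime":"2020-03-09 13:50:08.389","access":"WRITE","resource":"/app-logs/nicolas...","resType":"path","action":"write","result":1,"policy":-1,"reason":"/app-logs/nicolas/logs-ifile/application_1583593832792_0067","enforcer":"hadoop-acl","cliIP":"IP","agentHost":"hostname","logType":"RangerAudit","id":"da76751f-af19-49f1-8d47-f52f7e68d593-6700046","seq_num":10150745,"event_count":1,"event_dur_ms":0,"tags":[],"cluster_name":"CLUSTER"}'

# Constructed entry (assumption): how a decision made by policy 3 on /tmp might look.
CONSTRUCTED_ENTRY = '{"reqUser":"nicolas","access":"WRITE","resource":"/tmp/example.txt","result":1,"policy":3,"enforcer":"ranger-acl","logType":"RangerAudit"}'


def under(path, prefix):
    """True if path is prefix itself or lies below it (so /tmpfoo is not under /tmp)."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def summarize(lines, user, prefix):
    """Count audit entries per (enforcer, policy id) for one user under one path."""
    counts = Counter()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            evt = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip truncated or partially written lines
        if evt.get("logType") != "RangerAudit" or evt.get("reqUser") != user:
            continue
        if under(evt.get("resource", ""), prefix):
            counts[(evt.get("enforcer"), evt.get("policy"))] += 1
    return counts


def ranger_decided(counts):
    """True if at least one counted entry was decided by a ranger* enforcer."""
    return any(str(enforcer).startswith("ranger") for enforcer, _ in counts)


if __name__ == "__main__":
    for prefix in ("/app-logs", "/tmp"):
        c = summarize([THREAD_ENTRY, CONSTRUCTED_ENTRY], "nicolas", prefix)
        print(prefix, dict(c), "ranger decided:", ranger_decided(c))
```

Run against only the entry from the thread, the `/tmp` summary is empty, which matches the observation that the audit logs shown are not about `/tmp` at all.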