Hi, I'm trying to configure audit logging to Solr for HDFS and YARN in Bigtop 3.2 with Ranger 2.4.0. It's working with no issues for HDFS, but for YARN I am always finding the same issue for every cluster where I try it.
My understanding is that I have to add these settings to ranger-<plugin_name>-audit.xml for the plugin to be able to authenticate to Solr:

<property>
  <name>xasecure.audit.destination.solr.force.use.inmemory.jaas.config</name>
  <value>true</value>
</property>
<property>
  <name>xasecure.audit.jaas.Client.loginModuleControlFlag</name>
  <value>required</value>
</property>
<property>
  <name>xasecure.audit.jaas.Client.loginModuleName</name>
  <value>com.sun.security.auth.module.Krb5LoginModule</value>
</property>
<property>
  <name>xasecure.audit.jaas.Client.option.keyTab</name>
  <value>/etc/security/keytabs/<component>.service.keytab</value>
</property>
<property>
  <name>xasecure.audit.jaas.Client.option.principal</name>
  <value><principal>/_HOST@<REALM></value>
</property>
<property>
  <name>xasecure.audit.jaas.Client.option.serviceName</name>
  <value>solr</value>
</property>
<property>
  <name>xasecure.audit.jaas.Client.option.storeKey</name>
  <value>false</value>
</property>
<property>
  <name>xasecure.audit.jaas.Client.option.useKeyTab</name>
  <value>true</value>
</property>

And indeed that's the case for HDFS. Without these settings, it is not able to push audit logs to Solr, but when I add them, it starts working. That's not working so well with YARN though.
Indeed, it will be able to push audit logs to Solr after adding those settings, but it will stop being able to elect an active ResourceManager because it's not able to authenticate to ZooKeeper anymore:

2024-04-24 16:32:59,202 [zkConnectionManagerCallback-1165-thread-1] WARN [ConnectionManager.java:112] Watcher org.apache.solr.common.cloud.ConnectionManager@372ad43a name: ZooKeeperConnection Watcher:node1.example.com:2181,node2.example.com:2181,node3.example.com:2181/solr got event WatchedEvent state:Disconnected type:None path:null path: null type: None
2024-04-24 16:32:59,202 [zkConnectionManagerCallback-1165-thread-1] WARN [ConnectionManager.java:194] zkClient has disconnected
2024-04-24 16:33:43,514 [main] WARN [NativeCodeLoader.java:60] Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
2024-04-24 16:33:44,416 [Thread-7-SendThread(node2.example.com:2181)] WARN [ClientCnxn.java:1007] SASL configuration failed: javax.security.auth.login.LoginException: No JAAS configuration section named 'Client' was found in specified JAAS configuration file: '/dev/null'. Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it.
2024-04-24 16:33:44,420 [zkConnectionManagerCallback-5-thread-1] WARN [ConnectionManager.java:112] Watcher org.apache.solr.common.cloud.ConnectionManager@64902a7a name: ZooKeeperConnection Watcher:node1.example.com:2181,node2.example.com:2181,node3.example.com:2181/solr got event WatchedEvent state:AuthFailed type:None path:null path: null type: None
2024-04-24 16:33:44,422 [zkConnectionManagerCallback-5-thread-1] WARN [ConnectionManager.java:198] zkClient received AuthFailed

I don't know if I am doing anything wrong, but I think I am following the documentation and the configuration looks the same as other HDP and CDP clusters I have where it's working.