Hi,

I'm trying to configure audit logging to Solr for HDFS and YARN in Bigtop 3.2 
with Ranger 2.4.0.
It's working with no issues for HDFS, but for YARN I am always finding the same 
issue for every cluster where I try it.

My understanding is that I have to add these settings to 
ranger-<plugin_name>-audit.xml for the plugin to be able to authenticate to 
Solr:

    <property>
      <name>xasecure.audit.destination.solr.force.use.inmemory.jaas.config</name>
      <value>true</value>
    </property>
    <property>
      <name>xasecure.audit.jaas.Client.loginModuleControlFlag</name>
      <value>required</value>
    </property>
    <property>
      <name>xasecure.audit.jaas.Client.loginModuleName</name>
      <value>com.sun.security.auth.module.Krb5LoginModule</value>
    </property>
    <property>
      <name>xasecure.audit.jaas.Client.option.keyTab</name>
      <value>/etc/security/keytabs/<component>.service.keytab</value>
    </property>
    <property>
      <name>xasecure.audit.jaas.Client.option.principal</name>
      <value><principal>/_HOST@<REALM></value>
    </property>
    <property>
      <name>xasecure.audit.jaas.Client.option.serviceName</name>
      <value>solr</value>
    </property>
    <property>
      <name>xasecure.audit.jaas.Client.option.storeKey</name>
      <value>false</value>
    </property>
    <property>
      <name>xasecure.audit.jaas.Client.option.useKeyTab</name>
      <value>true</value>
    </property>

And indeed that's the case for HDFS. Without these settings, it is not able to 
push audit logs to Solr, but when I add them, it starts working. 

That's not working so well with YARN though. Indeed, it will be able to push 
audit logs to Solr after adding those settings, but it will stop being able to 
elect an active ResourceManager because it's not able to authenticate to 
ZooKeeper anymore:

2024-04-24 16:32:59,202 [zkConnectionManagerCallback-1165-thread-1] WARN [ConnectionManager.java:112] Watcher org.apache.solr.common.cloud.ConnectionManager@372ad43a name: ZooKeeperConnection Watcher:node1.example.com:2181,node2.example.com:2181,node3.example.com:2181/solr got event WatchedEvent state:Disconnected type:None path:null path: null type: None
2024-04-24 16:32:59,202 [zkConnectionManagerCallback-1165-thread-1] WARN [ConnectionManager.java:194] zkClient has disconnected
2024-04-24 16:33:43,514 [main] WARN [NativeCodeLoader.java:60] Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
2024-04-24 16:33:44,416 [Thread-7-SendThread(node2.example.com:2181)] WARN [ClientCnxn.java:1007] SASL configuration failed: javax.security.auth.login.LoginException: No JAAS configuration section named 'Client' was found in specified JAAS configuration file: '/dev/null'. Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it.
2024-04-24 16:33:44,420 [zkConnectionManagerCallback-5-thread-1] WARN [ConnectionManager.java:112] Watcher org.apache.solr.common.cloud.ConnectionManager@64902a7a name: ZooKeeperConnection Watcher:node1.example.com:2181,node2.example.com:2181,node3.example.com:2181/solr got event WatchedEvent state:AuthFailed type:None path:null path: null type: None
2024-04-24 16:33:44,422 [zkConnectionManagerCallback-5-thread-1] WARN [ConnectionManager.java:198] zkClient received AuthFailed

I don't know if I am doing anything wrong, but I think I am following the 
documentation and the configuration looks the same as other HDP and CDP 
clusters I have where it's working.
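
Added example (not part of the original message and not Ranger's own code): a Python sketch that groups the xasecure.audit.jaas.* properties shown above into the JAAS entry they describe, and extracts the section name and file from the ZooKeeper client warning, so the two can be compared side by side. The keytab path, principal and realm in the sample are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
PREFIX = "xasecure.audit.jaas."

# Constructed sample: keytab path, principal and realm are placeholders.
SAMPLE_XML = "<configuration>" + "".join(
    f"<property><name>{n}</name><value>{v}</value></property>" for n, v in [
        ("xasecure.audit.destination.solr.force.use.inmemory.jaas.config", "true"),
        (PREFIX + "Client.loginModuleControlFlag", "required"),
        (PREFIX + "Client.loginModuleName", "com.sun.security.auth.module.Krb5LoginModule"),
        (PREFIX + "Client.option.keyTab", "/etc/security/keytabs/rm.service.keytab"),
        (PREFIX + "Client.option.principal", "rm/_HOST@EXAMPLE.COM"),
        (PREFIX + "Client.option.serviceName", "solr"),
        (PREFIX + "Client.option.useKeyTab", "true"),
    ]) + "</configuration>"

# Constructed sample: the warning from the post, still hard-wrapped.
SAMPLE_LOG = """[ClientCnxn.java:1007] SASL configuration failed:
javax.security.auth.login.LoginException: No JAAS configuration section named
'Client' was found in specified JAAS configuration file: '/dev/null'. Will"""

def jaas_entries(xml_text):
    """Group xasecure.audit.jaas.<entry>.* properties by JAAS entry name."""
    entries = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if not name.startswith(PREFIX):
            continue  # e.g. the force.use.inmemory.jaas.config switch
        entry, _, key = name[len(PREFIX):].partition(".")
        slot = entries.setdefault(entry, {"options": {}})
        value = (prop.findtext("value") or "").strip()
        if key.startswith("option."):
            slot["options"][key[len("option."):]] = value
        else:
            slot[key] = value
    return entries

def render(entries):  # JAAS file syntax, for side-by-side review
    blocks = []
    for name, e in sorted(entries.items()):
        head = f'{e.get("loginModuleName", "?")} {e.get("loginModuleControlFlag", "?")}'
        opts = "".join(f'\n    {k}="{v}"' for k, v in sorted(e["options"].items()))
        blocks.append(f"{name} {{\n  {head}{opts};\n}};")
    return "\n".join(blocks)

def missing_sections(log_text):  # (section, file) pairs from the warnings
    flat = re.sub(r"\s+", " ", log_text)  # undo hard wrapping
    return re.findall(r"No JAAS configuration section named '([^']+)' was found "
                      r"in specified JAAS configuration file: '([^']+)'", flat)
```

On the sample, the entry rendered from the audit properties and the section named in the warning are both Client, which is also the default section name the ZooKeeper client looks up.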
