Auditing Authorization Events

The HAWQ Ranger Plug-in Service supports storing auditing records in any of the Ranger auditing framework audit destinations, referred to as *audit sink*s. The /usr/local/hawq/ranger/etc/ranger-hawq-audit.xml file specifies the audit configuration. It contains sample definitions for the HDFS, Solr, and Log4j audit sinks.

As a best practice, configure one or more audit sinks in ranger-hawq-audit.xml before you register the HAWQ Ranger Plug-in Service. By default only the Log4j sink is enabled. Production deployments should use both a Solr and an HDFS audit sink, with the Solr destination configured to automatically purge audit records after some period of time. This configuration enables you to search the most recent audit records, while keeping a full history of auditing records in HDFS.

If you modify ranger-hawq-audit.xml after you have registered the HAWQ Ranger Plug-in, you must restart the plug-in for the changes to take effect. See Custom Configuration for instructions.

Full documentation for the Ranger auditing configuration properties and the Ranger auditing framework is available at Ranger 0.5 Audit Configuration.

Configuring Solr Auditing

To configure a Solr audit sink, you define a different set of properties in ranger-hawq-audit.xml depending on whether you use Zookeeper or a direct URL connect to your Solr destination. For a production environment, use Zookeeper instead of a direct URL.

If you use Zookeeper to connect to Solr, configure these auditing properties in ranger-hawq-audit.xml:

Table 1. Properties for Zookeeper Configuration

PropertyValueDescription
xasecure.audit.destination.solrtrueUse this property to enable or disable the Solr sink.
xasecure.audit.destination.solr.zookeepers<zookeeper connect string>Specify the Zookeeper connection string for the Solr destination.
xasecure.audit.destination.solr.collection<collection name>Specify the Solr collection name to use for indexing the HAWQ audit records. By default HAWQ uses the ranger_audits collection.
xasecure.audit.destination.solr.batch.filespool.*Multiple PropertiesSee Configuration related to File spooling in the Ranger documentation if you want to configure spooling of auditing events to disk when the in-memory buffer is full.
xasecure.audit.destination.solr.urlsNONELeave this property value empty or set it to NONE when using Zookeeper to connect to Solr.

For example:

  1. <!-- ********************************* -->
  2. <!-- SOLR audit provider configuration -->
  3. <!-- ********************************* -->
  4. <property>
  5. <name>xasecure.audit.destination.solr</name>
  6. <value>true</value>
  7. </property>
  8. <property>
  9. <name>xasecure.audit.destination.solr.zookeepers</name>
  10. <value>zkhost1:2181,zkhost2:2181/infra-solr</value>
  11. </property>
  12. <property>
  13. <name>xasecure.audit.destination.solr.collection</name>
  14. <value>ranger_audits</value>
  15. </property>
  16. <property>
  17. <name>xasecure.audit.destination.solr.urls</name>
  18. <value>NONE</value>
  19. </property>
  20. <property>
  21. <name>xasecure.audit.destination.solr.batch.filespool.enabled</name>
  22. <value>true</value>
  23. </property>
  24. <property>
  25. <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
  26. <value>/usr/local/hawq_<version>/ranger/plugin-service/logs/spool/audit/solr</value>
  27. </property>

Configuring HDFS Auditing

To configure an HDFS audit sink, define these auditing properties in ranger-hawq-audit.xml:

Table 2. Properties for HDFS Configuration

PropertyValueDescription
xasecure.audit.destination.hdfstrueUse this property to enable or disable the HDFS sink.
xasecure.audit.destination.hdfs.dir<HDFS directory>Specify the HDFS directory in which the plug-in records audit events.
xasecure.audit.destination.hdfs.batch.filespool.*Multiple PropertiesSee Configuration related to File spooling in the Ranger documentation if you want to configure spooling of auditing events to disk when the in-memory buffer is full.

For example:

  1. <!-- ********************************* -->
  2. <!-- HDFS audit provider configuration -->
  3. <!-- ********************************* -->
  4. <property>
  5. <name>xasecure.audit.destination.hdfs</name>
  6. <value>true</value>
  7. </property>
  8. <property>
  9. <name>xasecure.audit.destination.hdfs.dir</name>
  10. <value>hdfs://localhost:8020/ranger/audit</value>
  11. </property>
  12. <property>
  13. <name>xasecure.audit.destination.hdfs.batch.filespool.enabled</name>
  14. <value>true</value>
  15. </property>
  16. <property>
  17. <name>xasecure.audit.destination.hdfs.batch.filespool.dir</name>
  18. <value>/usr/local/hawq_<version>/ranger/plugin-service/logs/spool/audit/hdfs</value>
  19. </property>

Configuring Log4j Auditing

To configure a Log4j audit sink, define these auditing properties in ranger-hawq-audit.xml:

Table 3. Properties for Log4j Configuration

PropertyValueDescription
xasecure.audit.destination.log4jtrueUse this property to enable or disable the Log4j sink.
xasecure.audit.destination.log4j.logger<Logger Name>Specify the name of the logger to use for sending audit events.
xasecure.audit.destination.log4j.batch.filespool.*Multiple PropertiesSee Configuration related to File spooling in the Ranger documentation if you want to configure spooling of auditing events to disk when the in-memory buffer is full.

For example:

  1. <!-- ********************************** -->
  2. <!-- Log4j audit provider configuration -->
  3. <!-- ********************************** -->
  4. <property>
  5. <name>xasecure.audit.destination.log4j</name>
  6. <value>true</value>
  7. </property>
  8. <property>
  9. <name>xasecure.audit.destination.log4j.logger</name>
  10. <value>ranger_audit_logger</value>
  11. </property>