Repository: incubator-hawq-docs Updated Branches: refs/heads/feature/ranger-integration a886ae32c -> 847a79955
basic audit info Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/847a7995 Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/847a7995 Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/847a7995 Branch: refs/heads/feature/ranger-integration Commit: 847a7995577fa22e151e667d2d42d5ed1431ef7c Parents: a886ae3 Author: David Yozie <yo...@apache.org> Authored: Wed Mar 29 13:52:31 2017 -0700 Committer: David Yozie <yo...@apache.org> Committed: Wed Mar 29 13:52:31 2017 -0700 ---------------------------------------------------------------------- markdown/ranger/ranger-auditing.html.md.erb | 134 +++++++++++++++++++++++ 1 file changed, 134 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/847a7995/markdown/ranger/ranger-auditing.html.md.erb ---------------------------------------------------------------------- diff --git a/markdown/ranger/ranger-auditing.html.md.erb b/markdown/ranger/ranger-auditing.html.md.erb index cc0cd14..7f6fed0 100644 --- a/markdown/ranger/ranger-auditing.html.md.erb +++ b/markdown/ranger/ranger-auditing.html.md.erb @@ -20,3 +20,137 @@ KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> + +The HAWQ Ranger Plug-in Service supports storing auditing records in any of the Ranger auditing framework audit destinations, referred to as *audit sink*s. The `/usr/local/hawq/ranger/etc/ranger-hawq-audit.xml` file specifies the audit configuration. It contains sample definitions for the HDFS, Solr, and Log4j audit sinks. + +As a best practice, configure one or more audit sinks in `ranger-hawq-audit.xml` before you register the HAWQ Ranger Plug-in Service. By default only the Log4j sink is enabled. Production deployments should use both a Solr and an HDFS audit sink, with the Solr destination configured to automatically purge audit records after some period of time. This configuration enables you to search the most recent audit records, while a keeping a full history of auditing records in HDFS. + +If you modify `ranger-hawq-audit.xml` after you have registered the HAWQ Ranger Plug-in, you must restart the plug-in for the changes to take effect. + +Full documentation for the Ranger auditing configuration properties and the Ranger auditing framework is available at [Ranger 0.5 Audit Configuration](https://cwiki.apache.org/confluence/display/RANGER/Ranger+0.5+Audit+Configuration). + +## <a id="solr"></a>Configuring Solr Auditing +To configure a Solr audit sink, you define a different set of properties in `ranger-hawq-audit.xml` depending on whether you use Zookeeper or a direct URL connect to your Solr destination. For a production environment, use Zookeeper instead of a direct URL. + +If you use Zookeeper to connect to Solr, configure these auditing properties in `ranger-hawq-audit.xml`: + +Table 1. Properties for Zookeeper Configuration + +| Property | Value | Description | +| -------- | ----- | ----------- | +| xasecure.audit.destination.solr | true | Use this property to enable or disable the Solr sink. | +| xasecure.audit.destination.solr.zookeepers | <zookeeper connect string> | Specify the Zookeeper connection string for the Solr destination. | +| xasecure.audit.destination.solr.collection | <collection name> | Specify the Solr collection name to use for indexing the HAWQ audit records. By default HAWQ uses the `ranger_audits` collection. | +| xasecure.audit.destination.solr.batch.filespool.* | Multiple Properties | See [Configuration related to File spooling](https://cwiki.apache.org/confluence/display/RANGER/Ranger+0.5+Audit+Configuration#Ranger0.5AuditConfiguration-ConfigurationrelatedtoFilespooling) in the Ranger documentation if you want to configure spooling of auditing events to disk when the in-memory buffer is full. | +| xasecure.audit.destination.solr.urls | NONE | Leave this property value empty or set it to `NONE` when using Zookeeper to connect to Solr. | + +For example: + +``` +<!-- ********************************* --> +<!-- SOLR audit provider configuration --> +<!-- ********************************* --> +<property> + <name>xasecure.audit.destination.solr</name> + <value>true</value> +</property> + +<property> + <name>xasecure.audit.destination.solr.zookeepers</name> + <value>zkhost1:2181,zkhost2:2181/infra-solr</value> +</property> + +<property> + <name>xasecure.audit.destination.solr.collection</name> + <value>ranger_audits</value> +</property> + +<property> + <name>xasecure.audit.destination.solr.urls</name> + <value>NONE</value> +</property> + +<property> + <name>xasecure.audit.destination.solr.batch.filespool.enabled</name> + <value>true</value> +</property> + +<property> + <name>xasecure.audit.destination.solr.batch.filespool.dir</name> + <value>/usr/local/hawq_2_2_0_0/ranger/plugin-service/logs/spool/audit/solr</value> +</property> +``` +## <a id="hdfs"></a>Configuring HDFS Auditing +To configure an HDFS audit sink, define these auditing properties in `ranger-hawq-audit.xml`: + +Table 2. Properties for HDFS Configuration + +| Property | Value | Description | +| -------- | ----- | ----------- | +| xasecure.audit.destination.hdfs | true | Use this property to enable or disable the HDFS sink. | +| xasecure.audit.destination.hdfs.dir | <HDFS directory> | Specify the HDFS directory in which the plug-in records audit events. | +| xasecure.audit.destination.hdfs.batch.filespool.* | Multiple Properties | See [Configuration related to File spooling](https://cwiki.apache.org/confluence/display/RANGER/Ranger+0.5+Audit+Configuration#Ranger0.5AuditConfiguration-ConfigurationrelatedtoFilespooling) in the Ranger documentation if you want to configure spooling of auditing events to disk when the in-memory buffer is full. | + +For example: + +``` +<!-- ********************************* --> +<!-- HDFS audit provider configuration --> +<!-- ********************************* --> +<property> + <name>xasecure.audit.destination.hdfs</name> + <value>true</value> +</property> + +<property> + <name>xasecure.audit.destination.hdfs.dir</name> + <value>hdfs://localhost:8020/ranger/audit</value> +</property> + +<property> + <name>xasecure.audit.destination.hdfs.batch.filespool.enabled</name> + <value>true</value> +</property> + +<property> + <name>xasecure.audit.destination.hdfs.batch.filespool.dir</name> + <value>/usr/local/hawq_2_2_0_0/ranger/plugin-service/logs/spool/audit/hdfs</value> +</property> +``` +## <a id="log4j"></a>Configuring Log4j Auditing +To configure a Log4j audit sink, define these auditing properties in `ranger-hawq-audit.xml`: + +Table 3. Properties for Log4j Configuration + +| Property | Value | Description | +| -------- | ----- | ----------- | +| xasecure.audit.destination.log4j | true | Use this property to enable or disable the Log4j sink. | +| xasecure.audit.destination.log4j.logger | <Logger Name> | Specify the name of the logger to use for sending audit events. | +| xasecure.audit.destination.log4j.batch.filespool.* | Multiple Properties | See [Configuration related to File spooling](https://cwiki.apache.org/confluence/display/RANGER/Ranger+0.5+Audit+Configuration#Ranger0.5AuditConfiguration-ConfigurationrelatedtoFilespooling) in the Ranger documentation if you want to configure spooling of auditing events to disk when the in-memory buffer is full. | + +For example: + +``` +<!-- ********************************** --> +<!-- Log4j audit provider configuration --> +<!-- ********************************** --> +<property> + <name>xasecure.audit.destination.log4j</name> + <value>true</value> +</property> + +<property> + <name>xasecure.audit.destination.log4j.logger</name> + <value>ranger_audit_logger</value> +</property> +``` + +## <a id="reconfigure"></a>Changing the Plug-in Auditing Settings +If you modify `ranger-hawq-audit.xml` after you have registered the HAWQ Ranger Plug-in, you must either restart the HAWQ cluster or restart the plug-in for the changes to take effect. + +To restart only the HAWQ Ranger Plug-in: + +``` bash +$ /usr/local/hawq_2_2_0_0/ranger/bin/rps.sh stop +$ /usr/local/hawq_2_2_0_0/ranger/bin/rps.sh start +``` \ No newline at end of file