Loïc Chanel <loic.cha...@telecomnancy.net> writes:

> Do you see in the logs that Spark is able to pull the policies from Ranger
> API ?

I did look at several log files. On the Spark side, the previous email shows the logs. On the Ranger side, the xa_portal.log does not provide any mention of an HDFS read attempt by the user. The hdfs://ranger/audit/hdfs/*.log contains entries such as:

```json
{"repoType":1,"repo":"CLUSTER_hadoop","reqUser":"nicolas","evtTime":"2020-03-09 13:50:08.389","access":"WRITE","resource":"/app-logs/nicolas...","resType":"path","action":"write","result":1,"policy":-1,"reason":"/app-logs/nicolas/logs-ifile/application_1583593832792_0067","enforcer":"hadoop-acl","cliIP":"IP","agentHost":"hostname","logType":"RangerAudit","id":"da76751f-af19-49f1-8d47-f52f7e68d593-6700046","seq_num":10150745,"event_count":1,"event_dur_ms":0,"tags":[],"cluster_name":"CLUSTER"}
```

I don't find any mention of enforcer:ranger* in the audit logs.

> Either way, could you please share the policies you defined in Ranger for
> your user ?

The rules added are:

Policy ID: 1
policy type: Access
policy name: all pth name | Enabled
resource Path: /* | recursive
audit logging: yes
select user: hdfs, rangerlookup, ambari-qa
permission: read,write,execute
delegate admin: yes

Policy ID: 2
policy type: Access
policy name: kms-audit-path name | Enabled
resource Path: /ranger/audit/kms | recursive
audit logging: yes
select user: keyadmin
permission: read,write,execute

Policy ID: 3
policy type: Access
policy name: my policy name | Enabled
resource Path: /tmp | recursive
audit logging: yes
select user: nicolas
permission: read,write,execute

Thanks

--
nicolas paris
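
Added example, not part of the original message: a Python script that tallies Ranger HDFS audit entries by enforcer and policy id, automating the search for enforcer:ranger* described above. The first sample line is the entry quoted in the message (trimmed to the relevant fields); the `ranger-acl` entry, the truncated line and the function names are constructed for illustration.

```python
import json
from collections import Counter

# Line 1: the audit entry from the message, trimmed to the fields used here.
# Line 2: constructed, a decision made by Ranger policy 3 for contrast.
# Line 3: constructed, a truncated record as seen when a log is read mid-write.
SAMPLE_AUDIT = """\
{"repo":"CLUSTER_hadoop","reqUser":"nicolas","evtTime":"2020-03-09 13:50:08.389","access":"WRITE","resource":"/app-logs/nicolas...","result":1,"policy":-1,"enforcer":"hadoop-acl"}
{"repo":"CLUSTER_hadoop","reqUser":"nicolas","evtTime":"2020-03-09 13:51:00.000","access":"WRITE","resource":"/tmp/constructed","result":1,"policy":3,"enforcer":"ranger-acl"}
{"repo":"CLUSTER_hadoop","reqUser":"nico
"""

def parse_audit(text):
    """Return (events, skipped): parsed JSON lines and the count of bad lines."""
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1  # keep going; one bad record must not hide the rest
    return events, skipped

def enforcer_summary(events, user=None):
    """Count decisions per (enforcer, policy id), optionally for one user."""
    counts = Counter()
    for ev in events:
        if user and ev.get("reqUser") != user:
            continue
        counts[(str(ev.get("enforcer", "unknown")), ev.get("policy", -1))] += 1
    return counts

def ranger_decided(events, user):
    """True if any decision for `user` was made by a Ranger policy.

    An entry with enforcer "hadoop-acl" and policy -1 was decided by native
    HDFS permissions, so no Ranger policy was applied to that request.
    """
    return any(enf.startswith("ranger") for enf, _ in enforcer_summary(events, user))

if __name__ == "__main__":
    events, skipped = parse_audit(SAMPLE_AUDIT)
    for (enf, pol), n in sorted(enforcer_summary(events, "nicolas").items()):
        print(f"{enf:12} policy={pol:<3} events={n}")
    print("ranger decided for nicolas:", ranger_decided(events, "nicolas"))
    print("skipped malformed lines:", skipped)
```
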