I saw it. Looks good. Thanks

Bosco

From: "Zhang, Edward (GDI Hadoop)" <[email protected]>
Date: Monday, May 4, 2015 at 10:01 PM
To: Don Bosco Durai <[email protected]>, "[email protected]" <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: ranger 0.40 + hive in sandbox 2.2.4

> Sure, I have added something roughly and have not refined it yet.
>
> Thanks
> Edward Zhang
>
> From: Don Bosco Durai <[email protected]>
> Date: Friday, May 1, 2015 at 2:02 PM
> To: Yong Zhang <[email protected]>, "[email protected]" <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: ranger 0.40 + hive in sandbox 2.2.4
>
> Edward
>
> I need to take a look into this again. When Apache Ranger is installed, the
> below property is overwritten by the Ranger script. I am not sure whether in
> Ambari 2.0 this property is reset. For me it worked, but I will reverify
> again.
>
> I am glad you were able to integrate Kafka log4j. Now you should be able to
> do this for all the components (HDFS, HBase, Knox, etc.) and get normalized
> audit records centrally in your Kafka topic.
>
> I assume you are using Storm to process data off the topic. If you don't
> mind, can you copy-paste a snippet of the Storm Bolt code in the Ranger wiki
> page along with the below properties? I created a new page for you:
>
> https://cwiki.apache.org/confluence/display/RANGER/Configuring+Kafka+log4j+appender+with+Apache+Ranger+Audits
>
> Thanks
>
> Bosco
>
> From: "Zhang, Edward (GDI Hadoop)" <[email protected]>
> Date: Friday, May 1, 2015 at 10:49 AM
> To: Don Bosco Durai <[email protected]>, "[email protected]" <[email protected]>
> Subject: Re: ranger 0.40 + hive in sandbox 2.2.4
>
>> Hi Bosco,
>>
>> Sorry, I meant some sections in hiveserver2-site.xml. The following
>> configuration is not there under conf.server by default. Not sure if you
>> have a similar issue, probably I need to download the latest sandbox again.
>> <property>
>>   <name>hive.security.authorization.enabled</name>
>>   <value>true</value>
>> </property>
>> <property>
>>   <name>hive.security.authorization.manager</name>
>>   <value>com.xasecure.authorization.hive.authorizer.XaSecureHiveAuthorizerFactory</value>
>> </property>
>>
>> I actually can use kafka appender to send audit events to kafka bus with
>> the following configurations. Please let me know if this can be put into
>> the Ranger whole document. That's a great feature actually :-)
>>
>> #
>> # kafka Appender
>> #
>> log4j.logger.com.xasecure.audit.provider.Log4jAuditProvider=INFO,KAFKA_HIVE_AUDIT
>> log4j.appender.KAFKA_HIVE_AUDIT=kafka.producer.KafkaLog4jAppender
>> log4j.appender.KAFKA_HIVE_AUDIT.BrokerList=sandbox.hortonworks.com:6667
>> log4j.appender.KAFKA_HIVE_AUDIT.Topic=hive_audit_log
>> log4j.appender.KAFKA_HIVE_AUDIT.layout=org.apache.log4j.PatternLayout
>> log4j.appender.KAFKA_HIVE_AUDIT.layout.ConversionPattern=%d{ISO8601} %-5p [%t]: %c{2} (%F:%M(%L)) - %m%n
>> log4j.appender.KAFKA_HIVE_AUDIT.ProducerType=async
>>
>> Thanks
>> Edward Zhang
>>
>> From: Don Bosco Durai <[email protected]>
>> Date: Friday, May 1, 2015 at 10:43 AM
>> To: Yong Zhang <[email protected]>, "[email protected]" <[email protected]>
>> Subject: Re: ranger 0.40 + hive in sandbox 2.2.4
>>
>> Can you check the audit logs to see if they are audited?
>>
>> Yes, conf.server is the place where HiveServer2 picks its configuration. I
>> checked my local sandbox and xasecure.audit.is.enabled=true. Can you
>> download the latest sandbox and check it out?
>>
>> Thanks
>>
>> Bosco
>>
>> From: <Zhang>, "Edward (GDI Hadoop)" <[email protected]>
>> Date: Friday, May 1, 2015 at 10:05 AM
>> To: Don Bosco Durai <[email protected]>, "[email protected]" <[email protected]>
>> Subject: ranger 0.40 + hive in sandbox 2.2.4
>>
>>> Hi Ranger dev team,
>>>
>>> When I test hive+ranger in sandbox 2.2.4, one issue is HiveServer2 is
>>> started up with /etc/hive/conf.server as class path, while by default
>>> xasecure-audit.xml under conf.server does not have
>>> xasecure.audit.is.enabled to be true. That means ranger in hive is not
>>> activated. So each time when I want to activate ranger in hive, I have to
>>> restart hiveserver2 with /etc/hive/conf in class path, in /conf,
>>> xasecure.audit.is.enabled is specified to true.
>>>
>>> So my question: is that an intentional behavior to bring up HiveServer
>>> with Ranger being disabled? And /conf.server is the default conf directory
>>> to run Hive?
>>>
>>> Thanks
>>> Edward Zhang
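
Added example, not part of the thread and not Apache Ranger's own code: a Python check for the condition discussed above, where the conf directory HiveServer2 starts from lacks the audit and authorization properties quoted in the thread. The sample XML is constructed, and `check_conf`, `load_conf_dir` and `make_xml` are hypothetical names.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Properties quoted in the thread, with the values that mean the plugin is active.
REQUIRED = {
    "xasecure-audit.xml": {"xasecure.audit.is.enabled": "true"},
    "hiveserver2-site.xml": {
        "hive.security.authorization.enabled": "true",
        "hive.security.authorization.manager":
            "com.xasecure.authorization.hive.authorizer.XaSecureHiveAuthorizerFactory",
    },
}

def parse_hadoop_xml(text):
    """Return {name: value} for every <property> in a Hadoop-style config."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def check_conf(files):
    """Return (file, property, found) for each required property missing or wrong."""
    findings = []
    for fname, wanted in REQUIRED.items():
        props = parse_hadoop_xml(files[fname]) if fname in files else {}
        for key, expected in wanted.items():
            found = props.get(key)  # None means the property is absent
            seen = found.lower() if found and expected == "true" else found
            if seen != expected:
                findings.append((fname, key, found))
    return findings

def load_conf_dir(path):
    """Read the two files from a directory such as /etc/hive/conf.server."""
    return {f: (Path(path) / f).read_text(encoding="utf-8")
            for f in REQUIRED if (Path(path) / f).is_file()}

def make_xml(props):  # hypothetical helper for the constructed samples
    rows = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in props.items())
    return f"<configuration>{rows}</configuration>"

# Constructed samples: conf.server as described in the thread, conf as the working copy.
CONF_SERVER = {"xasecure-audit.xml": make_xml({"xasecure.audit.is.enabled": "false"}),
               "hiveserver2-site.xml": make_xml({})}
CONF = {fname: make_xml(wanted) for fname, wanted in REQUIRED.items()}
print("conf.server:", check_conf(CONF_SERVER), "| conf:", check_conf(CONF))
```

On a real host, `check_conf(load_conf_dir("/etc/hive/conf.server"))` runs the same check against the directory HiveServer2 is started with; an empty list means all three properties are set as quoted.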
