I enabled HDFS audit login. I want when any policy is created, updated or deleted, I want to see that log in a file in addition to db. Is that possible?
On Fri, Nov 13, 2015 at 12:28 AM, Arvind S <arvind18...@gmail.com> wrote: > you want the same information in the DB table in file format ? or > something more that that ..like debug? > for 1st option .. in ranger 0.5 there is an option to enable logging to > HDFS also .. not sure if its there in 0.4 .. > if you want the 2nd then i don't have an answer right-away .. > > > > *Cheers !!* > Arvind > > On Fri, Nov 13, 2015 at 8:10 AM, Kashif Khan <rafz...@gmail.com> wrote: > >> Hi Arvind, >> >> Deleting all users and groups and pulling them again didn't help. Still >> same issue. Looks like upgrade is the only option. >> >> I have another question, where can I check the logs for all ranger policy >> changes logs. I know it is written in ranger_audit db but is it possible to >> log that in a log file. >> >> Thanks, >> Kashif >> >> >> >> >> >> On Wed, Nov 11, 2015 at 11:14 PM, Kashif Khan <rafz...@gmail.com> wrote: >> >>> Thanks Arvind, I will try that tomorrow and will see if it get fixed. >>> >>> On Wed, Nov 11, 2015 at 11:10 PM, Arvind S <arvind18...@gmail.com> >>> wrote: >>> >>>> the only issue i can see is that the member group list has some groups >>>> with space in them "ho proxy" .. "nro proxy" .. >>>> options >>>> > can test by removing user member ship from groups with space in the >>>> names ..then check sync >>>> > as Ramesh said you can try to move to a newer version .. >>>> >>>> this is a long shot but did work for me once when i was testing >>>> initially with lots of changes being done on config ..and ranger had pulled >>>> incomplete group/user list in the 1st attempt .. >>>> > stop ranger user sync .. >>>> > delete all the groups and user using ranger REST API >>>> .... >>>> https://github.com/apache/incubator-ranger/blob/master/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java >>>> >>>> .... group delete e.g. >>>> curl -i -X DELETE --header "AcceptDELETEplication/json" -H >>>> "Content-Type: application/json" -u admin:admin >>>> http://<ranger-ip/fqdn>:6080/service/xusers/groups/{<comma >>>> seperated group id's>} >>>> .... user delete e.g. >>>> curl -i -X DELETE --header "Accept:application/json" -H >>>> "Content-Type: application/json" -u admin:admin >>>> http://<ranger-ip/fqdn>:6080/service/xusers/users/{<comma >>>> seperated user id's>} >>>> >>>> > Re-start ranger admin and start ranger user sync .. >>>> >>>> >>>> >>>> *Cheers !!* >>>> Arvind >>>> >>>> On Tue, Nov 10, 2015 at 11:18 PM, Kashif Khan <rafz...@gmail.com> >>>> wrote: >>>> >>>>> Thanks for your response Arvind. Here is the log. The group name I >>>>> have issue with is "*PRV-BUS-DataScientist-DISABILITY*" that is not >>>>> showing in Ranger. However, the other group " >>>>> *prv-bus-datascientist-life*" that was added same day and being >>>>> pulled in ranger successfully. >>>>> >>>>> >>>>> 10 Nov 2015 12:04:40 INFO LdapUserGroupBuilder [UnixUserSyncThread] - >>>>> longGroupName: >>>>> CN=*PRV-BUS-DataScientist-DISABILITY*,OU=Security-Groups,DC=domain_name,DC=com, >>>>> groupName: PRV-BUS-DataScientist-DISABILITY >>>>> >>>>> 10 Nov 2015 12:04:40 INFO LdapUserGroupBuilder [UnixUserSyncThread] - >>>>> Updating user count: 57, userName: xyza1b, groupList: >>>>> [domain_name-w7-admin-wkstn-users, wireless_production, >>>>> *prv-bus-datascientist-life*, ho proxy, vpnusers, >>>>> domain_name-w7-std-user-g, nro proxy, prv-bus-datascientist-disability, >>>>> domain_name-w7-std-user-fr-g, wireless_location] >>>>> >>>>> 10 Nov 2015 12:04:40 DEBUG PolicyMgrUserGroupBuilder >>>>> [UnixUserSyncThread] - INFO: >>>>> addPMXAGroupToUser(xyza1b,prv-bus-datascientist-disability) >>>>> >>>>> 10 Nov 2015 12:04:40 INFO LdapUserGroupBuilder [UnixUserSyncThread] - >>>>> longGroupName: >>>>> *CN=PRV-BUS-DataScientist-DISABILITY*,OU=Security-Groups,DC=domain_name,DC=com, >>>>> groupName: PRV-BUS-DataScientist-DISABILITY >>>>> >>>>> 10 Nov 2015 12:04:40 INFO LdapUserGroupBuilder [UnixUserSyncThread] - >>>>> Updating user count: 59, userName: xyza2b, groupList: >>>>> [domain_name-w7-admin-wkstn-users, wireless_production, >>>>> prv-bus-datascientist-life, ho proxy, vpnusers, domain_name-w7-std-user-g, >>>>> nro proxy, prv-bus-datascientist-disability, domain_name-w7-std-user-fr-g, >>>>> wireless_location] >>>>> >>>>> 10 Nov 2015 12:04:40 DEBUG PolicyMgrUserGroupBuilder >>>>> [UnixUserSyncThread] - INFO: >>>>> addPMXAGroupToUser(xyza2b,prv-bus-datascientist-disability) >>>>> >>>>> >>>>> >>>>> >>>>> On Tue, Nov 10, 2015 at 1:52 AM, Arvind S <arvind18...@gmail.com> >>>>> wrote: >>>>> >>>>>> can you post the log section where you see the groups and users being >>>>>> pulled .. >>>>>> i have had issues when using AD (internally setting were using LDAP >>>>>> in AD) as user/group source and user/ group names had spaces or dots in >>>>>> them. >>>>>> >>>>>> If possible update to ranger .5 it has some better handling. >>>>>> >>>>>> >>>>>> *Cheers !!* >>>>>> Arvind >>>>>> >>>>>> On Tue, Nov 10, 2015 at 9:34 AM, Kashif Khan <rafz...@gmail.com> >>>>>> wrote: >>>>>> >>>>>>> Hi All, >>>>>>> >>>>>>> I am trying to pull one LDAP group into ranger but it is not being >>>>>>> added. Looking at usersync.log, the group is being pulled and users are >>>>>>> added to that group, but I am not able to figure out why group is not >>>>>>> showing up in either ranger x_group table or ranger UI. >>>>>>> >>>>>>> Tried to run usersync process in debug mode with no luck. Would >>>>>>> appreciate any help. I am using 0.4 version. >>>>>>> >>>>>>> -- >>>>>>> Thanks, >>>>>>> Kashif >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>> >>>>> >>>>> -- >>>>> Thanks, >>>>> Kashif >>>>> >>>> >>>> >>> >>> >>> -- >>> Thanks, >>> Kashif >>> >> >> >> >> -- >> Thanks, >> Kashif >> > > -- Thanks, Kashif
