Hi Bosco, I have created jira RANGER-732 <https://issues.apache.org/jira/browse/RANGER-732> for this issue. I don't have much bandwidth right now to work on this, but would be very helpful if someone can work on this.
Thanks, Kashif On Fri, Nov 13, 2015 at 12:51 PM, Don Bosco Durai <bo...@apache.org> wrote: > Kashif > > I don’t think Ranger currently has support for writing policy update > audits to file. Would you be able to create a JIRA for this? I think, this > should be straight forward to implement. In most Hadoop projects, they use > log4j appender to write to file. We could do the same. Hopefully, you or > someone can volunteer to implement it. > > FYI, the audit logs done by the plugin already supports Log4J as a > destination. But it uses a different framework and RangerAdmin doesn’t use > it. > > Thanks > > Bosco > > > From: Kashif Khan <rafz...@gmail.com> > Reply-To: <user@ranger.incubator.apache.org> > Date: Thursday, November 12, 2015 at 9:37 PM > To: Ramesh Mani <rm...@hortonworks.com> > > Cc: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org> > Subject: Re: Ranger LDAP Group sync issue > > You are right Ramesh. Is there any setting that can enable logging this > information in the file as well. > > Thanks, > Kashif > > On Fri, Nov 13, 2015 at 12:31 AM, Ramesh Mani <rm...@hortonworks.com> > wrote: > >> I think Kashif is asking for the policy change logs which is in >> ranger_audit db. Option is to get it querying table. >> >> From: Arvind S <arvind18...@gmail.com> >> Reply-To: "user@ranger.incubator.apache.org" < >> user@ranger.incubator.apache.org> >> Date: Thursday, November 12, 2015 at 9:28 PM >> To: Kashif Khan <rafz...@gmail.com> >> Cc: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org> >> Subject: Re: Ranger LDAP Group sync issue >> >> you want the same information in the DB table in file format ? or >> something more that that ..like debug? >> for 1st option .. in ranger 0.5 there is an option to enable logging to >> HDFS also .. not sure if its there in 0.4 .. >> if you want the 2nd then i don't have an answer right-away .. >> >> >> >> *Cheers !!* >> Arvind >> >> On Fri, Nov 13, 2015 at 8:10 AM, Kashif Khan <rafz...@gmail.com> wrote: >> >>> Hi Arvind, >>> >>> Deleting all users and groups and pulling them again didn't help. Still >>> same issue. Looks like upgrade is the only option. >>> >>> I have another question, where can I check the logs for all ranger >>> policy changes logs. I know it is written in ranger_audit db but is it >>> possible to log that in a log file. >>> >>> Thanks, >>> Kashif >>> >>> >>> >>> >>> >>> On Wed, Nov 11, 2015 at 11:14 PM, Kashif Khan <rafz...@gmail.com> wrote: >>> >>>> Thanks Arvind, I will try that tomorrow and will see if it get fixed. >>>> >>>> On Wed, Nov 11, 2015 at 11:10 PM, Arvind S <arvind18...@gmail.com> >>>> wrote: >>>> >>>>> the only issue i can see is that the member group list has some groups >>>>> with space in them "ho proxy" .. "nro proxy" .. >>>>> options >>>>> > can test by removing user member ship from groups with space in the >>>>> names ..then check sync >>>>> > as Ramesh said you can try to move to a newer version .. >>>>> >>>>> this is a long shot but did work for me once when i was testing >>>>> initially with lots of changes being done on config ..and ranger had >>>>> pulled >>>>> incomplete group/user list in the 1st attempt .. >>>>> > stop ranger user sync .. >>>>> > delete all the groups and user using ranger REST API >>>>> .... >>>>> https://github.com/apache/incubator-ranger/blob/master/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java >>>>> >>>>> .... group delete e.g. >>>>> curl -i -X DELETE --header "AcceptDELETEplication/json" -H >>>>> "Content-Type: application/json" -u admin:admin >>>>> http://<ranger-ip/fqdn>:6080/service/xusers/groups/{<comma seperated >>>>> group id's>} >>>>> .... user delete e.g. >>>>> curl -i -X DELETE --header "Accept:application/json" -H >>>>> "Content-Type: application/json" -u admin:admin >>>>> http://<ranger-ip/fqdn>:6080/service/xusers/users/{<comma seperated >>>>> user id's>} >>>>> >>>>> > Re-start ranger admin and start ranger user sync .. >>>>> >>>>> >>>>> >>>>> *Cheers !!* >>>>> Arvind >>>>> >>>>> On Tue, Nov 10, 2015 at 11:18 PM, Kashif Khan <rafz...@gmail.com> >>>>> wrote: >>>>> >>>>>> Thanks for your response Arvind. Here is the log. The group name I >>>>>> have issue with is "*PRV-BUS-DataScientist-DISABILITY*" that is not >>>>>> showing in Ranger. However, the other group " >>>>>> *prv-bus-datascientist-life*" that was added same day and being >>>>>> pulled in ranger successfully. >>>>>> >>>>>> >>>>>> 10 Nov 2015 12:04:40 INFO LdapUserGroupBuilder [UnixUserSyncThread] >>>>>> - longGroupName: >>>>>> CN=*PRV-BUS-DataScientist-DISABILITY*,OU=Security-Groups,DC=domain_name,DC=com, >>>>>> groupName: PRV-BUS-DataScientist-DISABILITY >>>>>> >>>>>> 10 Nov 2015 12:04:40 INFO LdapUserGroupBuilder [UnixUserSyncThread] >>>>>> - Updating user count: 57, userName: xyza1b, groupList: >>>>>> [domain_name-w7-admin-wkstn-users, wireless_production, >>>>>> *prv-bus-datascientist-life*, ho proxy, vpnusers, >>>>>> domain_name-w7-std-user-g, nro proxy, prv-bus-datascientist-disability, >>>>>> domain_name-w7-std-user-fr-g, wireless_location] >>>>>> >>>>>> 10 Nov 2015 12:04:40 DEBUG PolicyMgrUserGroupBuilder >>>>>> [UnixUserSyncThread] - INFO: >>>>>> addPMXAGroupToUser(xyza1b,prv-bus-datascientist-disability) >>>>>> >>>>>> 10 Nov 2015 12:04:40 INFO LdapUserGroupBuilder [UnixUserSyncThread] >>>>>> - longGroupName: >>>>>> *CN=PRV-BUS-DataScientist-DISABILITY*,OU=Security-Groups,DC=domain_name,DC=com, >>>>>> groupName: PRV-BUS-DataScientist-DISABILITY >>>>>> >>>>>> 10 Nov 2015 12:04:40 INFO LdapUserGroupBuilder [UnixUserSyncThread] >>>>>> - Updating user count: 59, userName: xyza2b, groupList: >>>>>> [domain_name-w7-admin-wkstn-users, wireless_production, >>>>>> prv-bus-datascientist-life, ho proxy, vpnusers, >>>>>> domain_name-w7-std-user-g, >>>>>> nro proxy, prv-bus-datascientist-disability, >>>>>> domain_name-w7-std-user-fr-g, >>>>>> wireless_location] >>>>>> >>>>>> 10 Nov 2015 12:04:40 DEBUG PolicyMgrUserGroupBuilder >>>>>> [UnixUserSyncThread] - INFO: >>>>>> addPMXAGroupToUser(xyza2b,prv-bus-datascientist-disability) >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> On Tue, Nov 10, 2015 at 1:52 AM, Arvind S <arvind18...@gmail.com> >>>>>> wrote: >>>>>> >>>>>>> can you post the log section where you see the groups and users >>>>>>> being pulled .. >>>>>>> i have had issues when using AD (internally setting were using LDAP >>>>>>> in AD) as user/group source and user/ group names had spaces or dots in >>>>>>> them. >>>>>>> >>>>>>> If possible update to ranger .5 it has some better handling. >>>>>>> >>>>>>> >>>>>>> *Cheers !!* >>>>>>> Arvind >>>>>>> >>>>>>> On Tue, Nov 10, 2015 at 9:34 AM, Kashif Khan <rafz...@gmail.com> >>>>>>> wrote: >>>>>>> >>>>>>>> Hi All, >>>>>>>> >>>>>>>> I am trying to pull one LDAP group into ranger but it is not being >>>>>>>> added. Looking at usersync.log, the group is being pulled and users are >>>>>>>> added to that group, but I am not able to figure out why group is not >>>>>>>> showing up in either ranger x_group table or ranger UI. >>>>>>>> >>>>>>>> Tried to run usersync process in debug mode with no luck. Would >>>>>>>> appreciate any help. I am using 0.4 version. >>>>>>>> >>>>>>>> -- >>>>>>>> Thanks, >>>>>>>> Kashif >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Thanks, >>>>>> Kashif >>>>>> >>>>> >>>>> >>>> >>>> >>>> -- >>>> Thanks, >>>> Kashif >>>> >>> >>> >>> >>> -- >>> Thanks, >>> Kashif >>> >> >> > > > -- > Thanks, > Kashif > > -- Thanks, Kashif
