| <?xml version="1.0"?> |
| <?xml-stylesheet type="text/xsl" href="configuration.xsl"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <configuration> |
| <property> |
| <name>xasecure.audit.is.enabled</name> |
| <value>true</value> |
| </property> |
| |
| <!-- DB audit provider configuration --> |
| <property> |
| <name>xasecure.audit.destination.db</name> |
| <value>false</value> |
| </property> |
| |
| <property> |
| <name>xasecure.audit.destination.db.jdbc.driver</name> |
| <value>com.mysql.jdbc.Driver</value> |
| </property> |
| |
| <property> |
| <name>xasecure.audit.destination.db.jdbc.url</name> |
| <value>jdbc:mysql://localhost/ranger_audit</value> |
| </property> |
| |
| <property> |
| <name>xasecure.audit.destination.db.password</name> |
| <value>rangerlogger</value> |
| </property> |
| |
| <property> |
| <name>xasecure.audit.destination.db.user</name> |
| <value>rangerlogger</value> |
| </property> |
| |
| <property> |
| <name>xasecure.audit.destination.db.batch.filespool.dir</name> |
| <value>/tmp/audit/db/spool</value> |
| </property> |
| |
| |
| <!-- HDFS audit provider configuration --> |
| <property> |
| <name>xasecure.audit.destination.hdfs</name> |
| <value>false</value> |
| </property> |
| |
| <property> |
| <name>xasecure.audit.destination.hdfs.dir</name> |
| <value>hdfs://localhost:8020/ranger/audit</value> |
| </property> |
| |
| <property> |
| <name>xasecure.audit.destination.hdfs.batch.filespool.dir</name> |
| <value>/tmp/audit/hdfs/spool</value> |
| </property> |
| |
| |
| <!-- |
| NOTE: These HDFS related configurations can be specified from here, or putting core-site.xml and hdfs-site.xml under classpath. |
| <property> |
| <name>xasecure.audit.destination.hdfs.config.fs.hdfs.impl</name> |
| <value>org.apache.hadoop.hdfs.DistributedFileSystem</value> |
| </property> |
| |
| <property> |
| <name>xasecure.audit.destination.hdfs.config.hadoop.security.authentication</name> |
| <value>kerberos</value> |
| </property> |
| |
| <property> |
| <name>xasecure.audit.destination.hdfs.config.dfs.namenode.kerberos.principal</name> |
| <value>nn/_HOST@EXAMPLE.COM</value> |
| </property> |
| --> |
| |
| |
| <!-- Log4j audit provider configuration --> |
| <property> |
| <name>xasecure.audit.destination.log4j</name> |
| <value>false</value> |
| </property> |
| |
| <property> |
| <name>xasecure.audit.destination.log4j.logger</name> |
| <value>ranger_audit_logger</value> |
| </property> |
| |
| <!-- Solr audit provider configuration --> |
| <property> |
| <name>xasecure.audit.destination.solr</name> |
| <value>true</value> |
| </property> |
| |
| <property> |
| <name>xasecure.audit.destination.solr.batch.filespool.dir</name> |
| <value>/tmp/audit/solr/spool</value> |
| </property> |
| |
| <!-- |
| IMPORTANT: Solr destination can be specified by either HTTP URL or Zookeeper address. |
| However, when the target Solr is Kerberized, use Zookeeper address. |
| Because LBHttpSolrClient can not use following In-memory JAAS config as it overwrites JAAS config internally. |
| --> |
| <property> |
| <name>xasecure.audit.destination.solr.urls</name> |
| <!-- by HTTP URL |
| <value>http://localhost:6083/solr/ranger_audits</value> |
| --> |
| <!-- by Zookeeper address, recommended --> |
| <value>localhost:2181/solr</value> |
| </property> |
| |
| <!-- |
| If Solr is Kerberized, following in-memory JAAS properties are also needed to authenticate NiFi Registry as a Solr client. |
| |
| Also, solr-security.json should be configured to allow this NiFi Registry user (specified by the principal) |
| to write audits to 'ranger_audits' Solr collection. See Solr documentation for how to configure solr-security.json. |
| https://lucene.apache.org/solr/guide/6_6/authentication-and-authorization-plugins.html |
| |
| In case Ranger uses infra-solr resides in the same cluster managed by Ambari, you can configure required solr-security.json from: |
| Ambari -> Infra Solr -> Config -> Advanced -> Advanced infra-solr-security-json -> Ranger audit service users |
| E.g. {default_ranger_audit_users},nifi-registry |
| --> |
| <!-- Also, solr-security.json Ranger audit service users --> |
| <property> |
| <name>xasecure.audit.destination.solr.force.use.inmemory.jaas.config</name> |
| <value>true</value> |
| </property> |
| <property> |
| <name>xasecure.audit.jaas.Client.option.useKeyTab</name> |
| <value>true</value> |
| </property> |
| <property> |
| <name>xasecure.audit.jaas.Client.option.storeKey</name> |
| <value>false</value> |
| </property> |
| <property> |
| <name>xasecure.audit.jaas.Client.option.serviceName</name> |
| <value>solr</value> |
| </property> |
| <property> |
| <name>xasecure.audit.jaas.Client.option.principal</name> |
| <value>nifi-registry@EXAMPLE.COM</value> |
| </property> |
| <property> |
| <name>xasecure.audit.jaas.Client.option.keyTab</name> |
| <value>/etc/security/keytabs/nifi-registry.keytab</value> |
| </property> |
| <property> |
| <name>xasecure.audit.jaas.Client.loginModuleName</name> |
| <value>com.sun.security.auth.module.Krb5LoginModule</value> |
| </property> |
| <property> |
| <name>xasecure.audit.jaas.Client.loginModuleControlFlag</name> |
| <value>required</value> |
| </property> |
| |
| </configuration> |