Google Git
Sign in
apache / nifi-registry / 8a1901e79b8bb6ef310a9c7d8bf59a3e34b41d16 / . / nifi-registry-extensions / nifi-registry-ranger / nifi-registry-ranger-assembly / conf / ranger-nifi-registry-audit.xml
blob: e34ef8873d1d9b14c8191bcdc0439078132505da [file] [log] [blame]
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<configuration>
<property>
<name>xasecure.audit.is.enabled</name>
<value>true</value>
</property>
<!-- DB audit provider configuration -->
<property>
<name>xasecure.audit.destination.db</name>
<value>false</value>
</property>
<property>
<name>xasecure.audit.destination.db.jdbc.driver</name>
<value>com.mysql.jdbc.Driver</value>
</property>
<property>
<name>xasecure.audit.destination.db.jdbc.url</name>
<value>jdbc:mysql://localhost/ranger_audit</value>
</property>
<property>
<name>xasecure.audit.destination.db.password</name>
<value>rangerlogger</value>
</property>
<property>
<name>xasecure.audit.destination.db.user</name>
<value>rangerlogger</value>
</property>
<property>
<name>xasecure.audit.destination.db.batch.filespool.dir</name>
<value>/tmp/audit/db/spool</value>
</property>
<!-- HDFS audit provider configuration -->
<property>
<name>xasecure.audit.destination.hdfs</name>
<value>false</value>
</property>
<property>
<name>xasecure.audit.destination.hdfs.dir</name>
<value>hdfs://localhost:8020/ranger/audit</value>
</property>
<property>
<name>xasecure.audit.destination.hdfs.batch.filespool.dir</name>
<value>/tmp/audit/hdfs/spool</value>
</property>
<!--
NOTE: These HDFS related configurations can be specified from here, or putting core-site.xml and hdfs-site.xml under classpath.
<property>
<name>xasecure.audit.destination.hdfs.config.fs.hdfs.impl</name>
<value>org.apache.hadoop.hdfs.DistributedFileSystem</value>
</property>
<property>
<name>xasecure.audit.destination.hdfs.config.hadoop.security.authentication</name>
<value>kerberos</value>
</property>
<property>
<name>xasecure.audit.destination.hdfs.config.dfs.namenode.kerberos.principal</name>
<value>nn/_HOST@EXAMPLE.COM</value>
</property>
-->
<!-- Log4j audit provider configuration -->
<property>
<name>xasecure.audit.destination.log4j</name>
<value>false</value>
</property>
<property>
<name>xasecure.audit.destination.log4j.logger</name>
<value>ranger_audit_logger</value>
</property>
<!-- Solr audit provider configuration -->
<property>
<name>xasecure.audit.destination.solr</name>
<value>true</value>
</property>
<property>
<name>xasecure.audit.destination.solr.batch.filespool.dir</name>
<value>/tmp/audit/solr/spool</value>
</property>
<!--
IMPORTANT: Solr destination can be specified by either HTTP URL or Zookeeper address.
However, when the target Solr is Kerberized, use Zookeeper address.
Because LBHttpSolrClient can not use following In-memory JAAS config as it overwrites JAAS config internally.
-->
<property>
<name>xasecure.audit.destination.solr.urls</name>
<!-- by HTTP URL
<value>http://localhost:6083/solr/ranger_audits</value>
-->
<!-- by Zookeeper address, recommended -->
<value>localhost:2181/solr</value>
</property>
<!--
If Solr is Kerberized, following in-memory JAAS properties are also needed to authenticate NiFi Registry as a Solr client.
Also, solr-security.json should be configured to allow this NiFi Registry user (specified by the principal)
to write audits to 'ranger_audits' Solr collection. See Solr documentation for how to configure solr-security.json.
https://lucene.apache.org/solr/guide/6_6/authentication-and-authorization-plugins.html
In case Ranger uses infra-solr resides in the same cluster managed by Ambari, you can configure required solr-security.json from:
Ambari -> Infra Solr -> Config -> Advanced -> Advanced infra-solr-security-json -> Ranger audit service users
E.g. {default_ranger_audit_users},nifi-registry
-->
<!-- Also, solr-security.json Ranger audit service users -->
<property>
<name>xasecure.audit.destination.solr.force.use.inmemory.jaas.config</name>
<value>true</value>
</property>
<property>
<name>xasecure.audit.jaas.Client.option.useKeyTab</name>
<value>true</value>
</property>
<property>
<name>xasecure.audit.jaas.Client.option.storeKey</name>
<value>false</value>
</property>
<property>
<name>xasecure.audit.jaas.Client.option.serviceName</name>
<value>solr</value>
</property>
<property>
<name>xasecure.audit.jaas.Client.option.principal</name>
<value>nifi-registry@EXAMPLE.COM</value>
</property>
<property>
<name>xasecure.audit.jaas.Client.option.keyTab</name>
<value>/etc/security/keytabs/nifi-registry.keytab</value>
</property>
<property>
<name>xasecure.audit.jaas.Client.loginModuleName</name>
<value>com.sun.security.auth.module.Krb5LoginModule</value>
</property>
<property>
<name>xasecure.audit.jaas.Client.loginModuleControlFlag</name>
<value>required</value>
</property>
</configuration>