In E-MapReduce (EMR) V3.27.0 and later, you can view audit logs on the Ranger web UI. This topic describes how to view audit logs on the Ranger web UI in EMR V4.9.0, in which Ranger 2.1.0 is used.

Prerequisites

An EMR cluster is created, and Ranger is selected from the optional services when you create the cluster. For more information, see Create a cluster.

Limits

You can view audit logs on the Ranger web UI only in EMR V3.27.0 and later.

Procedure

  1. Access the Ranger web UI. For more information, see Access the Ranger UI.
  2. In the top navigation bar of the Ranger web UI, click Audit.
    Audit
    The Access tab is displayed by default. You can view the following logs on the Ranger web UI:
    • Access logs
      On the Access tab, you can view the access information of the components that are connected to Ranger. Access
      The following table describes the parameters.
      Parameter Description
      Policy ID The ID of the Ranger policy that is triggered by the access.
      Policy Version The version of the Ranger policy that is triggered by the access.
      Event Time The time at which the access occurs.
      User The user who accesses a service.
      Service The name and type of the Ranger service that is connected to the accessed service.
      Resource The information about the accessed data, such as the columns of a table in a Hive database and HDFS paths.

      You can click the Query icon to view the query information.

      Access Type The access type.
      Permission The permissions that are required to support the access.
      Result The access result.
      Access Enforcer The enforcer that is used for access control. Valid values: ranger-acl and hadoop-acl. ranger-acl indicates that Ranger is used for access control, and hadoop-acl indicates that HDFS is used for access control.
      Note hadoop-acl is prioritized over ranger-acl. When HDFS authenticates a user, HDFS first checks the access control list (ACL) configured for HDFS. If an access control rule denies the access, HDFS checks the ACL configured for Ranger. You can determine whether the access is allowed or denied by hadoop-acl or ranger-acl.
      Agent Host Name The hostname of the Ranger plug-in that is used to support the access.
      Client IP The IP address of the client that sends the access request.
    • Admin logs
      Click the Admin tab to view the access information of the components that are connected to Ranger. Admin
    • Logon session logs
      Click the Login Sessions tab to view the logs that record logons to Ranger Admin. Login Sessions
    • Plug-in logs
      Click the Plugins tab to view the interaction information between Ranger plug-ins and Ranger Admin. The time when Ranger plug-ins synchronize policy information from Ranger Admin is displayed on the Plugins tab. Plugins
    • Plug-in status logs
      Click the Plugin Status tab to view the status of each Ranger plug-in. Plugin Status
      The following table describes the parameters.
      Parameter Description
      Service Name The name of the Ranger service that is connected to a Ranger plug-in.
      Service Type The category of the Ranger service that is connected to a Ranger plug-in.
      Host Name The hostname of the agent that uses a Ranger plug-in.
      Plugin IP The IP address of the agent that uses a Ranger plug-in.
      Last Update The latest time a policy is updated.
      Download The latest time a Ranger plug-in downloads a policy.
      Active The latest time a Ranger plug-in goes into the active state.
    • User synchronization logs
      Click the User Sync tab to view the user synchronization logs of the Ranger Usersync service. User Sync
      The following table describes the parameters.
      Parameter Description
      Sync Source The source of the synchronized user. Valid values: Unix and LDAP/AD.
      Number Of New The numbers of added users and user groups.
      Number Of Modified The numbers of modified users and user groups.
      Event Time The time at which the user is synchronized. In most cases, Unix users are synchronized at 5-minute intervals, and LDAP/AD users are synchronized at 1-hour intervals.
      Sync Details The details of a synchronization.