mirror of https://github.com/apache/nifi.git
175 lines
5.5 KiB
XML
175 lines
5.5 KiB
XML
<?xml version="1.0"?>
|
|
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
|
|
<!--
|
|
Licensed to the Apache Software Foundation (ASF) under one or more
|
|
contributor license agreements. See the NOTICE file distributed with
|
|
this work for additional information regarding copyright ownership.
|
|
The ASF licenses this file to You under the Apache License, Version 2.0
|
|
(the "License"); you may not use this file except in compliance with
|
|
the License. You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
-->
|
|
<configuration>
|
|
<property>
|
|
<name>xasecure.audit.is.enabled</name>
|
|
<value>true</value>
|
|
</property>
|
|
|
|
<!-- DB audit provider configuration -->
|
|
<property>
|
|
<name>xasecure.audit.destination.db</name>
|
|
<value>false</value>
|
|
</property>
|
|
|
|
<property>
|
|
<name>xasecure.audit.destination.db.jdbc.driver</name>
|
|
<value>com.mysql.jdbc.Driver</value>
|
|
</property>
|
|
|
|
<property>
|
|
<name>xasecure.audit.destination.db.jdbc.url</name>
|
|
<value>jdbc:mysql://localhost/ranger_audit</value>
|
|
</property>
|
|
|
|
<property>
|
|
<name>xasecure.audit.destination.db.password</name>
|
|
<value>rangerlogger</value>
|
|
</property>
|
|
|
|
<property>
|
|
<name>xasecure.audit.destination.db.user</name>
|
|
<value>rangerlogger</value>
|
|
</property>
|
|
|
|
<property>
|
|
<name>xasecure.audit.destination.db.batch.filespool.dir</name>
|
|
<value>/tmp/audit/db/spool</value>
|
|
</property>
|
|
|
|
|
|
<!-- HDFS audit provider configuration -->
|
|
<property>
|
|
<name>xasecure.audit.destination.hdfs</name>
|
|
<value>false</value>
|
|
</property>
|
|
|
|
<property>
|
|
<name>xasecure.audit.destination.hdfs.dir</name>
|
|
<value>hdfs://localhost:8020/ranger/audit</value>
|
|
</property>
|
|
|
|
<property>
|
|
<name>xasecure.audit.destination.hdfs.batch.filespool.dir</name>
|
|
<value>/tmp/audit/hdfs/spool</value>
|
|
</property>
|
|
|
|
|
|
<!--
|
|
NOTE: These HDFS related configurations can be specified from here, or putting core-site.xml and hdfs-site.xml under classpath.
|
|
<property>
|
|
<name>xasecure.audit.destination.hdfs.config.fs.hdfs.impl</name>
|
|
<value>org.apache.hadoop.hdfs.DistributedFileSystem</value>
|
|
</property>
|
|
|
|
<property>
|
|
<name>xasecure.audit.destination.hdfs.config.hadoop.security.authentication</name>
|
|
<value>kerberos</value>
|
|
</property>
|
|
|
|
<property>
|
|
<name>xasecure.audit.destination.hdfs.config.dfs.namenode.kerberos.principal</name>
|
|
<value>nn/_HOST@EXAMPLE.COM</value>
|
|
</property>
|
|
-->
|
|
|
|
|
|
<!-- Log4j audit provider configuration -->
|
|
<property>
|
|
<name>xasecure.audit.destination.log4j</name>
|
|
<value>false</value>
|
|
</property>
|
|
|
|
<property>
|
|
<name>xasecure.audit.destination.log4j.logger</name>
|
|
<value>ranger_audit_logger</value>
|
|
</property>
|
|
|
|
<!-- Solr audit provider configuration -->
|
|
<property>
|
|
<name>xasecure.audit.destination.solr</name>
|
|
<value>true</value>
|
|
</property>
|
|
|
|
<property>
|
|
<name>xasecure.audit.destination.solr.batch.filespool.dir</name>
|
|
<value>/tmp/audit/solr/spool</value>
|
|
</property>
|
|
|
|
<!--
|
|
IMPORTANT: Solr destination can be specified by either HTTP URL or Zookeeper address.
|
|
However, when the target Solr is Kerberized, use Zookeeper address.
|
|
Because LBHttpSolrClient can not use following In-memory JAAS config as it overwrites JAAS config internally.
|
|
-->
|
|
<property>
|
|
<name>xasecure.audit.destination.solr.urls</name>
|
|
<!-- by HTTP URL
|
|
<value>http://localhost:6083/solr/ranger_audits</value>
|
|
-->
|
|
<!-- by Zookeeper address, recommended -->
|
|
<value>localhost:2181/solr</value>
|
|
</property>
|
|
|
|
<!--
|
|
If Solr is Kerberized, following in-memory JAAS properties are also needed to authenticate NiFi Registry as a Solr client.
|
|
|
|
Also, solr-security.json should be configured to allow this NiFi Registry user (specified by the principal)
|
|
to write audits to 'ranger_audits' Solr collection. See Solr documentation for how to configure solr-security.json.
|
|
https://lucene.apache.org/solr/guide/6_6/authentication-and-authorization-plugins.html
|
|
|
|
In case Ranger uses infra-solr resides in the same cluster managed by Ambari, you can configure required solr-security.json from:
|
|
Ambari -> Infra Solr -> Config -> Advanced -> Advanced infra-solr-security-json -> Ranger audit service users
|
|
E.g. {default_ranger_audit_users},nifi-registry
|
|
-->
|
|
<!-- Also, solr-security.json Ranger audit service users -->
|
|
<property>
|
|
<name>xasecure.audit.destination.solr.force.use.inmemory.jaas.config</name>
|
|
<value>true</value>
|
|
</property>
|
|
<property>
|
|
<name>xasecure.audit.jaas.Client.option.useKeyTab</name>
|
|
<value>true</value>
|
|
</property>
|
|
<property>
|
|
<name>xasecure.audit.jaas.Client.option.storeKey</name>
|
|
<value>false</value>
|
|
</property>
|
|
<property>
|
|
<name>xasecure.audit.jaas.Client.option.serviceName</name>
|
|
<value>solr</value>
|
|
</property>
|
|
<property>
|
|
<name>xasecure.audit.jaas.Client.option.principal</name>
|
|
<value>nifi-registry@EXAMPLE.COM</value>
|
|
</property>
|
|
<property>
|
|
<name>xasecure.audit.jaas.Client.option.keyTab</name>
|
|
<value>/etc/security/keytabs/nifi-registry.keytab</value>
|
|
</property>
|
|
<property>
|
|
<name>xasecure.audit.jaas.Client.loginModuleName</name>
|
|
<value>com.sun.security.auth.module.Krb5LoginModule</value>
|
|
</property>
|
|
<property>
|
|
<name>xasecure.audit.jaas.Client.loginModuleControlFlag</name>
|
|
<value>required</value>
|
|
</property>
|
|
|
|
</configuration>
|