hadoop.kms.key.provider.uri
jceks://file@/${user.home}/kms.keystore
URI of the backing KeyProvider for the KMS.
hadoop.security.keystore.JavaKeyStoreProvider.password
none
If using the JavaKeyStoreProvider, the password for the keystore file.
hadoop.kms.cache.enable
true
Whether the KMS will act as a cache for the backing KeyProvider.
When the cache is enabled, operations like getKeyVersion, getMetadata,
and getCurrentKey will sometimes return cached data without consulting
the backing KeyProvider. Cached values are flushed when keys are deleted
or modified.
hadoop.kms.cache.timeout.ms
600000
Expiry time for the KMS key version and key metadata cache, in
milliseconds. This affects getKeyVersion and getMetadata.
hadoop.kms.current.key.cache.timeout.ms
30000
Expiry time for the KMS current key cache, in milliseconds. This
affects getCurrentKey operations.
hadoop.kms.audit.aggregation.window.ms
10000
Duplicate audit log events within the aggregation window (specified in
ms) are quashed to reduce log traffic. A single message for aggregated
events is printed at the end of the window, along with a count of the
number of aggregated events.
hadoop.kms.authentication.type
simple
Authentication type for the KMS. Can be either "simple"
or "kerberos".
hadoop.kms.authentication.kerberos.keytab
${user.home}/kms.keytab
Path to the keytab with credentials for the configured Kerberos principal.
hadoop.kms.authentication.kerberos.principal
HTTP/localhost
The Kerberos principal to use for the HTTP endpoint.
The principal must start with 'HTTP/' as per the Kerberos HTTP SPNEGO specification.
hadoop.kms.authentication.kerberos.name.rules
DEFAULT
Rules used to resolve Kerberos principal names.
hadoop.kms.authentication.signer.secret.provider
random
Indicates how the secret to sign the authentication cookies will be
stored. Options are 'random' (default), 'string' and 'zookeeper'.
If using a setup with multiple KMS instances, 'zookeeper' should be used.
hadoop.kms.authentication.signer.secret.provider.zookeeper.path
/hadoop-kms/hadoop-auth-signature-secret
The Zookeeper ZNode path where the KMS instances will store and retrieve
the secret from.
hadoop.kms.authentication.signer.secret.provider.zookeeper.connection.string
#HOSTNAME#:#PORT#,...
The Zookeeper connection string, a list of hostnames and port comma
separated.
hadoop.kms.authentication.signer.secret.provider.zookeeper.auth.type
kerberos
The Zookeeper authentication type, 'none' or 'sasl' (Kerberos).
hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab
/etc/hadoop/conf/kms.keytab
The absolute path for the Kerberos keytab with the credentials to
connect to Zookeeper.
hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal
kms/#HOSTNAME#
The Kerberos service principal used to connect to Zookeeper.