123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173 |
- <?xml version="1.0" encoding="UTF-8"?>
- <!--
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- -->
- <configuration>
- <!-- KMS Backend KeyProvider -->
- <property>
- <name>hadoop.kms.key.provider.uri</name>
- <value>jceks://file@/${user.home}/kms.keystore</value>
- <description>
- URI of the backing KeyProvider for the KMS.
- </description>
- </property>
- <property>
- <name>hadoop.security.keystore.JavaKeyStoreProvider.password</name>
- <value>none</value>
- <description>
- If using the JavaKeyStoreProvider, the password for the keystore file.
- </description>
- </property>
- <!-- KMS Cache -->
- <property>
- <name>hadoop.kms.cache.enable</name>
- <value>true</value>
- <description>
- Whether the KMS will act as a cache for the backing KeyProvider.
- When the cache is enabled, operations like getKeyVersion, getMetadata,
- and getCurrentKey will sometimes return cached data without consulting
- the backing KeyProvider. Cached values are flushed when keys are deleted
- or modified.
- </description>
- </property>
- <property>
- <name>hadoop.kms.cache.timeout.ms</name>
- <value>600000</value>
- <description>
- Expiry time for the KMS key version and key metadata cache, in
- milliseconds. This affects getKeyVersion and getMetadata.
- </description>
- </property>
- <property>
- <name>hadoop.kms.current.key.cache.timeout.ms</name>
- <value>30000</value>
- <description>
- Expiry time for the KMS current key cache, in milliseconds. This
- affects getCurrentKey operations.
- </description>
- </property>
- <!-- KMS Audit -->
- <property>
- <name>hadoop.kms.audit.aggregation.window.ms</name>
- <value>10000</value>
- <description>
- Duplicate audit log events within the aggregation window (specified in
- ms) are quashed to reduce log traffic. A single message for aggregated
- events is printed at the end of the window, along with a count of the
- number of aggregated events.
- </description>
- </property>
- <!-- KMS Security -->
- <property>
- <name>hadoop.kms.authentication.type</name>
- <value>simple</value>
- <description>
- Authentication type for the KMS. Can be either "simple"
- or "kerberos".
- </description>
- </property>
- <property>
- <name>hadoop.kms.authentication.kerberos.keytab</name>
- <value>${user.home}/kms.keytab</value>
- <description>
- Path to the keytab with credentials for the configured Kerberos principal.
- </description>
- </property>
- <property>
- <name>hadoop.kms.authentication.kerberos.principal</name>
- <value>HTTP/localhost</value>
- <description>
- The Kerberos principal to use for the HTTP endpoint.
- The principal must start with 'HTTP/' as per the Kerberos HTTP SPNEGO specification.
- </description>
- </property>
- <property>
- <name>hadoop.kms.authentication.kerberos.name.rules</name>
- <value>DEFAULT</value>
- <description>
- Rules used to resolve Kerberos principal names.
- </description>
- </property>
- <!-- Authentication cookie signature source -->
- <property>
- <name>hadoop.kms.authentication.signer.secret.provider</name>
- <value>random</value>
- <description>
- Indicates how the secret to sign the authentication cookies will be
- stored. Options are 'random' (default), 'string' and 'zookeeper'.
- If using a setup with multiple KMS instances, 'zookeeper' should be used.
- </description>
- </property>
- <!-- Configuration for 'zookeeper' authentication cookie signature source -->
- <property>
- <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.path</name>
- <value>/hadoop-kms/hadoop-auth-signature-secret</value>
- <description>
- The Zookeeper ZNode path where the KMS instances will store and retrieve
- the secret from.
- </description>
- </property>
- <property>
- <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.connection.string</name>
- <value>#HOSTNAME#:#PORT#,...</value>
- <description>
- The Zookeeper connection string, a list of hostnames and port comma
- separated.
- </description>
- </property>
- <property>
- <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.auth.type</name>
- <value>kerberos</value>
- <description>
- The Zookeeper authentication type, 'none' or 'sasl' (Kerberos).
- </description>
- </property>
- <property>
- <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab</name>
- <value>/etc/hadoop/conf/kms.keytab</value>
- <description>
- The absolute path for the Kerberos keytab with the credentials to
- connect to Zookeeper.
- </description>
- </property>
- <property>
- <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal</name>
- <value>kms/#HOSTNAME#</value>
- <description>
- The Kerberos service principal used to connect to Zookeeper.
- </description>
- </property>
- </configuration>
|