您最多选择25个主题
主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符
173 行
5.4 KiB
173 行
5.4 KiB
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!--
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
-->
|
|
<configuration>
|
|
|
|
<!-- KMS Backend KeyProvider -->
|
|
|
|
<property>
|
|
<name>hadoop.kms.key.provider.uri</name>
|
|
<value>jceks://file@/${user.home}/kms.keystore</value>
|
|
<description>
|
|
URI of the backing KeyProvider for the KMS.
|
|
</description>
|
|
</property>
|
|
|
|
<property>
|
|
<name>hadoop.security.keystore.java-keystore-provider.password-file</name>
|
|
<value>kms.keystore.password</value>
|
|
<description>
|
|
If using the JavaKeyStoreProvider, the file name for the keystore password.
|
|
</description>
|
|
</property>
|
|
|
|
<!-- KMS Cache -->
|
|
|
|
<property>
|
|
<name>hadoop.kms.cache.enable</name>
|
|
<value>true</value>
|
|
<description>
|
|
Whether the KMS will act as a cache for the backing KeyProvider.
|
|
When the cache is enabled, operations like getKeyVersion, getMetadata,
|
|
and getCurrentKey will sometimes return cached data without consulting
|
|
the backing KeyProvider. Cached values are flushed when keys are deleted
|
|
or modified.
|
|
</description>
|
|
</property>
|
|
|
|
<property>
|
|
<name>hadoop.kms.cache.timeout.ms</name>
|
|
<value>600000</value>
|
|
<description>
|
|
Expiry time for the KMS key version and key metadata cache, in
|
|
milliseconds. This affects getKeyVersion and getMetadata.
|
|
</description>
|
|
</property>
|
|
|
|
<property>
|
|
<name>hadoop.kms.current.key.cache.timeout.ms</name>
|
|
<value>30000</value>
|
|
<description>
|
|
Expiry time for the KMS current key cache, in milliseconds. This
|
|
affects getCurrentKey operations.
|
|
</description>
|
|
</property>
|
|
|
|
<!-- KMS Audit -->
|
|
|
|
<property>
|
|
<name>hadoop.kms.audit.aggregation.window.ms</name>
|
|
<value>10000</value>
|
|
<description>
|
|
Duplicate audit log events within the aggregation window (specified in
|
|
ms) are quashed to reduce log traffic. A single message for aggregated
|
|
events is printed at the end of the window, along with a count of the
|
|
number of aggregated events.
|
|
</description>
|
|
</property>
|
|
|
|
<!-- KMS Security -->
|
|
|
|
<property>
|
|
<name>hadoop.kms.authentication.type</name>
|
|
<value>simple</value>
|
|
<description>
|
|
Authentication type for the KMS. Can be either "simple"
|
|
or "kerberos".
|
|
</description>
|
|
</property>
|
|
|
|
<property>
|
|
<name>hadoop.kms.authentication.kerberos.keytab</name>
|
|
<value>${user.home}/kms.keytab</value>
|
|
<description>
|
|
Path to the keytab with credentials for the configured Kerberos principal.
|
|
</description>
|
|
</property>
|
|
|
|
<property>
|
|
<name>hadoop.kms.authentication.kerberos.principal</name>
|
|
<value>HTTP/localhost</value>
|
|
<description>
|
|
The Kerberos principal to use for the HTTP endpoint.
|
|
The principal must start with 'HTTP/' as per the Kerberos HTTP SPNEGO specification.
|
|
</description>
|
|
</property>
|
|
|
|
<property>
|
|
<name>hadoop.kms.authentication.kerberos.name.rules</name>
|
|
<value>DEFAULT</value>
|
|
<description>
|
|
Rules used to resolve Kerberos principal names.
|
|
</description>
|
|
</property>
|
|
|
|
<!-- Authentication cookie signature source -->
|
|
|
|
<property>
|
|
<name>hadoop.kms.authentication.signer.secret.provider</name>
|
|
<value>random</value>
|
|
<description>
|
|
Indicates how the secret to sign the authentication cookies will be
|
|
stored. Options are 'random' (default), 'string' and 'zookeeper'.
|
|
If using a setup with multiple KMS instances, 'zookeeper' should be used.
|
|
</description>
|
|
</property>
|
|
|
|
<!-- Configuration for 'zookeeper' authentication cookie signature source -->
|
|
|
|
<property>
|
|
<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.path</name>
|
|
<value>/hadoop-kms/hadoop-auth-signature-secret</value>
|
|
<description>
|
|
The Zookeeper ZNode path where the KMS instances will store and retrieve
|
|
the secret from.
|
|
</description>
|
|
</property>
|
|
|
|
<property>
|
|
<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.connection.string</name>
|
|
<value>#HOSTNAME#:#PORT#,...</value>
|
|
<description>
|
|
The Zookeeper connection string, a list of hostnames and port comma
|
|
separated.
|
|
</description>
|
|
</property>
|
|
|
|
<property>
|
|
<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.auth.type</name>
|
|
<value>none</value>
|
|
<description>
|
|
The Zookeeper authentication type, 'none' (default) or 'sasl' (Kerberos).
|
|
</description>
|
|
</property>
|
|
|
|
<property>
|
|
<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab</name>
|
|
<value>/etc/hadoop/conf/kms.keytab</value>
|
|
<description>
|
|
The absolute path for the Kerberos keytab with the credentials to
|
|
connect to Zookeeper.
|
|
</description>
|
|
</property>
|
|
|
|
<property>
|
|
<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal</name>
|
|
<value>kms/#HOSTNAME#</value>
|
|
<description>
|
|
The Kerberos service principal used to connect to Zookeeper.
|
|
</description>
|
|
</property>
|
|
|
|
</configuration>
|