Configuration parameters

Knox gateway port

HTTP port for Knox

8443

Gateway whitelist

A semicolon-delimited list of regular expressions that defines the allowed endpoints for Knox dispatches and redirects

^https?:\/\/(.*|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$

KNOX_GATEWAY_MEM_OPTS

A placeholder to allow customization of the gateway server’s JVM memory settings

 — 

gateway.truststore.password.alias

Alias for the password to the truststore file holding the trusted client certificates. Note that an alias with the provided name should be created using the knoxcli.sh create-alias command in order to provide the password; else the master secret will be used

gateway-truststore-password

gateway.truststore.path

Location of the truststore for client certificates to be trusted

 — 

gateway.truststore.type

Indicates the type of truststore at the path declared in gateway.truststore.path

JKS

gateway.tls.keystore.password.alias

Alias for the password to the keystore file holding the Gateway’s TLS certificate and keypair. Note that an alias with the provided name should be created using the knoxcli.sh create-alias command in order to provide the password; else the master secret will be used

gateway-identity-keystore-password

gateway.tls.keystore.path

The path to the keystore file where the Gateway’s TLS certificate and keypair are stored

data/security/keystores/gateway.jks

gateway.tls.keystore.type

The type of the keystore file where the Gateway’s TLS certificate and keypair are stored

JKS

gateway.tls.key.alias

The alias for the Gateway’s TLS certificate and keypair within the default keystore or the keystore specified via gateway.tls.keystore.path

gateway-identity

key_passphrase

Passphrase for the Gateway’s TLS private key stored within the default keystore or the keystore specified via gateway.tis.keystore.path. If empty — password for keystore is used

 — 

gateway.tls.key.passphrase.alias

The alias for passphrase for the Gateway’s TLS private key stored within the default keystore or the keystore specified via gateway.tls.keystore.path. Note that an alias with the provided name should be created using the knoxcli.sh create-alias command in order to provide the password; else the keystore password or the master secret will be used

gateway-identity-passphrase

ssl.exclude.protocols

Excludes a comma or pipe separated list of protocols to not accept for SSL or none

SSLv2,SSLv3,TLSv1,TLSv1.1

main.ldapRealm.contextFactory.url

The URL that represents the host and port of the LDAP server. It also includes the scheme of the protocol to use. This may be either ldap or ldaps depending on whether you are communicating with the LDAP over SSL (highly recommended)

ldap://example.com:389

main.ldapRealm.contextFactory.systemUsername

Full distinguished name (DN) including common name (CN) of an AD user account that can search for users

 — 

main.ldapRealm.contextFactory.systemPassword

Password for the account associated with main.ldapRealm.contextFactory.systemUsername

 — 

main.ldapRealm.searchBase

The distinguished name (DN) of a starting point for directory server searches

 — 

main.ldapRealm.userObjectClass

LDAP User Object Class

Person

main.ldapRealm.userSearchAttributeName

Attribute name for simplified search filter

sAMAccountName

main.ldapRealm.groupSearchBase

Search base for the groups

 — 

main.ldapRealm.groupObjectClass

LDAP Group object class

group

main.ldapRealm.groupIdAttribute

Attribute that uniquely identifies a group

cn

sessionTimeout

The session idle time in minutes

30

main.ldapRealm

Classname for Knox Shiro Realm implementation

org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm

main.ldapContextFactory

Classname for Knox Shiro LdapContextFactory implementation

org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory

main.ldapRealm.contextFactory

Context factory in the realm

$ldapContextFactory

main.ldapRealm.userSearchBase

Overrides main.ldapRealm.searchBase

 — 

main.ldapRealm.memberAttribute

Provides the group members

 — 

Master Secret

Master Secret that is used to protect the keystore, truststores, and credential stores for the gateway instance

 — 

xasecure.audit.destination.solr.batch.filespool.dir

Local disk directory for spool files

/srv/ranger/knox/audit_solr_spool

ranger.plugin.knox.policy.cache.dir

Directory to store Ranger policies once they are fetched

/srv/ranger/knox/policycache

ranger.plugin.knox.policy.pollIntervalMs

Interval to check for policy changes

30000

ranger.plugin.knox.policy.rest.client.connection.timeoutMs

Connection timeout in milliseconds

120000

ranger.plugin.knox.policy.rest.client.read.timeoutMs

Read timeout in milliseconds

30000

ranger.plugin.knox.policy.source.impl

Class used to retrieve policies

org.apache.ranger.admin.client.RangerAdminJersey2RESTClient

xasecure.policymgr.clientssl.keystore.credential.file

Path to the credential file for keystore password

/etc/knox/conf/rangerusersync.jceks

xasecure.policymgr.clientssl.truststore.credential.file

Path to the credential file for truststore password

/etc/knox/conf/rangerusersync.jceks

Password

Database user password

 — 

Password for admin user

Password for ADCM administrator

 — 

Password for keyadmin user

Password for Ranger KMS administrator

 — 

Password for rangerusersync user

Password for the user with the rights to add users and groups to Ranger Admin as part of the synchronization mechanism with LDAP/AD or UNIX

 — 

Credstore password opts

Defines whether a password is required for a credstore

password-file

ranger.db.encrypt.key.password

Password of the Master Key encryption

 — 

ranger.ks.jpa.jdbc.password

Database user’s password

 — 

ranger.ks.jpa.jdbc.url

JDBC connection URL for Ranger KMS database. Leave empty for automatic setup on the next reconfiguration

jdbc:mysql:<ranger-kms-host>:3306/rangerkms

ranger.ks.jpa.jdbc.driver

JDBC driver used for database

 — 

ranger.ks.jpa.jdbc.user

Database username used for the operations

rangerkms

ranger.ks.kerberos.keytab

Ranger KMS Kerberos keytab

 — 

ranger.ks.kerberos.principal

Ranger KMS Kerberos principal

 — 

ranger.audit.solr.urls

Used to connect Ranger Admin to Solr for audit

 — 

ranger.audit.solr.zookeepers

Used to connect Ranger Admin to Solr’s Zookeeper for audit

 — 

ranger.audit.source.type

Source for audit store. Currently, only Solr is suppported

 — 

ranger.authentication.method

Authentication methods (ACTIVE DIRECTORY, LDAP, NONE). These methods are used for login to Ranger Admin

NONE

ranger.jpa.jdbc.password

Password for the Ranger admin database

 — 

ranger.jpa.jdbc.url

JDBC connection URL for Ranger Admin database. Leave empty for automatic setup on the next reconfiguration

jdbc:mysql:<ranger-admin-host>:3306/ranger

ranger.jpa.jdbc.user

Username for Ranger admin database

rangeradmin

ranger.service.http.port

HTTP port for Ranger admin

6080

ranger.service.https.port

HTTPS port for Ranger admin

6182

ranger.service.shutdown.port

HTTP port used for graceful shutdown of the service

6085

ranger.solr.audit.user

Username to connect to Solr for audit

rangeraudit

ranger.solr.audit.user.password

Password for Solr user

 — 

ranger.admin.balancer.host

URL of a host with a load balancer

 — 

ranger.admin.balancer.port

Port on which a load balancer listens

 — 

ranger.admin.kerberos.token.valid.seconds

Time (in seconds) to validate the Kerberos token

 — 

xasecure.audit.destination.solr.batch.filespool.dir

Sets the directory where the spool files are stored when the in-memory buffer is full

/srv/ranger/kms/audit_solr_spool

ranger.service.http.port

HTTP Port for Ranger Admin

9292

ranger.service.https.port

HTTPS Port for Ranger Admin

9393

ranger.service.shutdown.port

HTTP port that will be used for the correct shutdown of the service

7085

ranger.contextName

Ranger web context

/kms

ranger.service.host

Ranger service host

localhost

ranger.plugin.kms.policy.cache.dir

Directory where Ranger policies are cached after being successfully retrieved from the source

srv/ranger/kms/policycache

ranger.usersync.port

Port for Unix authentication service

5151

ranger.usersync.role.assignment.list.delimiter

Delimiter to use while syncing roles to users, groups, and roles in Ranger Admin

&

ranger.usersync.sleeptimeinmillisbetweensynccycle

Sleep time (in milliseconds) interval between user sync operations

 — 

ranger.usersync.unix.minGroupId

Minimum Group ID to start syncing. This parameter is used to avoid syncing of UNIX system-level users in the Ranger Admin

500

ranger.usersync.unix.minUserId

Minimum User ID to start syncing. This parameter is used to avoid syncing of UNIX system-level users in the Ranger Admin

500

ranger.usersync.username.groupname.assignment.list.delimiter

Delimiter to use while syncing users and groups in Ranger Admin

,

ranger.usersync.users.groups.assignment.list.delimiter

Delimiter to use while syncing users and groups with specified roles in Ranger Admin. This delimiter separates the users and groups from respective roles

:

ranger.usersync.ldap.binddn

Full distinguished name (DN)

 — 

LDAP bind password

Password for the LDAP bind user

 — 

ranger.usersync.ldap.searchBase

Search base for the users and groups

rangerkms

ranger.usersync.ldap.url

LDAP server URL

ranger

ranger.usersync.ldap.user.groupnameattribute

LDAP user group name attribute

memberof,ismemberof

ranger.usersync.ldap.user.nameattribute

LDAP user name attribute

cn

ranger.usersync.ldap.user.objectclass

LDAP User Object Class

person

ranger.usersync.ldap.user.searchbase

Search base for the users

 — 

ranger.usersync.ldap.user.searchfilter

Optional additional filter constraining the users selected for syncing

 — 

ranger.usersync.ldap.user.searchscope

 — 

ranger.usersync.group.searchenabled

Whether Usersync should use ldapsearch to find groups instead of relying on user entry attributes

 — 

ranger.usersync.group.memberattributename

LDAP group member attribute name

member

ranger.usersync.group.nameattribute

LDAP group name attribute

cn

ranger.usersync.group.objectclass

LDAP Group object class

groupofnames

ranger.usersync.group.searchbase

Search base for the groups

 — 

ranger.usersync.group.searchfilter

Optional additional filter constraining the groups selected for syncing

 — 

ranger.usersync.group.searchscope

 — 

ranger.ldap.url

The LDAP server URL

 — 

ranger.ldap.bind.dn

The full distinguished name (DN) of an LDAP user to bind to

 — 

ranger.ldap.bind.password

The password for an LDAP user to bind to

 — 

ranger.ldap.base.dn

The distinguished name of the start for directory server searches

 — 

ranger.ldap.group.searchbase

The LDAP group search base

 — 

ranger.ldap.group.searchfilter

The LDAP group search filter

 — 

ranger.ldap.group.roleattribute

The LDAP group role attribute

 — 

ranger.ldap.user.searchfilter

The LDAP user search filter

 — 

ranger.ldap.user.dnpattern

The LDAP user DN

 — 

ranger.ldap.referral

ignore

ranger.ldap.ad.url

The Active Directory server URL

 — 

ranger.ldap.ad.bind.dn

The full distinguished name (DN) of an AD user to bind to

 — 

ranger.ldap.ad.bind.password

The password for an LDAP user to bind to

 — 

ranger.ldap.ad.base.dn

The Distinguished Name of the start for directory server searches

 — 

ranger.ldap.ad.domain

Server domain name (or IP address) where the ranger-usersync module is running (along with the AD Authentication Service)

 — 

ranger.ldap.ad.user.searchfilter

Search filter for Bind Authentication

sAMAccountName={0}

ranger.ldap.ad.referral

ignore

SOLR_HOME

The location for index data and configs

/srv/solr/server

SOLR_AUTH_TYPE

Specifies the authentication type for Solr

 — 

SOLR_AUTHENTICATION_OPTS

Autogenerated Solr authentication options

 — 

SOLR_AUTHENTICATION_OPTS_CUSTOM

Custom Solr authentication options

 — 

GC_TUNE

JVM parameters for Solr

-XX:-UseLargePages

SOLR_SSL_KEY_STORE:

The path to the Solr keystore file (.jks)

 — 

SOLR_SSL_KEY_STORE_PASSWORD

The password to the Solr keystore file

 — 

SOLR_SSL_TRUST_STORE

The path to the Solr truststore file (.jks)

 — 

SOLR_SSL_TRUST_STORE_PASSWORD

The password to the Solr truststore file

 — 

SOLR_SSL_NEED_CLIENT_AUTH

Defines if client authentication is enabled

false

SOLR_SSL_WANT_CLIENT_AUTH

Enables clients to authenticate (but not requires)

false

SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION

Defines whether to enable hostname verification

false

SOLR_HOST

Specifies the host name of the Solr server

 — 

LOG4J_PROPS

Path to a custom log4j configuration file

/etc/solr/conf/log4j2.xml,/etc/solr/conf/log4j2-console.xml

Custom solr-env.sh

 — 

solr.xml

The content of solr.xml

ZK_HOST

Comma-separated locations of all servers in the ensemble and the ports on which they communicate. You can put ZooKeeper chroot at the end of your ZK_HOST connection string. For example, host1.mydomain.com:2181,host2.mydomain.com:2181,host3.mydomain.com:2181/solr

 — 

Solr Server Heap Memory

Sets initial (-Xms) and maximum (-Xmx) Java heap size for Solr Server

-Xms512m -Xmx512m

xasecure.audit.solr.solr_url

A path to a Solr collection to store audit logs

 — 

xasecure.audit.solr.async.max.queue.size

The maximum size of internal queue used for storing audit logs

1

xasecure.audit.solr.async.max.flush.interval.ms

The maximum time interval between flushes to disk (in milliseconds)

100

ranger.solr.plugin.audit.excluded.users

Forbids access to Ranger audit logs for the listed users

HTTP,rangeradmin,rangerkms

ranger.plugin.solr.policy.rest.url

 — 

ranger.plugin.solr.service.name

 — 

ranger.plugin.solr.policy.cache.dir

/srv/ranger/yarn/policycache

ranger.plugin.solr.policy.pollIntervalMs

30000

ranger.plugin.solr.policy.rest.client.connection.timeoutMs

The Solr Plugin RangerRestClient connection timeout (in milliseconds)

120000

ranger.plugin.solr.policy.rest.client.read.timeoutMs

The Solr Plugin RangerRestClient read timeout (in milliseconds)

30000

xasecure.policymgr.clientssl.keystore

The path to the keystore file used by Ranger

 — 

xasecure.policymgr.clientssl.keystore.credential.file

The path to the keystore credentials file

/etc/{service-name}/conf/ranger-{service-name}.jceks

xasecure.policymgr.clientssl.truststore.credential.file

The path to the truststore credentials file

/etc/{service-name}/conf/ranger-{service-name}.jceks

xasecure.policymgr.clientssl.truststore

The path to the truststore file used by Ranger

 — 

xasecure.policymgr.clientssl.keystore.password

The password to the keystore file

 — 

xasecure.policymgr.clientssl.truststore.password

The password to the truststore file

 — 

Ranger plugin enabled

Enables the Ranger plugin

false

The ZooKeeper connection string used by other services or clusters. It is generated automatically

 — 

The location where ZooKeeper stores the in-memory database snapshots and, unless specified otherwise, the transaction log of updates to the database

/var/lib/zookeeper

The port to listen for client connections, that is the port that clients attempt to connect to

2181

The port that an embedded Jetty server listens on

5181

Enables Admin server — an embedded Jetty server that provides an HTTP interface to the four-letter-word commands

False

The basic time unit used by ZooKeeper (in milliseconds). It is used for heartbeats. The minimum session timeout will be twice the tickTime

2000

The timeouts that ZooKeeper uses to limit the length of the time for ZooKeeper servers in quorum to connect to the leader

5

Defines the maximum date skew between server and the leader

2

This property limits the number of active connections from the host, specified by IP address, to a single ZooKeeper Server

0

When enabled, ZooKeeper auto-purge feature retains the autopurge.snapRetainCount most recent snapshots and the corresponding transaction logs in the dataDir and dataLogDir respectively and deletes the rest. The minimum value is 3

3

The time interval, for which the purge task has to be triggered (in hours). Set to a positive integer (1 and above) to enable the auto-purging

24

Add key,value

 — 

sslQuorum

Enables encrypted quorum communication

False

serverCnxnFactory

Specifies ServerCnxnFactory implementation. To use TLS-based server communication, this should be set to NettyServerCnxnFactory

org.apache.zookeeper.server.NettyServerCnxnFactory

ssl.quorum.keyStore.location

Fully-qualified path to the server keystore file

 — 

ssl.quorum.keyStore.password

Password for keystore

 — 

ssl.quorum.trustStore.location

Fully-qualified path to the server truststore file

 — 

ssl.quorum.trustStore.password

Password for truststore

 — 

ssl.protocol

Protocol to be used in client TLS negotiation

TLSv1.2

ssl.quorum.protocol

Protocol to be used in quorum TLS negotiation

TLSv1.2

ZOO_LOG_DIR

The directory to store logs

/var/log/zookeeper

ZOOPIDFILE

The directory to store the ZooKeeper process ID

/var/run/zookeeper/zookeeper_server.pid

SERVER_JVMFLAGS

Used for setting different JVM parameters connected, for example, with garbage collecting

-Xmx1024m

JAVA

A path to Java

$JAVA_HOME/bin/java

ZOO_LOG4J_PROP

Used for setting the log4j logging level and defines, which log appenders to turn on. Enabling the log appender CONSOLE directs logs to stdout. Enabling ROLLINGFILE creates the zookeeper.log file, then this file gets rotated, and expired

INFO, CONSOLE, ROLLINGFILE