Configuration parameters

This topic describes the parameters that can be configured for ADPS services via ADCM. For the configuration procedure itself, refer to the relevant articles: Online installation, Offline installation.

NOTE
  • Some of the parameters become visible in the ADCM UI after the Advanced flag has been set.

  • The parameters that are set in the Custom group will overwrite the existing parameters even if they are read-only.

Knox

gateway-site.xml
Parameter Description Default value

Knox gateway port

HTTP port for Knox

8443

Gateway whitelist

A semicolon-delimited list of regular expressions that defines the allowed endpoints for Knox dispatches and redirects. Note that the .* alternative in the default value matches any host, so the default only requires an http or https scheme followed by an explicit numeric port; for a production deployment, replace it with patterns that name the hosts Knox is allowed to dispatch or redirect to

^https?:\/\/(.*|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$
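The following Python script is an added illustration, not code from ADPS or Apache Knox. It evaluates a semicolon-delimited whitelist the way the table describes (each pattern is tried in turn against the whole URL) and compares the default list with a hardened one that names two assumed Knox hosts, knox1.example.com and knox2.example.com, plus the loopback addresses. The sample URLs are constructed for the demonstration.

```python
import re

# Default value of "Gateway whitelist" (gateway.dispatch.whitelist) from the table above.
DEFAULT_WHITELIST = r"^https?:\/\/(.*|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$"

# Hardened replacement. The host names are assumptions for this example, not ADPS defaults:
# only the two Knox hosts over HTTPS, and loopback for services on the gateway node itself.
HARDENED_WHITELIST = (
    r"^https:\/\/(knox1\.example\.com|knox2\.example\.com):[0-9]+\/.*$;"
    r"^https?:\/\/(localhost|127\.0\.0\.1|::1):[0-9]+\/.*$"
)


def is_whitelisted(url: str, whitelist: str) -> bool:
    """True if url matches any ';'-separated pattern in whitelist as a whole string."""
    for pattern in (p.strip() for p in whitelist.split(";")):
        if pattern and re.fullmatch(pattern, url):
            return True
    return False


def evaluate(whitelist: str, urls) -> dict:
    """Decision per URL, so the two lists can be compared side by side."""
    return {u: is_whitelisted(u, whitelist) for u in urls}


# Constructed dispatch/redirect targets: two legitimate ones and two to an external host.
SAMPLE_URLS = [
    "https://knox1.example.com:8443/gateway/default/webhdfs/v1/",
    "http://127.0.0.1:8080/",
    "https://attacker.example.net:443/collect",  # external host with a port
    "https://attacker.example.net/collect",      # external host without a port
]

if __name__ == "__main__":
    for name, wl in (("default", DEFAULT_WHITELIST), ("hardened", HARDENED_WHITELIST)):
        for url, allowed in evaluate(wl, SAMPLE_URLS).items():
            print(f"{name:8} {'ALLOW' if allowed else 'DENY':5} {url}")
```

Run as is to print the decision for each URL. The default list lets the external host through purely because of the .* alternative; it rejects the port-less variant only because the pattern insists on ":digit", so a DENY on such a URL is not evidence of a restrictive whitelist.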

knox-env.sh
Parameter Description Default value

KNOX_GATEWAY_MEM_OPTS

A placeholder to allow customization of the gateway server’s JVM memory settings

 — 

KNOX_GATEWAY_LOG_DIR

Indicates where the gateway server should write its own error/standard output messages to

/var/log/knox

Configure SSL Knox Gateway
Parameter Description Default value

gateway.truststore.password.alias

Alias for the password to the truststore file holding the trusted client certificates. Note that an alias with the provided name should be created using the knoxcli.sh create-alias command in order to provide the password; else the master secret will be used

gateway-truststore-password

gateway.truststore.path

Location of the truststore for client certificates to be trusted

 — 

gateway.truststore.type

Indicates the type of truststore at the path declared in gateway.truststore.path

JKS

gateway.tls.keystore.password.alias

Alias for the password to the keystore file holding the Gateway’s TLS certificate and keypair. Note that an alias with the provided name should be created using the knoxcli.sh create-alias command in order to provide the password; else the master secret will be used

gateway-identity-keystore-password

gateway.tls.keystore.path

The path to the keystore file where the Gateway’s TLS certificate and keypair are stored

 — 

gateway.tls.keystore.type

The type of the keystore file where the Gateway’s TLS certificate and keypair are stored

JKS

gateway.tls.key.alias

The alias for the Gateway’s TLS certificate and keypair within the default keystore or the keystore specified via gateway.tls.keystore.path

gateway-identity

key_passphrase

Passphrase for the Gateway’s TLS private key stored within the default keystore or the keystore specified via gateway.tls.keystore.path. If empty, the keystore password is used

 — 

gateway.tls.key.passphrase.alias

The alias for passphrase for the Gateway’s TLS private key stored within the default keystore or the keystore specified via gateway.tls.keystore.path. Note that an alias with the provided name should be created using the knoxcli.sh create-alias command in order to provide the password; else the keystore password or the master secret will be used

gateway-identity-passphrase

ssl.exclude.protocols

A comma- or pipe-separated list of SSL/TLS protocol versions that the gateway must not accept, or none to exclude nothing. Keep the legacy versions in the default list excluded

SSLv2,SSLv3,TLSv1,TLSv1.1

External LDAP authentication
Parameter Description Default value

main.ldapRealm.contextFactory.url

The URL of the LDAP server: scheme, host, and port. The scheme is ldap or ldaps depending on whether the connection uses SSL/TLS. ldaps is highly recommended, because over plain ldap the simple bind sends the password from main.ldapRealm.contextFactory.systemPassword, as well as every user’s login password, in clear text

ldap://example.com:389

main.ldapRealm.contextFactory.systemUsername

Full distinguished name (DN) including common name (CN) of an AD user account that can search for users

 — 

main.ldapRealm.contextFactory.systemPassword

Password for the account associated with main.ldapRealm.contextFactory.systemUsername

 — 

main.ldapRealm.searchBase

The distinguished name (DN) of a starting point for directory server searches

 — 

main.ldapRealm.userObjectClass

LDAP User Object Class

Person

main.ldapRealm.userSearchAttributeName

Attribute name for simplified search filter

sAMAccountName

main.ldapRealm.groupSearchBase

Search base for the groups

 — 

main.ldapRealm.groupObjectClass

LDAP Group object class

group

main.ldapRealm.groupIdAttribute

Attribute that uniquely identifies a group

sAMAccountName

sessionTimeout

The session idle time in minutes

30

main.ldapRealm

Classname for Knox Shiro Realm implementation

org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm

main.ldapContextFactory

Classname for Knox Shiro LdapContextFactory implementation

org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory

main.ldapRealm.contextFactory

Context factory in the realm

$ldapContextFactory

main.ldapRealm.userSearchBase

Overrides main.ldapRealm.searchBase

 — 

main.ldapRealm.memberAttribute

Attribute of a group entry that lists the members of the group

member

security
Parameter Description Default value

Master Secret

Master Secret that is used to protect the keystore, truststores, and credential stores for the gateway instance

 — 

Ranger plugin credstore password

Ranger plugin credential provider password

 — 

ranger-knox-audit.xml
Parameter Description Default value

xasecure.audit.destination.solr.batch.filespool.dir

Local disk directory for spool files

/srv/ranger/knox/audit_solr_spool

ranger-knox-security.xml
Parameter Description Default value

ranger.plugin.knox.policy.cache.dir

Directory to store Ranger policies once they are fetched

/srv/ranger/knox/policycache

ranger.plugin.knox.policy.pollIntervalMs

Interval to check for policy changes

30000

ranger.plugin.knox.policy.rest.client.connection.timeoutMs

Connection timeout in milliseconds

120000

ranger.plugin.knox.policy.rest.client.read.timeoutMs

Read timeout in milliseconds

30000

ranger.plugin.knox.policy.source.impl

Class used to retrieve policies

org.apache.ranger.admin.client.RangerAdminJersey2RESTClient

ranger-knox-policymgr-ssl.xml
Parameter Description Default value

xasecure.policymgr.clientssl.keystore

The location of the keystore file that was created previously

 — 

xasecure.policymgr.clientssl.keystore.credential.file

Path to the credential file for keystore password

/etc/knox/conf/rangerusersync.jceks

xasecure.policymgr.clientssl.truststore.credential.file

Path to the credential file for truststore password

/etc/knox/conf/rangerusersync.jceks

xasecure.policymgr.clientssl.truststore

The location of the truststore file that was created previously

 — 

xasecure.policymgr.clientssl.keystore.password

The password for the JKS keystore file specified in xasecure.policymgr.clientssl.keystore, which the Knox Ranger plugin presents when it connects to Ranger Admin over SSL

 — 

xasecure.policymgr.clientssl.truststore.password

The password for the JKS truststore file specified in xasecure.policymgr.clientssl.truststore, which the Knox Ranger plugin uses to verify the Ranger Admin certificate

 — 

Other
Parameter Description Default value

Custom gateway-site.xml

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the gateway-site.xml configuration file

 — 

Custom knox-env.sh

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the knox-env.sh configuration file

 — 

Custom ranger-knox-audit.xml

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-knox-audit.xml configuration file

 — 

Custom ranger-knox-security.xml

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-knox-security.xml configuration file

 — 

Custom ranger-knox-policymgr-ssl.xml

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-knox-policymgr-ssl.xml configuration file

 — 

 
The Knox Gateway component contains the logging settings described below.

gateway-log4j2.xml template
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<Configuration>
    <Properties>
        <Property name="app.log.dir">${env:KNOX_GATEWAY_LOG_DIR}</Property>
        <Property name="app.log.file">${sys:launcher.name}.log</Property>
        <Property name="app.audit.file">${sys:launcher.name}-audit.log</Property>
    </Properties>

    <Appenders>
        <RollingFile name="auditfile" fileName="${app.log.dir}/${app.audit.file}" filePattern="${app.log.dir}/${app.audit.file}.%d{yyyy-MM-dd}">
            <AuditLayout />
            <TimeBasedTriggeringPolicy />
        </RollingFile>
        <Console name="stdout" target="SYSTEM_OUT">
            <PatternLayout pattern="%d{yy/MM/dd HH:mm:ss} %p %c{2}: %m%n" />
        </Console>
        <RollingFile name="drfa" fileName="${app.log.dir}/${app.log.file}" filePattern="${app.log.dir}/${app.log.file}.%d{yyyy-MM-dd}">
            <!-- Same as ISO8601 format but without the 'T' (log4j1 compatible) -->
            <PatternLayout pattern="%d{yyyy-MM-dd' 'HH:mm:ss,SSS} %X{trace_id} %-5p %c{2} (%F:%M(%L)) - %m%n" />
            <TimeBasedTriggeringPolicy />
        </RollingFile>
<!--        <RollingFile name="httpclient" fileName="${app.log.dir}/${launcher.name}-http-client.log" filePattern="${app.log.dir}/${launcher.name}-http-client.log.%d{yyyy-MM-dd}">-->
<!--            <PatternLayout pattern="%d{ISO8601}|%t|%m%n" />-->
<!--            <TimeBasedTriggeringPolicy />-->
<!--        </RollingFile>-->
<!--        <RollingFile name="httpaccess" fileName="${app.log.dir}/${launcher.name}-http-access.log" filePattern="${app.log.dir}/${launcher.name}-http-access.log.%d{yyyy-MM-dd}">-->
<!--            <PatternLayout pattern="%d{ISO8601}|%t|%m%n" />-->
<!--            <TimeBasedTriggeringPolicy />-->
<!--        </RollingFile>-->
<!--        <RollingFile name="httpserver" fileName="${app.log.dir}/${launcher.name}-http-server.log" filePattern="${app.log.dir}/${launcher.name}-http-server.log.%d{yyyy-MM-dd}">-->
<!--            <PatternLayout pattern="%d{ISO8601}|%t|%m%n" />-->
<!--            <TimeBasedTriggeringPolicy />-->
<!--        </RollingFile>-->
    </Appenders>
    <Loggers>
        <Logger name="audit" level="INFO">
            <AppenderRef ref="auditfile" />
        </Logger>
        <Logger name="org.apache.knox.gateway" level="INFO" />
        <Root level="ERROR">
            <AppenderRef ref="drfa" />
        </Root>
<!--        <Logger name="org.apache.knox.gateway.websockets" level="DEBUG" />-->
<!--        <Logger name="org.springframework" level="DEBUG" />-->
<!--        <Logger name="org.apache.knox.gateway.http.request.body" level="OFF" />-->
<!--        <Logger name="org.apache.knox.gateway.http" level="TRACE">-->
<!--            <AppenderRef ref="httpserver" />-->
<!--        </Logger>-->
<!--        <Logger name="org.apache.shiro" level="DEBUG" />-->
<!--        <Logger name="org.apache.knox.gateway.http.response.body" level="OFF" />-->
<!--        <Logger name="org.apache.http.client" level="DEBUG" />-->
<!--        <Logger name="org.apache.knox.gateway.http.request.headers" level="OFF" />-->
<!--        <Logger name="org.apache.http.wire" level="DEBUG">-->
<!--            <AppenderRef ref="httpclient" />-->
<!--        </Logger>-->
<!--        <Logger name="org.apache.knox.gateway.http.response.headers" level="OFF" />-->
<!--        <Logger name="net.sf.ehcache" level="DEBUG" />-->
<!--        <Logger name="org.apache.http" level="DEBUG" />-->
<!--        <Logger name="org.apache.http.headers" level="DEBUG" />-->
<!--        <Logger name="org.apache.shiro.util.ThreadContext" level="DEBUG" />-->
<!--        <Logger name="org.apache.knox.gateway" level="DEBUG" />-->
<!--        <Logger name="org.eclipse.jetty" level="DEBUG" />-->
<!--        <Logger name="org.apache.knox.gateway.access" level="TRACE">-->
<!--            <AppenderRef ref="httpaccess" />-->
<!--        </Logger>-->
    </Loggers>
</Configuration>
knoxshell-log4j2.xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<Configuration>
    <Properties>
        <Property name="app.log.dir">${env:KNOX_GATEWAY_LOG_DIR}</Property>
        <Property name="app.log.file">${sys:launcher.name}.log</Property>
    </Properties>
    <Appenders>
        <Console name="stdout" target="SYSTEM_OUT">
            <PatternLayout pattern="%d{yy/MM/dd HH:mm:ss} %p %c{2}: %m%n" />
        </Console>
        <RollingFile name="drfa" fileName="${app.log.dir}/${app.log.file}" filePattern="${app.log.dir}/${app.log.file}.%d{yyyy-MM-dd}">
            <PatternLayout pattern="%d{ISO8601} %-5p %c{2} (%F:%M(%L)) - %m%n" />
            <TimeBasedTriggeringPolicy />
        </RollingFile>
    </Appenders>
    <Loggers>
        <Logger name="org.apache.http.impl.client" level="INFO" />
        <Logger name="org.apache.http.client" level="INFO" />
        <Logger name="org.apache.http.impl.conn" level="INFO" />
        <Root level="ERROR">
            <AppenderRef ref="drfa" />
        </Root>
    </Loggers>
</Configuration>

MariaDB

root user
Parameter Description Default value

Password

Database user password

 — 

 
The MariaDB Master Server component has configuration parameters of its own, which are described below.

Enable custom ulimits
[Manager]
DefaultLimitCPU=
DefaultLimitFSIZE=
DefaultLimitDATA=
DefaultLimitSTACK=
DefaultLimitCORE=
DefaultLimitRSS=
DefaultLimitNOFILE=
DefaultLimitAS=
DefaultLimitNPROC=
DefaultLimitMEMLOCK=
DefaultLimitLOCKS=
DefaultLimitSIGPENDING=
DefaultLimitMSGQUEUE=
DefaultLimitNICE=
DefaultLimitRTPRIO=
DefaultLimitRTTIME=

Ranger

Credentials
Parameter Description Default value

Password for admin user

Password for the Ranger administrator

 — 

Password for keyadmin user

Password for the Ranger KMS administrator

 — 

Password for rangerusersync user

Password for the user with the rights to add users and groups to Ranger Admin as part of the synchronization mechanism with LDAP/AD or UNIX

 — 

Credstore password opts

Defines whether a password is required for a credstore

password-file

dbks-site.xml
Parameter Description Default value

ranger.db.encrypt.key.password

Password used to encrypt the Ranger KMS master key stored in the database

 — 

ranger.ks.jpa.jdbc.password

Database user’s password

 — 

ranger.ks.jpa.jdbc.url

JDBC connection URL for the Ranger KMS database. Leave empty for automatic setup on the next reconfiguration

jdbc:mysql://{{ groups['mysql.master'][0] | d(omit) }}:3306/rangerkms

ranger.ks.jpa.jdbc.driver

A classname for a JDBC driver for the Ranger KMS DB

com.mysql.jdbc.Driver

ranger.ks.jdbc.sqlconnectorjar

Path to a JDBC driver JAR for the Ranger KMS DB

/usr/share/java/jdbc-mysql-connector.jar

ranger.ks.jpa.jdbc.user

Database username used for the operations

rangerkms

ranger.ks.kerberos.keytab

Ranger KMS Kerberos keytab

 — 

ranger.ks.kerberos.principal

Ranger KMS Kerberos principal

 — 

Ranger KMS install.properties
Parameter Description Default value

DB_FLAVOR

DBMS that is used to manage the Ranger KMS metadata database

MYSQL

Custom install.properties

Additional installation parameters

install.properties

ranger-admin-site.xml
Parameter Description Default value

ranger.audit.solr.urls

Used to connect Ranger Admin to Solr for audit

 — 

ranger.audit.solr.zookeepers

Used to connect Ranger Admin to Solr’s Zookeeper for audit

 — 

ranger.audit.source.type

Source for audit store. Currently, only Solr is supported

solr

ranger.authentication.method

Authentication method used to log in to Ranger Admin. Possible values: ACTIVE_DIRECTORY, LDAP, NONE

NONE

ranger.jpa.jdbc.driver

A classname for a JDBC driver for the Ranger Admin DB

com.mysql.jdbc.Driver

ranger.jdbc.sqlconnectorjar

Path to a JDBC driver JAR for the Ranger Admin DB

/usr/share/java/jdbc-mysql-connector.jar

ranger.jpa.jdbc.password

Password for the Ranger Admin database

 — 

ranger.jpa.jdbc.url

JDBC connection URL for the Ranger Admin database. Leave empty for automatic setup on the next reconfiguration

jdbc:mysql://{{ groups['mysql.master'][0] | d(omit) }}:3306/ranger

ranger.jpa.jdbc.user

Username for the Ranger Admin database

rangeradmin

ranger.service.http.port

HTTP port for Ranger Admin

6080

ranger.service.https.port

HTTPS port for Ranger Admin

6182

ranger.service.shutdown.port

TCP port on which the embedded web server listens for the shutdown command used to stop the service gracefully (not an HTTP endpoint)

6085

ranger.solr.audit.user

Username to connect to Solr for audit

rangeraudit

ranger.solr.audit.user.password

Password for Solr user

 — 

ranger.admin.balancer.host

Host name of the load balancer in front of Ranger Admin

 — 

ranger.admin.balancer.port

Port on which a load balancer listens

 — 

ranger.admin.kerberos.token.valid.seconds

Validity period (in seconds) of the authentication token that Ranger Admin issues after a successful Kerberos login

 — 

Ranger Admin install.properties
Parameter Description Default value

DB_FLAVOR

DBMS that is used to manage the Ranger Admin metadata database

MYSQL

Custom install.properties

Additional installation parameters

install.properties

core-site.xml
Parameter Description Default value

hadoop.security.key.provider.path

The key provider to use when interacting with encryption keys used when reading and writing to an encryption zone. The scheme inside the URI must match how Ranger KMS is exposed: http with the HTTP port (9292 by default), or https with the HTTPS port (9393 by default) once SSL is configured for KMS

kms://http@<ranger-kms-host>:9292/kms

User managed hadoop.security.auth_to_local

Determines whether to let the user define hadoop.security.auth_to_local

false

hadoop.security.auth_to_local

Maps Kerberos principals to local user names. Rules are applied in order and the first rule that matches wins. A RULE:[n:format] entry applies only to principals with n components before the realm, so RULE:[1:...] handles user principals such as name@REALM and RULE:[2:...] handles service principals such as name/host@REALM. AD.RANGER-TEST is an example realm that must be replaced with the real one. To enter the value manually, set User managed hadoop.security.auth_to_local to true. The default value is shown below with one rule per line

RULE:[1:$1@$0](.*@AD.RANGER-TEST)s/@.*//
RULE:[2:$1@$0](hbase@AD.RANGER-TEST)s/.*/hbase/
RULE:[2:$1@$0](hdfs-namenode@AD.RANGER-TEST)s/.*/hdfs/
RULE:[2:$1@$0](hdfs-datanode@AD.RANGER-TEST)s/.*/hdfs/
RULE:[2:$1@$0](rangeradmin@AD.RANGER-TEST)s/.*/ranger/
RULE:[2:$1@$0](rangerkms@AD.RANGER-TEST)s/.*/keyadmin/
RULE:[2:$1@$0](rangertagsync@AD.RANGER-TEST)s/.*/rangertagsync/
RULE:[2:$1@$0](rangerusersync@AD.RANGER-TEST)s/.*/rangerusersync/
RULE:[2:$1@$0](hive@AD.RANGER-TEST)s/.*/hive/
RULE:[2:$1/$2@$0](yarn-resourcemanager/.*@AD.RANGER-TEST)s/.*/yarn/
RULE:[2:$1/$2@$0](yarn-nodemanager/.*@AD.RANGER-TEST)s/.*/yarn/
RULE:[2:$1/$2@$0](yarn/.*@AD.RANGER-TEST)s/.*/yarn/
RULE:[2:$1/$2@$0](mapreduce-historyserver/.*@AD.RANGER-TEST)s/.*/mapred/
DEFAULT
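The following Python script is an added example, not Hadoop’s or ADPS’s code: a compact re-implementation of how Hadoop evaluates auth_to_local rules (component count, format expansion, regex filter, sed-style substitution, DEFAULT), applied to the default rule set from the table above. It assumes AD.RANGER-TEST as the default realm and uses constructed principals. It shows why the component count matters: rangerkms@AD.RANGER-TEST is handled by the first, one-component rule and becomes rangerkms, while the two-component rangerkms/host@AD.RANGER-TEST becomes keyadmin, and a principal from any other realm maps to nothing. Hadoop also accepts the rules run together without whitespace, as in the original default value; this version expects them whitespace-separated.

```python
import re
from typing import Optional

# The default value from the table above, one rule per line (realm is the page's example realm).
DEFAULT_RULES = """
RULE:[1:$1@$0](.*@AD.RANGER-TEST)s/@.*//
RULE:[2:$1@$0](hbase@AD.RANGER-TEST)s/.*/hbase/
RULE:[2:$1@$0](hdfs-namenode@AD.RANGER-TEST)s/.*/hdfs/
RULE:[2:$1@$0](hdfs-datanode@AD.RANGER-TEST)s/.*/hdfs/
RULE:[2:$1@$0](rangeradmin@AD.RANGER-TEST)s/.*/ranger/
RULE:[2:$1@$0](rangerkms@AD.RANGER-TEST)s/.*/keyadmin/
RULE:[2:$1@$0](rangertagsync@AD.RANGER-TEST)s/.*/rangertagsync/
RULE:[2:$1@$0](rangerusersync@AD.RANGER-TEST)s/.*/rangerusersync/
RULE:[2:$1@$0](hive@AD.RANGER-TEST)s/.*/hive/
RULE:[2:$1/$2@$0](yarn-resourcemanager/.*@AD.RANGER-TEST)s/.*/yarn/
RULE:[2:$1/$2@$0](yarn-nodemanager/.*@AD.RANGER-TEST)s/.*/yarn/
RULE:[2:$1/$2@$0](yarn/.*@AD.RANGER-TEST)s/.*/yarn/
RULE:[2:$1/$2@$0](mapreduce-historyserver/.*@AD.RANGER-TEST)s/.*/mapred/
DEFAULT
"""

# RULE:[<n>:<format>](<filter>)s/<from>/<to>/[g][/L]; the filter and the sed part are optional.
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?(/L)?")
# Hadoop's default name-mapping mechanism refuses results that still contain '/' or '@'.
NON_SIMPLE = re.compile(r"[/@]")


def parse_rules(text: str) -> list:
    """Parse whitespace-separated rules; DEFAULT is represented as None."""
    rules = []
    for token in text.split():
        if token == "DEFAULT":
            rules.append(None)
            continue
        m = RULE_RE.fullmatch(token)
        if not m:
            raise ValueError(f"malformed rule: {token}")
        n, fmt, flt, frm, to, repeat, lower = m.groups()
        # Java replacement back-references ($1) become Python ones (\1).
        to = re.sub(r"\$(\d)", r"\\\1", to) if to is not None else None
        rules.append((int(n), fmt,
                      re.compile(flt) if flt is not None else None,
                      re.compile(frm) if frm is not None else None,
                      to, bool(repeat), bool(lower)))
    return rules


def map_principal(principal: str, rules: list, default_realm: str) -> Optional[str]:
    """Local user name for principal, or None if no rule applies (Hadoop fails the login)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    params = [realm] + components  # $0 = realm, $1 = first component, $2 = second component
    for rule in rules:
        if rule is None:  # DEFAULT: bare first component, accepted only for the default realm
            if realm == default_realm:
                return components[0]
            continue
        n, fmt, flt, frm, to, repeat, lower = rule
        if len(components) != n:  # [n:...] only considers principals with exactly n components
            continue
        try:
            base = re.sub(r"\$(\d)", lambda m: params[int(m.group(1))], fmt)
        except IndexError:
            raise ValueError(f"format {fmt!r} references a missing component of {principal}")
        if flt is not None and not flt.fullmatch(base):  # Java matches(): whole string
            continue
        result = base if frm is None else frm.sub(to, base, count=0 if repeat else 1)
        if NON_SIMPLE.search(result):
            raise ValueError(f"non-simple name {result!r} produced for {principal}")
        return result.lower() if lower else result
    return None


if __name__ == "__main__":
    rules = parse_rules(DEFAULT_RULES)
    for p in ("rangerkms@AD.RANGER-TEST", "rangerkms/kms1.example.com@AD.RANGER-TEST",
              "yarn-nodemanager/node1.example.com@AD.RANGER-TEST", "alice@OTHER.REALM"):
        print(f"{p:52} -> {map_principal(p, rules, 'AD.RANGER-TEST')}")
```

Two details worth noticing when adapting the rules: the filter regexes leave the dots in the realm unescaped, so each dot is a wildcard rather than a literal, and a principal from a realm the rules do not mention is rejected outright rather than mapped, which is the behaviour you want for a multi-realm environment.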

ranger-kms-audit.xml
Parameter Description Default value

xasecure.audit.destination.solr.batch.filespool.dir

Sets the directory where the spool files are stored when the in-memory buffer is full

/srv/ranger/kms/audit_solr_spool

ranger-kms-security.xml
Parameter Description Default value

ranger.plugin.kms.policy.cache.dir

Directory where Ranger policies are cached after a successful retrieval from the source

/srv/ranger/kms/policycache

ranger-kms-site.xml
Parameter Description Default value

ranger.service.http.port

HTTP port for Ranger KMS

9292

ranger.service.https.port

HTTPS port for Ranger KMS

9393

ranger.service.shutdown.port

TCP port on which the embedded web server of Ranger KMS listens for the shutdown command used to stop the service gracefully (not an HTTP endpoint)

7085

ranger.contextName

Ranger web context

/kms

ranger.service.host

Ranger service host

localhost

Configure SSL KMS
Parameter Description Default value

ranger.https.attrib.keystore.file

Location of the keystore file

 — 

ranger.service.https.attrib.keystore.pass

Password for the keystore file

 — 

ranger.https.attrib.truststore.file

Location of the truststore file

 — 

ranger.service.https.attrib.truststore.pass

Password for the truststore file

 — 

ranger.service.https.attrib.client.auth

Defines whether the server asks clients for a certificate without requiring one. Possible values:

  • want — the server requests a client certificate but still accepts connections that present none (two-way SSL where a certificate is available). Client certificates presented by agents are validated; browser requests to the web application are not required to carry one.

  • false — one-way SSL; clients are not asked for a certificate.

The underlying Tomcat connector also understands true, which makes a valid client certificate mandatory on every connection, but that value is not among the ones offered here.

false

ranger.service.https.attrib.ssl.protocol

The enabled SSL protocol

TLSv1.2

Configure SSL Admin
Parameter Description Default value

ranger.https.attrib.keystore.file

Location of the keystore file

 — 

ranger.service.https.attrib.keystore.pass

Password for the keystore file

 — 

ranger.service.https.attrib.clientAuth

Defines whether the server asks clients for a certificate. Possible values:

  • want — the server requests a client certificate but still accepts connections that present none (two-way SSL where a certificate is available). Client certificates presented by agents are validated; browser requests to the web application are not required to carry one.

  • false — one-way SSL; clients are not asked for a certificate.

 — 

ranger.service.https.attrib.client.auth

Defines whether the server asks clients for a certificate without requiring one. Possible values:

  • want — the server requests a client certificate but still accepts connections that present none (two-way SSL where a certificate is available). Client certificates presented by agents are validated; browser requests to the web application are not required to carry one.

  • false — one-way SSL; clients are not asked for a certificate.

The underlying Tomcat connector also understands true, which makes a valid client certificate mandatory on every connection, but that value is not among the ones offered here.

false

ranger.service.https.attrib.ssl.protocol

The enabled SSL protocol

TLSv1.2

Configure SSL UGSINK
Parameter Description Default value

ranger.usersync.truststore.file

Location of the truststore file

 — 

ranger.usersync.truststore.password

Password for the truststore file

 — 

ranger.usersync.keystore.file

Location of the keystore file

 — 

ranger.usersync.keystore.password

Password for the keystore file

 — 

ranger.usersync.https.ssl.enabled.protocols

The SSL/TLS protocol versions the User synchronizer accepts. This overrides the broader list (SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2) shipped in ranger-ugsync-default.xml; keep the legacy versions disabled

TLSv1.2

kms-site.xml
Parameter Description Default value

hadoop.kms.authentication.kerberos.name.rules

Name resolution rules for Kerberos principals authenticating to Ranger KMS. Same syntax and ordering semantics as hadoop.security.auth_to_local in core-site.xml: rules are applied in order, the first match wins, and RULE:[n:format] applies only to principals with n components before the realm. AD.RANGER-TEST is an example realm that must be replaced with the real one. The default value is shown below with one rule per line

RULE:[1:$1@$0](.*@AD.RANGER-TEST)s/@.*//
RULE:[2:$1@$0](hbase@AD.RANGER-TEST)s/.*/hbase/
RULE:[2:$1@$0](hdfs-namenode@AD.RANGER-TEST)s/.*/hdfs/
RULE:[2:$1@$0](hdfs-datanode@AD.RANGER-TEST)s/.*/hdfs/
RULE:[2:$1@$0](rangeradmin@AD.RANGER-TEST)s/.*/ranger/
RULE:[2:$1@$0](rangerkms@AD.RANGER-TEST)s/.*/keyadmin/
RULE:[2:$1@$0](rangertagsync@AD.RANGER-TEST)s/.*/rangertagsync/
RULE:[2:$1@$0](rangerusersync@AD.RANGER-TEST)s/.*/rangerusersync/
RULE:[2:$1@$0](hive@AD.RANGER-TEST)s/.*/hive/
RULE:[2:$1/$2@$0](yarn-resourcemanager/.*@AD.RANGER-TEST)s/.*/yarn/
RULE:[2:$1/$2@$0](yarn-nodemanager/.*@AD.RANGER-TEST)s/.*/yarn/
RULE:[2:$1/$2@$0](yarn/.*@AD.RANGER-TEST)s/.*/yarn/
RULE:[2:$1/$2@$0](mapreduce-historyserver/.*@AD.RANGER-TEST)s/.*/mapred/
DEFAULT

hadoop.kms.authentication.zk-dt-secret-manager.enable

Whether to use ZKDelegationTokenSecretManager to persist TokenIdentifiers and DelegationKeys in ZooKeeper

false

hadoop.kms.authentication.zk-dt-secret-manager.zkConnectionString

The ZooKeeper connection string, a comma-separated list of hostnames and ports

 — 

hadoop.kms.authentication.zk-dt-secret-manager.znodeWorkingPath

The ZooKeeper znode path, where the KMS instances will store and retrieve the secret from. All the KMS instances that need to coordinate should point to the same path

 — 

hadoop.kms.authentication.zk-dt-secret-manager.zkAuthType

The ZooKeeper authentication type. Possible values: none (default) or sasl (Kerberos)

none

hadoop.kms.authentication.zk-dt-secret-manager.kerberos.keytab

The absolute path for the Kerberos keytab with the credentials to connect to ZooKeeper. This parameter is effective only when hadoop.kms.authentication.zk-dt-secret-manager.zkAuthType is set to sasl

 — 

hadoop.kms.authentication.signer.secret.provider

Indicates how the secret to sign the authentication cookies will be stored. Possible values: random (default), string, and zookeeper. If using a setup with multiple KMS instances, zookeeper should be used

random

hadoop.kms.authentication.signer.secret.provider.zookeeper.connection.string

The ZooKeeper connection string, a comma-separated list of hostnames and ports

 — 

hadoop.kms.authentication.signer.secret.provider.zookeeper.path

The ZooKeeper znode path where the KMS instances will store and retrieve the secret from. All the KMS instances that need to coordinate should point to the same path

 — 

ranger-ugsync-site.xml
Parameter Description Default value

ranger.usersync.port

Port for Unix authentication service

5151

ranger.usersync.role.assignment.list.delimiter

Delimiter that separates one role assignment entry (role, member type, member list) from the next when syncing role assignments to Ranger Admin

&

ranger.usersync.sleeptimeinmillisbetweensynccycle

Sleep interval (in milliseconds) between two user sync cycles

 — 

ranger.usersync.unix.minGroupId

Minimum group ID to start syncing from. This parameter is used to avoid syncing UNIX system-level groups into Ranger Admin

500

ranger.usersync.unix.minUserId

Minimum User ID to start syncing. This parameter is used to avoid syncing of UNIX system-level users in the Ranger Admin

500

ranger.usersync.username.groupname.assignment.list.delimiter

Delimiter to use while syncing users and groups in Ranger Admin

,

ranger.usersync.users.groups.assignment.list.delimiter

Delimiter to use while syncing users and groups with specified roles in Ranger Admin. This delimiter separates the users and groups from respective roles

:

NOTE
The delimiters must not be characters that can occur in a user name or group name, because a name containing a delimiter is split at that character and the wrong names end up assigned to a role.

The ranger.usersync.role.assignment.list.delimiter parameter is used as delimiter for roles. Check the example below.

ROLE_SYS_ADMIN:u:username01,username02&ROLE_KEY_ADMIN:g:groupname01

In this example, the assignments for the roles ROLE_SYS_ADMIN and ROLE_KEY_ADMIN in Ranger Admin are separated by the & delimiter.

The ranger.usersync.username.groupname.assignment.list.delimiter parameter is used as a delimiter to differentiate between two or more users and groups. Check the example below.

ROLE_SYS_ADMIN:u:username01,username02

In this example, the users username01 and username02 are separated by the , delimiter.

The ranger.usersync.users.groups.assignment.list.delimiter is used as a delimiter to differentiate between users and groups from respective roles. Check the example below.

ROLE_SYS_ADMIN:u:username01,username02&ROLE_SYS_ADMIN:g:groupname01,groupname02

In this example, ROLE_SYS_ADMIN is a role, and u denotes the list of users followed by actual usernames, which are username01 and username02. The g is used to indicate the list of groups followed by actual group names, which are groupname01 and groupname02.
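The following Python script is an added example, not Ranger’s own parser. It splits an assignment string with the three delimiters above, builds such a string back from a mapping, and refuses any role or name that contains one of the delimiters, which is the check behind the note above. The input strings are the ones shown in the examples; the rejected name "Smith, John" is constructed to show the failure mode.

```python
# Delimiter defaults from the ranger-ugsync-site.xml table above.
ROLE_DELIM = "&"    # ranger.usersync.role.assignment.list.delimiter
NAME_DELIM = ","    # ranger.usersync.username.groupname.assignment.list.delimiter
FIELD_DELIM = ":"   # ranger.usersync.users.groups.assignment.list.delimiter

KIND_TO_KEY = {"u": "users", "g": "groups"}


def parse_role_assignments(rules, role_delim=ROLE_DELIM, name_delim=NAME_DELIM,
                           field_delim=FIELD_DELIM):
    """Split 'ROLE:u:a,b&ROLE:g:x' into {role: {"users": [...], "groups": [...]}}."""
    result = {}
    for entry in rules.split(role_delim):
        if not entry:
            continue
        parts = entry.split(field_delim)
        if len(parts) != 3:
            raise ValueError(f"expected ROLE{field_delim}u|g{field_delim}names, got {entry!r}")
        role, kind, names = parts
        if kind not in KIND_TO_KEY:
            raise ValueError(f"member type must be u or g in {entry!r}")
        bucket = result.setdefault(role, {"users": [], "groups": []})
        bucket[KIND_TO_KEY[kind]].extend(n for n in names.split(name_delim) if n)
    return result


def build_role_assignments(assignments, role_delim=ROLE_DELIM, name_delim=NAME_DELIM,
                           field_delim=FIELD_DELIM):
    """Inverse of parse_role_assignments. Refuses a role or name that contains a delimiter,
    because the next parse would split it in the wrong place and grant the wrong role."""
    delims = (role_delim, name_delim, field_delim)
    entries = []
    for role, members in assignments.items():
        for kind, key in KIND_TO_KEY.items():
            names = members.get(key, [])
            if not names:
                continue
            for token in (role, *names):
                if any(d in token for d in delims):
                    raise ValueError(f"{token!r} contains one of the delimiters {delims}")
            entries.append(field_delim.join((role, kind, name_delim.join(names))))
    return role_delim.join(entries)


if __name__ == "__main__":
    parsed = parse_role_assignments(
        "ROLE_SYS_ADMIN:u:username01,username02&ROLE_KEY_ADMIN:g:groupname01")
    print(parsed)
    print(build_role_assignments(parsed))
```

If the directory contains display names with commas or ampersands, either change the corresponding delimiter to a character that cannot appear in names or normalise the names before they reach this string; the builder above makes the problem visible instead of silently producing a rule that assigns ROLE_SYS_ADMIN to a fragment of a name.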

ranger-ugsync-default.xml
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<!--
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License. See accompanying LICENSE file.
-->

<!-- Put site-specific property overrides in this file. -->

<configuration>
	<property>
		<name>ranger.usersync.port</name>
                <value>5151</value>
	</property>
	<property>
		<name>ranger.usersync.ssl</name>
		<value>true</value>
	</property>
	<property>
		<name>ranger.usersync.https.ssl.enabled.protocols</name>
		<value>SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2</value>
	</property>
	<property>
		<name>ranger.usersync.passwordvalidator.path</name>
		<value>./native/credValidator.uexe</value>
	</property>
	<property>
		<name>ranger.usersync.enabled</name>
		<value>true</value>
	</property>
	<property>
		<name>ranger.usersync.policymanager.maxrecordsperapicall</name>
		<value>1000</value>
	</property>
	<property>
		<name>ranger.usersync.policymanager.mockrun</name>
		<value>false</value>
	</property>
	<property>
		<name>ranger.usersync.unix.minUserId</name>
		<value>500</value>
	</property>
	<property>
		<name>ranger.usersync.unix.minGroupId</name>
		<value>0</value>
	</property>
	<property>
		<name>ranger.usersync.ldap.username.caseconversion</name>
		<value>none</value>
	</property>
	<property>
		<name>ranger.usersync.ldap.groupname.caseconversion</name>
		<value>none</value>
	</property>
	<property>
		<name>ranger.usersync.logdir</name>
		<value>./log</value>
	</property>
	<property>
		<name>ranger.usersync.cookie.enabled</name>
		<value>true</value>
	</property>
</configuration>
LDAP sync source for User synchronizer
Parameter Description Default value

ranger.usersync.ldap.binddn

Full distinguished name (DN) of the LDAP account the User synchronizer binds as to search for users and groups

 — 

ranger.usersync.ldap.deltasync

LDAP delta sync flag used to periodically sync users and groups based on the updates in the server

true

ranger.usersync.ldap.groupname.caseconversion

Controls how to convert group names. Possible values: lower, upper, and none

lower

LDAP bind password

Password for the LDAP bind user

 — 

ranger.usersync.ldap.referral

Indicates how to handle LDAP referrals. Possible values are:

  • follow — use if multiple LDAP servers are configured to return continuation references for results.

  • ignore — use if no referrals should be followed.

ignore

ranger.usersync.ldap.searchBase

Search base for the users and groups

rangerkms

ranger.usersync.ldap.url

LDAP server URL

ranger

ranger.usersync.ldap.user.groupnameattribute

LDAP user group name attribute

memberof,ismemberof

ranger.usersync.ldap.user.nameattribute

LDAP user name attribute

cn

ranger.usersync.ldap.user.objectclass

LDAP User Object Class

person

ranger.usersync.ldap.user.searchbase

Search base for the users

 — 

ranger.usersync.ldap.user.searchfilter

Optional additional filter constraining the users selected for syncing

 — 

ranger.usersync.ldap.user.searchscope

Search scope for the users. Possible values are:

  • base — only the entry specified as the search base in ranger.usersync.ldap.user.searchbase should be included.

  • one — only the direct children of the entry specified as the search base in ranger.usersync.ldap.user.searchbase should be included.

  • sub — the entry specified as the search base in ranger.usersync.ldap.user.searchbase and all of its descendants at any depth should be included.

 — 

ranger.usersync.ldap.username.caseconversion

Controls how to convert usernames. Possible values: lower, upper, and none

lower

ranger.usersync.group.searchenabled

Whether Usersync should use ldapsearch to find groups instead of relying on user entry attributes

 — 

ranger.usersync.group.search.first.enabled

Whether to get users using the 'member' attribute of the group

true

ranger.usersync.group.usermapsyncenabled

Whether to do the ldapsearch to find groups instead of relying on user entry attributes and sync memberships of those groups

false

ranger.usersync.group.memberattributename

LDAP group member attribute name

member

ranger.usersync.group.nameattribute

LDAP group name attribute

cn

ranger.usersync.group.objectclass

LDAP Group object class

groupofnames

ranger.usersync.group.searchbase

Search base for the groups

 — 

ranger.usersync.group.searchfilter

Optional additional filter constraining the groups selected for syncing

 — 

ranger.usersync.group.searchscope

Search scope for the groups. Possible values are:

  • base — only the entry specified as the search base in ranger.usersync.group.searchbase should be included.

  • one — only the direct children of the entry specified as the search base in ranger.usersync.group.searchbase should be included.

  • sub — the entry specified as the search base in ranger.usersync.group.searchbase and all of its descendants at any depth should be included.

 — 

The ranger.usersync.ldap.binddn parameter is used to set the DN, including the common name (CN) of an LDAP user account that has privileges to search for users. This can be a read-only LDAP user. Check the example below.

cn=admin,dc=example,dc=com

The ranger.usersync.ldap.searchBase parameter is used to set the search base for users and groups. Multiple values can be separated with ; (semicolon). Check the example below.

dc=hadoop,dc=arenadata,dc=tech

The ranger.usersync.ldap.url parameter is used to set the URL of the LDAP server. Check the example below.

ldaps://localhost:8000
ldap://localhost:8080

The ranger.usersync.ldap.user.groupnameattribute parameter is set in the same way as the username attribute. Check the example below.

memberOf in AD, memberof,ismemberof in OpenLDAP

The ranger.usersync.ldap.user.nameattribute parameter is used to set the LDAP username attribute. Check the example below.

sAMAccountName in AD, uid or cn in OpenLDAP

NOTE
sAMAccountName is a logon account name in SAM, which is needed for compatibility with pre-Windows 2000 systems. cn is a common user name that consists of the first name, middle name, and last name.

The ranger.usersync.ldap.user.searchbase parameter is used to set the search base for users. Multiple values can be separated with ; (semicolon).

CAUTION
The value of ranger.usersync.ldap.user.searchbase overrides the value specified in ranger.usersync.ldap.searchBase.

Check the example below.

ou=users,dc=hadoop,dc=arenadata,dc=tech
cn=users,dc=example,dc=com;ou=example1,ou=example2

The ranger.usersync.group.searchbase parameter is used to specify the search base for groups. Multiple values can be separated with ; (semicolon). If a value is not specified, it takes the value of ranger.usersync.ldap.searchBase. If ranger.usersync.ldap.searchBase is also not specified, it takes the value of ranger.usersync.ldap.user.searchbase.

CAUTION
The value of ranger.usersync.group.searchbase overrides the values specified in ranger.usersync.ldap.searchBase and ranger.usersync.ldap.user.searchbase.

Check the example below.

ou=groups,dc=hadoop,dc=apache,dc=org
ou=groups,DC=example,DC=com;ou=group1,ou=group2
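How the three search-base parameters combine is easy to get wrong, so here is an added Python example (not part of the ADPS documentation or of Ranger itself) that applies the precedence described above to a ranger-ugsync-site.xml style property list: the user base overrides ranger.usersync.ldap.searchBase, and the group base falls back first to ranger.usersync.ldap.searchBase and then to the user base. The property names are the real ones from the tables above; the sample file content and the DNs in it are constructed, and the "looks like a DN" check is an assumption added here for catching pasted hostnames.

```python
"""Resolve the effective Ranger Usersync search bases (added example).

Applies the override/fallback rules documented for
ranger.usersync.ldap.searchBase, ranger.usersync.ldap.user.searchbase and
ranger.usersync.ldap.group.searchbase to a Hadoop-style <property> file.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Real ranger-ugsync-site.xml property names.
COMMON_BASE = "ranger.usersync.ldap.searchBase"
USER_BASE = "ranger.usersync.ldap.user.searchbase"
GROUP_BASE = "ranger.usersync.ldap.group.searchbase"

# Constructed sample in the Ranger <property> layout; not a real deployment file.
SAMPLE_UGSYNC_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>ranger.usersync.ldap.searchBase</name>
    <value>dc=hadoop,dc=arenadata,dc=tech</value>
  </property>
  <property>
    <name>ranger.usersync.ldap.user.searchbase</name>
    <value>ou=users,dc=hadoop,dc=arenadata,dc=tech;cn=users,dc=example,dc=com</value>
  </property>
  <property>
    <name>ranger.usersync.ldap.group.searchbase</name>
    <value></value>
  </property>
</configuration>
"""


def load_properties(xml_text: str) -> Dict[str, str]:
    """Read <property><name/><value/></property> pairs into a dict."""
    root = ET.fromstring(xml_text)
    props: Dict[str, str] = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name", default="") or "").strip()
        value = prop.findtext("value", default="") or ""
        if name:
            props[name] = value.strip()
    return props


def split_bases(value: str) -> List[str]:
    """Split a ';'-separated search base list, dropping blanks and whitespace."""
    return [part.strip() for part in (value or "").split(";") if part.strip()]


def first_nonempty(props: Dict[str, str], keys: List[str]) -> List[str]:
    """Return the bases of the first key in precedence order that has a value."""
    for key in keys:
        bases = split_bases(props.get(key, ""))
        if bases:
            return bases
    return []


def resolve_search_bases(props: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (user_bases, group_bases) following the documented precedence.

    Users:  ranger.usersync.ldap.user.searchbase overrides ranger.usersync.ldap.searchBase.
    Groups: ranger.usersync.ldap.group.searchbase overrides both; otherwise
            ranger.usersync.ldap.searchBase, otherwise the user search base.
    """
    users = first_nonempty(props, [USER_BASE, COMMON_BASE])
    groups = first_nonempty(props, [GROUP_BASE, COMMON_BASE, USER_BASE])
    return users, groups


def suspicious_bases(bases: List[str]) -> List[str]:
    """Flag entries without an 'attr=value' component (assumed sanity check,
    e.g. a server hostname pasted where a DN was expected)."""
    return [b for b in bases if "=" not in b]


if __name__ == "__main__":
    cfg = load_properties(SAMPLE_UGSYNC_SITE)
    user_bases, group_bases = resolve_search_bases(cfg)
    print("effective user search bases :", user_bases)
    print("effective group search bases:", group_bases)
    print("suspicious entries          :", suspicious_bases(user_bases + group_bases))
```

With the constructed sample, users are searched under the two bases listed in ranger.usersync.ldap.user.searchbase, while groups, whose own base is empty, fall back to the common dc=hadoop,dc=arenadata,dc=tech base rather than to the user base.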

LDAP sync source for Ranger Admin authentication
Parameter Description Default value

ranger.ldap.url

The LDAP server URL

 — 

ranger.ldap.bind.dn

The full distinguished name (DN) of an LDAP user to bind to

 — 

ranger.ldap.bind.password

The password for an LDAP user to bind to

 — 

ranger.ldap.base.dn

The distinguished name of the start for directory server searches

 — 

ranger.ldap.group.searchbase

The LDAP group search base

 — 

ranger.ldap.group.searchfilter

The LDAP group search filter

 — 

ranger.ldap.group.roleattribute

The LDAP group role attribute

 — 

ranger.ldap.user.searchfilter

The LDAP user search filter

 — 

ranger.ldap.user.dnpattern

The LDAP user DN

 — 

ranger.ldap.referral

Indicates how to handle LDAP referrals. Possible values are:

  • follow — use if multiple LDAP servers are configured to return continuation references for results.

  • ignore — use if no referrals should be followed.

  • throw — use if all the standard entries are returned to the enumeration first before the ReferralException is thrown.

ignore

Active Directory sync source for Ranger Admin authentication
Parameter Description Default value

ranger.ldap.ad.url

The Active Directory server URL

 — 

ranger.ldap.ad.bind.dn

The full distinguished name (DN) of an AD user to bind to

 — 

ranger.ldap.ad.bind.password

The password for an LDAP user to bind to

 — 

ranger.ldap.ad.base.dn

The Distinguished Name of the start for directory server searches

 — 

ranger.ldap.ad.domain

Server domain name (or IP address) where the ranger-usersync module is running (along with the AD Authentication Service)

 — 

ranger.ldap.ad.user.searchfilter

Search filter for Bind Authentication

sAMAccountName={0}

ranger.ldap.ad.referral

Indicates how to handle AD referrals. There are three possible values:

  • follow — use if multiple AD servers are configured to return continuation references for results.

  • ignore — use if no referrals should be followed. PartialResultException is returned if any referrals are encountered during result processing.

  • throw — use if all the standard entries are returned in the enumeration first before the ReferralException is thrown.

ignore

Other
Parameter Description Default value

Custom dbks-site.xml

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the dbks-site.xml configuration file

 — 

Custom ranger-admin-site.xml

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-admin-site.xml configuration file

 — 

Custom core-site.xml

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the core-site.xml configuration file

 — 

Custom ranger-kms-audit.xml

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-kms-audit.xml configuration file

 — 

Custom ranger-kms-security.xml

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-kms-security.xml configuration file

 — 

Custom ranger-kms-site.xml

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-kms-site.xml configuration file

 — 

Custom kms-site.xml

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the kms-site.xml configuration file

 — 

Custom ranger-kms-policymgr-ssl.xml

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-kms-policymgr-ssl.xml configuration file

 — 

Custom ranger-ugsync-site.xml

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-ugsync-site.xml configuration file

 — 

 
Each Ranger component has its own logging settings which are described below.

Ranger Admin
Parameter Description Default value

logback.xml

A file with logging settings for Ranger Admin

logback.xml

ranger-admin-env.sh

A command that sets the RANGER_ADMIN_LOGBACK_CONF_FILE environment variable

export RANGER_ADMIN_LOGBACK_CONF_FILE="/etc/ranger/admin/conf/logback.xml"

Ranger KMS
Parameter Description Default value

logback.xml

A file with logging settings for Ranger KMS

logback.xml

Ranger User synchronizer
Parameter Description Default value

logback.xml

A file with logging settings for Ranger User synchronizer

logback.xml

Solr

solr-env.sh
Parameter Description Default value

SOLR_HOME

The location for index data and configs

/srv/solr/server

SOLR_AUTH_TYPE

Specifies the authentication type for Solr

 — 

SOLR_AUTHENTICATION_OPTS

Autogenerated Solr authentication options

 — 

SOLR_AUTHENTICATION_OPTS_CUSTOM

Custom Solr authentication options

 — 

GC_TUNE

JVM parameters for Solr

-XX:-UseLargePages

SOLR_SSL_KEY_STORE

The path to the Solr keystore file (.jks)

 — 

SOLR_SSL_KEY_STORE_TYPE

The type of the Solr keystore file

JKS

SOLR_SSL_KEY_STORE_PASSWORD

The password to the Solr keystore file

 — 

SOLR_SSL_TRUST_STORE

The path to the Solr truststore file (.jks)

 — 

SOLR_SSL_TRUST_STORE_TYPE

The type of the Solr truststore file

JKS

SOLR_SSL_TRUST_STORE_PASSWORD

The password to the Solr truststore file

 — 

SOLR_SSL_NEED_CLIENT_AUTH

Defines if client authentication is enabled

False

SOLR_SSL_WANT_CLIENT_AUTH

Allows clients to authenticate with a certificate but does not require it

false

SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION

Defines whether to enable hostname verification

False

SOLR_HOST

Specifies the host name of the Solr server

host_fqdn

LOG4J_PROPS

Path to a custom log4j configuration file

/etc/solr/conf/log4j2.xml,/etc/solr/conf/log4j2-console.xml

solr.xml
<solr>

  <solrcloud>
    <str name="host">${host:}</str>
    <int name="hostPort">${jetty.port:}</int>
    <str name="hostContext">${hostContext:solr}</str>
    <bool name="genericCoreNodeNames">${genericCoreNodeNames:true}</bool>
    <int name="zkClientTimeout">${zkClientTimeout:30000}</int>
    <int name="distribUpdateSoTimeout">${distribUpdateSoTimeout:600000}</int>
    <int name="distribUpdateConnTimeout">${distribUpdateConnTimeout:60000}</int>
    <str name="zkCredentialsProvider">${zkCredentialsProvider:org.apache.solr.common.cloud.DefaultZkCredentialsProvider}</str>
    <str name="zkACLProvider">${zkACLProvider:org.apache.solr.common.cloud.DefaultZkACLProvider}</str>
  </solrcloud>

  <shardHandlerFactory name="shardHandlerFactory"
    class="HttpShardHandlerFactory">
    <int name="socketTimeout">${socketTimeout:600000}</int>
    <int name="connTimeout">${connTimeout:60000}</int>
  </shardHandlerFactory>

</solr>

External zookeeper
Parameter Description Default value

ZK_HOST

Comma-separated locations of all servers in the ensemble and the ports on which they communicate. You can put ZooKeeper chroot at the end of your ZK_HOST connection string. For example, host1.mydomain.com:2181,host2.mydomain.com:2181,host3.mydomain.com:2181/solr

 — 

The external zookeeper is kerberized

Indicates whether the external ZooKeeper is kerberized

false

Solr server heap memory settings
Parameter Description Default value

Solr Server Heap Memory

Sets initial (-Xms) and maximum (-Xmx) Java heap size for Solr Server

-Xms512m -Xmx512m

Solr collections ttl settings
Parameter Description Default value

collection_name

Solr collection name

ranger_audits

ttl

Time to live

+90DAYS

auto_delete_period

Interval at which the collection deletes records whose lifetime exceeds the TTL

86400

Credential encryption
Parameter Description Default value

Credstore password

Encryption provider password

 — 

Credstore options

The way to store encryption provider password. Possible values: no password or password in the environment

password in the environment

Credential provider path

Credential provider path. Required for creating and reading jceks

jceks://file/etc/solr/conf/solr.jceks

Ranger plugin credential provider path

Credential provider path for the Ranger plugin

jceks://file/etc/solr/conf/ranger-solr.jceks

Custom jceks

Indicates whether to use your own credential store instead of the default one

false

ranger-solr-audit.xml
Parameter Description Default value

xasecure.audit.solr.solr_url

A path to a Solr collection to store audit logs

 — 

xasecure.audit.solr.async.max.queue.size

The maximum size of internal queue used for storing audit logs

1

xasecure.audit.solr.async.max.flush.interval.ms

The maximum time interval between flushes to disk (in milliseconds)

100

ranger.solr.plugin.audit.excluded.users

Forbids access to Ranger audit logs for the listed users

HTTP,rangeradmin,rangerkms

ranger-solr-security.xml
Parameter Description Default value

ranger.plugin.solr.policy.rest.url

The URL to Ranger Admin

 — 

ranger.plugin.solr.service.name

The name of the Ranger service containing policies for this instance

 — 

ranger.plugin.solr.policy.cache.dir

The directory where Ranger policies are cached after successful retrieval from the source

/srv/ranger/yarn/policycache

ranger.plugin.solr.policy.pollIntervalMs

Defines how often to poll for changes in policies

30000

ranger.plugin.solr.policy.rest.client.connection.timeoutMs

The Solr Plugin RangerRestClient connection timeout (in milliseconds)

120000

ranger.plugin.solr.policy.rest.client.read.timeoutMs

The Solr Plugin RangerRestClient read timeout (in milliseconds)

30000

ranger-solr-policymgr-ssl.xml
Parameter Description Default value

xasecure.policymgr.clientssl.keystore

The path to the keystore file used by Ranger

 — 

xasecure.policymgr.clientssl.keystore.credential.file

The path to the keystore credentials file

/usr/lib/solr/server/resources/ranger-solr.jceks

xasecure.policymgr.clientssl.truststore.credential.file

The path to the truststore credentials file

/usr/lib/solr/server/resources/ranger-solr.jceks

xasecure.policymgr.clientssl.truststore

The path to the truststore file used by Ranger

 — 

xasecure.policymgr.clientssl.keystore.password

The password to the keystore file

 — 

xasecure.policymgr.clientssl.truststore.password

The password to the truststore file

 — 

Other
Parameter Description Default value

Ranger plugin enabled

Enables the Ranger plugin

false

Custom solr-env.sh

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the solr-env.sh configuration file

 — 

 
The logging settings for Solr are part of the Solr Server component configuration, which is presented below.

log4j2.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->

<!-- Configuration for asynchronous logging -->
<Configuration>
  <Appenders>

    <Console name="STDOUT" target="SYSTEM_OUT">
      <PatternLayout>
        <Pattern>
          %maxLen{%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p (%t) [%X{collection} %X{shard} %X{replica} %X{core}] %c{1.} %m%notEmpty{ =>%ex{short}}}{10240}%n
        </Pattern>
      </PatternLayout>
    </Console>

    <RollingRandomAccessFile
        name="MainLogFile"
        fileName="/var/log/solr/solr.log"
        filePattern="/var/log/solr/solr.log.%i" >
      <PatternLayout>
        <Pattern>
          %maxLen{%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p (%t) [%X{collection} %X{shard} %X{replica} %X{core}] %c{1.} %m%notEmpty{ =>%ex{short}}}{10240}%n
        </Pattern>
      </PatternLayout>
      <Policies>
        <OnStartupTriggeringPolicy />
        <SizeBasedTriggeringPolicy size="32 MB"/>
      </Policies>
      <DefaultRolloverStrategy max="10"/>
    </RollingRandomAccessFile>

    <RollingRandomAccessFile
        name="SlowLogFile"
        fileName="/var/log/solr/solr_slow_requests.log"
        filePattern="/var/log/solr/solr_slow_requests.log.%i" >
      <PatternLayout>
        <Pattern>
          %maxLen{%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p (%t) [%X{collection} %X{shard} %X{replica} %X{core}] %c{1.} %m%notEmpty{ =>%ex{short}}}{10240}%n
        </Pattern>
      </PatternLayout>
      <Policies>
        <OnStartupTriggeringPolicy />
        <SizeBasedTriggeringPolicy size="32 MB"/>
      </Policies>
      <DefaultRolloverStrategy max="10"/>
    </RollingRandomAccessFile>

  </Appenders>
  <Loggers>
    <AsyncLogger name="org.apache.hadoop" level="warn"/>
    <AsyncLogger name="org.apache.solr.update.LoggingInfoStream" level="off"/>
    <AsyncLogger name="org.apache.zookeeper" level="warn"/>
    <AsyncLogger name="org.apache.solr.core.SolrCore.SlowRequest" level="info" additivity="false">
      <AppenderRef ref="SlowLogFile"/>
    </AsyncLogger>

    <AsyncRoot level="info">
      <AppenderRef ref="MainLogFile"/>
      <AppenderRef ref="STDOUT"/>
    </AsyncRoot>
  </Loggers>
</Configuration>

<!-- Configuration for synchronous logging
     there _may_ be a very small window where log messages will not be flushed
     to the log file on abnormal shutdown. If even this risk is unacceptable, use
     the configuration below
-->
<!--Configuration>
  <Appenders>

    <Console name="STDOUT" target="SYSTEM_OUT">
      <PatternLayout>
        <Pattern>
          %d{yyyy-MM-dd HH:mm:ss.SSS} %-5p (%t) [%X{collection} %X{shard} %X{replica} %X{core}] %c{1.} %m%n
        </Pattern>
      </PatternLayout>
    </Console>

    <RollingFile
        name="RollingFile"
        fileName="${sys:solr.log.dir}/solr.log"
        filePattern="${sys:solr.log.dir}/solr.log.%i" >
      <PatternLayout>
        <Pattern>
          %d{yyyy-MM-dd HH:mm:ss.SSS} %-5p (%t) [%X{collection} %X{shard} %X{replica} %X{core}] %c{1.} %m%n
        </Pattern>
      </PatternLayout>
      <Policies>
        <OnStartupTriggeringPolicy />
        <SizeBasedTriggeringPolicy size="32 MB"/>
      </Policies>
      <DefaultRolloverStrategy max="10"/>
    </RollingFile>

    <RollingFile
        name="SlowFile"
        fileName="${sys:solr.log.dir}/solr_slow_requests.log"
        filePattern="${sys:solr.log.dir}/solr_slow_requests.log.%i" >
      <PatternLayout>
        <Pattern>
          %d{yyyy-MM-dd HH:mm:ss.SSS} %-5p (%t) [%X{collection} %X{shard} %X{replica} %X{core}] %c{1.} %m%n
        </Pattern>
      </PatternLayout>
      <Policies>
        <OnStartupTriggeringPolicy />
        <SizeBasedTriggeringPolicy size="32 MB"/>
      </Policies>
      <DefaultRolloverStrategy max="10"/>
    </RollingFile>

  </Appenders>
  <Loggers>
    <Logger name="org.apache.hadoop" level="warn"/>
    <Logger name="org.apache.solr.update.LoggingInfoStream" level="off"/>
    <Logger name="org.apache.zookeeper" level="warn"/>
    <Logger name="org.apache.solr.core.SolrCore.SlowRequest" level="info" additivity="false">
      <AppenderRef ref="SlowFile"/>
    </Logger>

    <Root level="info">
      <AppenderRef ref="RollingFile"/>
      <AppenderRef ref="STDOUT"/>
    </Root>
  </Loggers>
</Configuration-->

log4j2-console.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->

<!-- Use this file for logging exclusively to the console, useful for
     some development tasks. Should not be used for production -->
<!-- Default production configuration is asynchronous logging -->
<Configuration>
  <Appenders>
    <Console name="STDERR" target="SYSTEM_ERR">
      <PatternLayout>
        <Pattern>
          %maxLen{%-5p - %d{yyyy-MM-dd HH:mm:ss.SSS}; %c; %m%notEmpty{ =>%ex{short}}}{10240}%n
        </Pattern>
      </PatternLayout>
    </Console>
  </Appenders>
  <Loggers>
    <!-- Use <AsyncLogger/<AsyncRoot and <Logger/<Root for asynchronous logging or synchronous logging respectively -->
    <AsyncLogger name="org.apache.zookeeper" level="ERROR"/>
    <AsyncLogger name="org.apache.hadoop" level="WARN"/>

    <AsyncRoot level="INFO">
      <AppenderRef ref="STDERR"/>
    </AsyncRoot>
  </Loggers>
</Configuration>

Enable custom ulimits
[Manager]
DefaultLimitCPU=
DefaultLimitFSIZE=
DefaultLimitDATA=
DefaultLimitSTACK=
DefaultLimitCORE=
DefaultLimitRSS=
DefaultLimitNOFILE=
DefaultLimitAS=
DefaultLimitNPROC=
DefaultLimitMEMLOCK=
DefaultLimitLOCKS=
DefaultLimitSIGPENDING=
DefaultLimitMSGQUEUE=
DefaultLimitNICE=
DefaultLimitRTPRIO=
DefaultLimitRTTIME=

ZooKeeper

Main
Parameter Description Default value

connect

The ZooKeeper connection string used by other services or clusters. It is generated automatically

 — 

dataDir

The location where ZooKeeper stores the in-memory database snapshots and, unless specified otherwise, the transaction log of updates to the database

/var/lib/zookeeper

zoo.cfg
Parameter Description Default value

clientPort

The port to listen for client connections, that is the port that clients attempt to connect to

2181

admin.serverPort

The port that an embedded Jetty server listens on

5181

admin.enableServer

Enables Admin server — an embedded Jetty server that provides an HTTP interface to the four-letter-word commands

False

tickTime

The basic time unit used by ZooKeeper (in milliseconds). It is used for heartbeats. The minimum session timeout will be twice the tickTime

2000

initLimit

The timeout that ZooKeeper uses to limit how long the servers in the quorum may take to connect to the leader

5

syncLimit

Defines how far out of date a server may be relative to the leader

2

maxClientCnxns

This property limits the number of active connections from the host, specified by IP address, to a single ZooKeeper Server

0

autopurge.snapRetainCount

When enabled, ZooKeeper auto-purge feature retains the autopurge.snapRetainCount most recent snapshots and the corresponding transaction logs in the dataDir and dataLogDir respectively and deletes the rest. The minimum value is 3

3

autopurge.purgeInterval

The time interval (in hours) at which the purge task is triggered. Set to a positive integer (1 and above) to enable auto-purging

24

Add key,value

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the configuration file zoo.cfg

 — 

SSL configuration
Parameter Description Default value

sslQuorum

Enables encrypted quorum communication

False

serverCnxnFactory

Specifies ServerCnxnFactory implementation. To use TLS-based server communication, this should be set to NettyServerCnxnFactory

org.apache.zookeeper.server.NettyServerCnxnFactory

ssl.quorum.keyStore.location

Fully-qualified path to the server keystore file

 — 

ssl.quorum.keyStore.password

Password for keystore

 — 

ssl.quorum.trustStore.location

Fully-qualified path to the server truststore file

 — 

ssl.quorum.trustStore.password

Password for truststore

 — 

ssl.protocol

Protocol to be used in client TLS negotiation

TLSv1.2

ssl.quorum.protocol

Protocol to be used in quorum TLS negotiation

TLSv1.2

zookeeper-env.sh
Parameter Description Default value

ZOO_LOG_DIR

The directory to store logs

/var/log/zookeeper

ZOOPIDFILE

The directory to store the ZooKeeper process ID

/var/run/zookeeper/zookeeper_server.pid

SERVER_JVMFLAGS

Used for setting JVM parameters, for example garbage collection options

-Xmx1024m -Djava.security.auth.login.config=/usr/lib/zookeeper/conf/zookeeper_server_jaas.conf

JAVA

A path to Java

$JAVA_HOME/bin/java

CLIENT_JVMFLAGS

Client flags for JVM

-Djava.security.auth.login.config=/usr/lib/zookeeper/conf/zookeeper_client_jaas.conf

 
The ZooKeeper logging settings are part of the ZooKeeper Server component configuration that is presented below.

logback.xml template
<!--
 Copyright 2022 The Apache Software Foundation

 Licensed to the Apache Software Foundation (ASF) under one
 or more contributor license agreements.  See the NOTICE file
 distributed with this work for additional information
 regarding copyright ownership.  The ASF licenses this file
 to you under the Apache License, Version 2.0 (the
 "License"); you may not use this file except in compliance
 with the License.  You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.

 Define some default values that can be overridden by system properties
-->
<configuration>
  <!-- Uncomment this if you would like to expose Logback JMX beans -->
  <!--jmxConfigurator /-->

  <property name="zookeeper.console.threshold" value="INFO" />

  <property name="zookeeper.log.dir" value="/var/log/zookeeper" />
  <property name="zookeeper.log.file" value="zookeeper.log" />
  <property name="zookeeper.log.threshold" value="INFO" />
  <property name="zookeeper.log.maxfilesize" value="256MB" />
  <property name="zookeeper.log.maxbackupindex" value="20" />

  <!--
    console
    Add "console" to root logger if you want to use this
  -->
  <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
    <encoder>
      <pattern>%d{ISO8601} [myid:%X{myid}] - %-5p [%t:%C{1}@%L] - %m%n</pattern>
    </encoder>
    <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
      <level>${zookeeper.console.threshold}</level>
    </filter>
  </appender>

  <!--
    Add ROLLINGFILE to root logger to get log file output
  -->
  <appender name="ROLLINGFILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <File>${zookeeper.log.dir}/${zookeeper.log.file}</File>
    <encoder>
      <pattern>%d{ISO8601} [myid:%X{myid}] - %-5p [%t:%C{1}@%L] - %m%n</pattern>
    </encoder>
    <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
      <level>${zookeeper.log.threshold}</level>
    </filter>
    <rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
      <maxIndex>${zookeeper.log.maxbackupindex}</maxIndex>
      <FileNamePattern>${zookeeper.log.dir}/${zookeeper.log.file}.%i</FileNamePattern>
    </rollingPolicy>
    <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
      <MaxFileSize>${zookeeper.log.maxfilesize}</MaxFileSize>
    </triggeringPolicy>
  </appender>


  <logger name="org.apache.zookeeper.audit.Slf4jAuditLogger" additivity="false" level="${audit.logger}">
    <appender-ref ref="RFAAUDIT" />
  </logger>

  <root level="INFO">
    <appender-ref ref="CONSOLE" />
    <appender-ref ref="ROLLINGFILE" />
  </root>
</configuration>

Enable custom ulimits
[Manager]
DefaultLimitCPU=
DefaultLimitFSIZE=
DefaultLimitDATA=
DefaultLimitSTACK=
DefaultLimitCORE=
DefaultLimitRSS=
DefaultLimitNOFILE=
DefaultLimitAS=
DefaultLimitNPROC=
DefaultLimitMEMLOCK=
DefaultLimitLOCKS=
DefaultLimitSIGPENDING=
DefaultLimitMSGQUEUE=
DefaultLimitNICE=
DefaultLimitRTPRIO=
DefaultLimitRTTIME=