Configuration parameters
This topic describes the parameters that can be configured for ADPS services via ADCM. To read about the configuring process, refer to the relevant articles: Online installation, Offline installation.
NOTE
Knox
Parameter | Description | Default value |
---|---|---|
Knox gateway port | HTTP port for Knox | 8443 |
Gateway whitelist | A semicolon-delimited list of regular expressions that defines the allowed endpoints for Knox dispatches and redirects | `^https?:\/\/(.*\|localhost\|127\.0\.0\.1\|0:0:0:0:0:0:0:1\|::1):[0-9].*$` |
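An added example (not Arenadata or Apache Knox code) that evaluates a Knox-style dispatch whitelist against candidate URLs, so the effect of the default value above can be checked before a change is rolled out. It assumes Knox applies each semicolon-separated regular expression as a full match on the dispatch URL; the tighter whitelist, the cluster domain `cluster.example.internal` and the probe URL are constructed for this example. Note that the `.*` alternative in the default expression accepts any host that is followed by a port, which the `accepts_any_host` check makes visible.

```python
import re

# Default value from the table above.
DEFAULT_WHITELIST = r"^https?:\/\/(.*|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$"

# Constructed tighter list (assumed cluster domain): only hosts inside the
# cluster domain, plus loopback, are allowed dispatch/redirect targets.
CLUSTER_WHITELIST = (
    r"^https?:\/\/([^/:@]+\.cluster\.example\.internal):[0-9]+(/.*)?$;"
    r"^https?:\/\/(localhost|127\.0\.0\.1|\[::1\]):[0-9]+(/.*)?$"
)

# A URL on a host that no cluster should need to dispatch to; used only to
# probe whether a whitelist is effectively open (constructed value).
PROBE_URL = "https://probe.invalid:443/"


def compile_whitelist(value):
    """Split the semicolon-delimited value and compile each expression."""
    return [re.compile(p) for p in value.split(";") if p.strip()]


def is_whitelisted(url, patterns):
    """Full-match semantics are an assumption of this example."""
    return any(p.fullmatch(url) for p in patterns)


def accepts_any_host(patterns):
    """True when an arbitrary external host passes the whitelist."""
    return is_whitelisted(PROBE_URL, patterns)


def review(value):
    """Return (number of expressions, open-to-any-host flag) for a whitelist value."""
    patterns = compile_whitelist(value)
    return len(patterns), accepts_any_host(patterns)


if __name__ == "__main__":
    for label, value in (("default", DEFAULT_WHITELIST), ("cluster", CLUSTER_WHITELIST)):
        count, open_ = review(value)
        print(f"{label}: {count} expression(s), accepts any host: {open_}")
```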
Parameter | Description | Default value |
---|---|---|
KNOX_GATEWAY_MEM_OPTS | A placeholder to allow customization of the gateway server's JVM memory settings | — |
KNOX_GATEWAY_LOG_DIR | Indicates where the gateway server should write its own error/standard output messages | /var/log/knox |
Parameter | Description | Default value |
---|---|---|
gateway.truststore.password.alias | Alias for the password to the truststore file holding the trusted client certificates. Note that an alias with the provided name should be created using the | gateway-truststore-password |
gateway.truststore.path | Location of the truststore for client certificates to be trusted | — |
gateway.truststore.type | Indicates the type of truststore at the path declared in | JKS |
gateway.tls.keystore.password.alias | Alias for the password to the keystore file holding the Gateway's TLS certificate and keypair. Note that an alias with the provided name should be created using the | gateway-identity-keystore-password |
gateway.tls.keystore.path | The path to the keystore file where the Gateway's TLS certificate and keypair are stored | — |
gateway.tls.keystore.type | The type of the keystore file where the Gateway's TLS certificate and keypair are stored | JKS |
gateway.tls.key.alias | The alias for the Gateway's TLS certificate and keypair within the default keystore or the keystore specified via | gateway-identity |
key_passphrase | Passphrase for the Gateway's TLS private key stored within the default keystore or the keystore specified via | — |
gateway.tls.key.passphrase.alias | The alias for the passphrase for the Gateway's TLS private key stored within the default keystore or the keystore specified via | gateway-identity-passphrase |
ssl.exclude.protocols | Excludes a comma or pipe separated list of protocols to not accept for SSL or | SSLv2,SSLv3,TLSv1,TLSv1.1 |
Parameter | Description | Default value |
---|---|---|
main.ldapRealm.contextFactory.url | The URL that represents the host and port of the LDAP server. It also includes the scheme of the protocol to use. This may be either ldap or ldaps depending on whether you are communicating with the LDAP server over SSL (highly recommended) | ldap://example.com:389 |
main.ldapRealm.contextFactory.systemUsername | Full distinguished name (DN) including common name (CN) of an AD user account that can search for users | — |
main.ldapRealm.contextFactory.systemPassword | Password for the account associated with | — |
main.ldapRealm.searchBase | The distinguished name (DN) of a starting point for directory server searches | — |
main.ldapRealm.userObjectClass | LDAP User Object Class | Person |
main.ldapRealm.userSearchAttributeName | Attribute name for simplified search filter | sAMAccountName |
main.ldapRealm.groupSearchBase | Search base for the groups | — |
main.ldapRealm.groupObjectClass | LDAP Group object class | group |
main.ldapRealm.groupIdAttribute | Attribute that uniquely identifies a group | sAMAccountName |
sessionTimeout | The session idle time in minutes | 30 |
main.ldapRealm | Classname for Knox Shiro Realm implementation | org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm |
main.ldapContextFactory | Classname for Knox Shiro LdapContextFactory implementation | org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory |
main.ldapRealm.contextFactory | Context factory in the realm | $ldapContextFactory |
main.ldapRealm.userSearchBase | Overrides | — |
main.ldapRealm.memberAttribute | Provides the group members | member |
Parameter | Description | Default value |
---|---|---|
Master Secret | Master Secret that is used to protect the keystore, truststores, and credential stores for the gateway instance | — |
Ranger plugin credstore password | Ranger plugin credential provider password | — |
Parameter | Description | Default value |
---|---|---|
xasecure.audit.destination.solr.batch.filespool.dir | Local disk directory for spool files | /srv/ranger/knox/audit_solr_spool |
Parameter | Description | Default value |
---|---|---|
ranger.plugin.knox.policy.cache.dir | Directory to store Ranger policies once they are fetched | /srv/ranger/knox/policycache |
ranger.plugin.knox.policy.pollIntervalMs | Interval (in milliseconds) to check for policy changes | 30000 |
ranger.plugin.knox.policy.rest.client.connection.timeoutMs | Connection timeout in milliseconds | 120000 |
ranger.plugin.knox.policy.rest.client.read.timeoutMs | Read timeout in milliseconds | 30000 |
ranger.plugin.knox.policy.source.impl | Class used to retrieve policies | org.apache.ranger.admin.client.RangerAdminJersey2RESTClient |
Parameter | Description | Default value |
---|---|---|
xasecure.policymgr.clientssl.keystore | The location of the keystore file that was created previously | — |
xasecure.policymgr.clientssl.keystore.credential.file | Path to the credential file for the keystore password | /etc/knox/conf/rangerusersync.jceks |
xasecure.policymgr.clientssl.truststore.credential.file | Path to the credential file for the truststore password | /etc/knox/conf/rangerusersync.jceks |
xasecure.policymgr.clientssl.truststore | The location of the truststore file that was created previously | — |
xasecure.policymgr.clientssl.keystore.password | The password for the Ranger KMS JKS keystore file | — |
xasecure.policymgr.clientssl.truststore.password | The password for the Knox Server JKS truststore file | — |
Parameter | Description | Default value |
---|---|---|
Custom gateway-site.xml | In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the gateway-site.xml configuration file | — |
Custom knox-env.sh | In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the knox-env.sh configuration file | — |
Custom ranger-knox-audit.xml | In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-knox-audit.xml configuration file | — |
Custom ranger-knox-security.xml | In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-knox-security.xml configuration file | — |
Custom ranger-knox-policymgr-ssl.xml | In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-knox-policymgr-ssl.xml configuration file | — |
The Knox Gateway component contains the logging settings described below.
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<Configuration>
<Properties>
<Property name="app.log.dir">${env:KNOX_GATEWAY_LOG_DIR}</Property>
<Property name="app.log.file">${sys:launcher.name}.log</Property>
<Property name="app.audit.file">${sys:launcher.name}-audit.log</Property>
</Properties>
<Appenders>
<RollingFile name="auditfile" fileName="${app.log.dir}/${app.audit.file}" filePattern="${app.log.dir}/${app.audit.file}.%d{yyyy-MM-dd}">
<AuditLayout />
<TimeBasedTriggeringPolicy />
</RollingFile>
<Console name="stdout" target="SYSTEM_OUT">
<PatternLayout pattern="%d{yy/MM/dd HH:mm:ss} %p %c{2}: %m%n" />
</Console>
<RollingFile name="drfa" fileName="${app.log.dir}/${app.log.file}" filePattern="${app.log.dir}/${app.log.file}.%d{yyyy-MM-dd}">
<!-- Same as ISO8601 format but without the 'T' (log4j1 compatible) -->
<PatternLayout pattern="%d{yyyy-MM-dd' 'HH:mm:ss,SSS} %X{trace_id} %-5p %c{2} (%F:%M(%L)) - %m%n" />
<TimeBasedTriggeringPolicy />
</RollingFile>
<!-- <RollingFile name="httpclient" fileName="${app.log.dir}/${launcher.name}-http-client.log" filePattern="${app.log.dir}/${launcher.name}-http-client.log.%d{yyyy-MM-dd}">-->
<!-- <PatternLayout pattern="%d{ISO8601}|%t|%m%n" />-->
<!-- <TimeBasedTriggeringPolicy />-->
<!-- </RollingFile>-->
<!-- <RollingFile name="httpaccess" fileName="${app.log.dir}/${launcher.name}-http-access.log" filePattern="${app.log.dir}/${launcher.name}-http-access.log.%d{yyyy-MM-dd}">-->
<!-- <PatternLayout pattern="%d{ISO8601}|%t|%m%n" />-->
<!-- <TimeBasedTriggeringPolicy />-->
<!-- </RollingFile>-->
<!-- <RollingFile name="httpserver" fileName="${app.log.dir}/${launcher.name}-http-server.log" filePattern="${app.log.dir}/${launcher.name}-http-server.log.%d{yyyy-MM-dd}">-->
<!-- <PatternLayout pattern="%d{ISO8601}|%t|%m%n" />-->
<!-- <TimeBasedTriggeringPolicy />-->
<!-- </RollingFile>-->
</Appenders>
<Loggers>
<Logger name="audit" level="INFO">
<AppenderRef ref="auditfile" />
</Logger>
<Logger name="org.apache.knox.gateway" level="INFO" />
<Root level="ERROR">
<AppenderRef ref="drfa" />
</Root>
<!-- <Logger name="org.apache.knox.gateway.websockets" level="DEBUG" />-->
<!-- <Logger name="org.springframework" level="DEBUG" />-->
<!-- <Logger name="org.apache.knox.gateway.http.request.body" level="OFF" />-->
<!-- <Logger name="org.apache.knox.gateway.http" level="TRACE">-->
<!-- <AppenderRef ref="httpserver" />-->
<!-- </Logger>-->
<!-- <Logger name="org.apache.shiro" level="DEBUG" />-->
<!-- <Logger name="org.apache.knox.gateway.http.response.body" level="OFF" />-->
<!-- <Logger name="org.apache.http.client" level="DEBUG" />-->
<!-- <Logger name="org.apache.knox.gateway.http.request.headers" level="OFF" />-->
<!-- <Logger name="org.apache.http.wire" level="DEBUG">-->
<!-- <AppenderRef ref="httpclient" />-->
<!-- </Logger>-->
<!-- <Logger name="org.apache.knox.gateway.http.response.headers" level="OFF" />-->
<!-- <Logger name="net.sf.ehcache" level="DEBUG" />-->
<!-- <Logger name="org.apache.http" level="DEBUG" />-->
<!-- <Logger name="org.apache.http.headers" level="DEBUG" />-->
<!-- <Logger name="org.apache.shiro.util.ThreadContext" level="DEBUG" />-->
<!-- <Logger name="org.apache.knox.gateway" level="DEBUG" />-->
<!-- <Logger name="org.eclipse.jetty" level="DEBUG" />-->
<!-- <Logger name="org.apache.knox.gateway.access" level="TRACE">-->
<!-- <AppenderRef ref="httpaccess" />-->
<!-- </Logger>-->
</Loggers>
</Configuration>
<?xml version="1.0" encoding="utf-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<Configuration>
<Properties>
<Property name="app.log.dir">${env:KNOX_GATEWAY_LOG_DIR}</Property>
<Property name="app.log.file">${sys:launcher.name}.log</Property>
</Properties>
<Appenders>
<Console name="stdout" target="SYSTEM_OUT">
<PatternLayout pattern="%d{yy/MM/dd HH:mm:ss} %p %c{2}: %m%n" />
</Console>
<RollingFile name="drfa" fileName="${app.log.dir}/${app.log.file}" filePattern="${app.log.dir}/${app.log.file}.%d{yyyy-MM-dd}">
<PatternLayout pattern="%d{ISO8601} %-5p %c{2} (%F:%M(%L)) - %m%n" />
<TimeBasedTriggeringPolicy />
</RollingFile>
</Appenders>
<Loggers>
<Logger name="org.apache.http.impl.client" level="INFO" />
<Logger name="org.apache.http.client" level="INFO" />
<Logger name="org.apache.http.impl.conn" level="INFO" />
<Root level="ERROR">
<AppenderRef ref="drfa" />
</Root>
</Loggers>
</Configuration>
MariaDB
Parameter | Description | Default value |
---|---|---|
Password | Database user password | — |
The MariaDB Master Server component has configuration parameters of its own, which are described below.
[Manager]
DefaultLimitCPU=
DefaultLimitFSIZE=
DefaultLimitDATA=
DefaultLimitSTACK=
DefaultLimitCORE=
DefaultLimitRSS=
DefaultLimitNOFILE=
DefaultLimitAS=
DefaultLimitNPROC=
DefaultLimitMEMLOCK=
DefaultLimitLOCKS=
DefaultLimitSIGPENDING=
DefaultLimitMSGQUEUE=
DefaultLimitNICE=
DefaultLimitRTPRIO=
DefaultLimitRTTIME=
Ranger
Parameter | Description | Default value |
---|---|---|
Password for admin user | Password for the Ranger administrator | — |
Password for keyadmin user | Password for the Ranger KMS administrator | — |
Password for rangerusersync user | Password for the user with the rights to add users and groups to Ranger Admin as part of the synchronization mechanism with LDAP/AD or UNIX | — |
Credstore password opts | Defines whether a password is required for a credstore | password-file |
Parameter | Description | Default value |
---|---|---|
ranger.db.encrypt.key.password | Password of the Master Key encryption | — |
ranger.ks.jpa.jdbc.password | Database user's password | — |
ranger.ks.jpa.jdbc.url | JDBC connection URL for the Ranger KMS database. Leave empty for automatic setup on the next reconfiguration | `jdbc:mysql://{{ groups['mysql.master'][0] \| d(omit) }}:3306/rangerkms` |
ranger.ks.jpa.jdbc.driver | A classname for a JDBC driver for the Ranger KMS DB | com.mysql.jdbc.Driver |
ranger.ks.jdbc.sqlconnectorjar | Path to a JDBC driver JAR for the Ranger KMS DB | /usr/share/java/jdbc-mysql-connector.jar |
ranger.ks.jpa.jdbc.user | Database username used for the operations | rangerkms |
ranger.ks.kerberos.keytab | Ranger KMS Kerberos keytab | — |
ranger.ks.kerberos.principal | Ranger KMS Kerberos principal | — |
Parameter | Description | Default value |
---|---|---|
DB_FLAVOR | DBMS that is used to manage the Ranger KMS metadata database | MYSQL |
Custom install.properties | Additional installation parameters | |
Parameter | Description | Default value |
---|---|---|
ranger.audit.solr.urls | Used to connect Ranger Admin to Solr for audit | — |
ranger.audit.solr.zookeepers | Used to connect Ranger Admin to Solr's ZooKeeper for audit | — |
ranger.audit.source.type | Source for the audit store. Currently, only Solr is supported | solr |
ranger.authentication.method | Authentication methods ( | NONE |
ranger.jpa.jdbc.driver | A classname for a JDBC driver for the Ranger Admin DB | com.mysql.jdbc.Driver |
ranger.jdbc.sqlconnectorjar | Path to a JDBC driver JAR for the Ranger Admin DB | /usr/share/java/jdbc-mysql-connector.jar |
ranger.jpa.jdbc.password | Password for the Ranger Admin database | — |
ranger.jpa.jdbc.url | JDBC connection URL for the Ranger Admin database. Leave empty for automatic setup on the next reconfiguration | `jdbc:mysql://{{ groups['mysql.master'][0] \| d(omit) }}:3306/ranger` |
ranger.jpa.jdbc.user | Username for the Ranger Admin database | rangeradmin |
ranger.service.http.port | HTTP port for Ranger Admin | 6080 |
ranger.service.https.port | HTTPS port for Ranger Admin | 6182 |
ranger.service.shutdown.port | HTTP port used for graceful shutdown of the service | 6085 |
ranger.solr.audit.user | Username to connect to Solr for audit | rangeraudit |
ranger.solr.audit.user.password | Password for the Solr user | — |
ranger.admin.balancer.host | URL of a host with a load balancer | — |
ranger.admin.balancer.port | Port on which a load balancer listens | — |
ranger.admin.kerberos.token.valid.seconds | Time (in seconds) for which the Kerberos token is valid | — |
Parameter | Description | Default value |
---|---|---|
DB_FLAVOR | DBMS that is used to manage the Ranger Admin metadata database | MYSQL |
Custom install.properties | Additional installation parameters | |
Parameter | Description | Default value |
---|---|---|
hadoop.security.key.provider.path | The key provider to use when interacting with encryption keys used when reading and writing to an encryption zone | kms://http@&lt;ranger-kms-host&gt;:9292/kms |
User managed hadoop.security.auth_to_local | Determines whether to let the user define | false |
hadoop.security.auth_to_local | Maps Kerberos principals to local user names | `RULE:[1:$1@$0](.*@AD.RANGER-TEST)s/@.*//RULE:[2:$1@$0](hbase@AD.RANGER-TEST)s/.*/hbase/RULE:[2:$1@$0](hdfs-namenode@AD.RANGER-TEST)s/.*/hdfs/RULE:[2:$1@$0](hdfs-datanode@AD.RANGER-TEST)s/.*/hdfs/RULE:[2:$1@$0](rangeradmin@AD.RANGER-TEST)s/.*/ranger/RULE:[2:$1@$0](rangerkms@AD.RANGER-TEST)s/.*/keyadmin/RULE:[2:$1@$0](rangertagsync@AD.RANGER-TEST)s/.*/rangertagsync/RULE:[2:$1@$0](rangerusersync@AD.RANGER-TEST)s/.*/rangerusersync/RULE:[2:$1@$0](hive@AD.RANGER-TEST)s/.*/hive/RULE:[2:$1/$2@$0](yarn-resourcemanager/.*@AD.RANGER-TEST)s/.*/yarn/RULE:[2:$1/$2@$0](yarn-nodemanager/.*@AD.RANGER-TEST)s/.*/yarn/RULE:[2:$1/$2@$0](yarn/.*@AD.RANGER-TEST)s/.*/yarn/RULE:[2:$1/$2@$0](mapreduce-historyserver/.*@AD.RANGER-TEST)s/.*/mapred/DEFAULT` |
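An added example, not Arenadata or Apache Hadoop code: a simplified re-implementation of how Hadoop evaluates hadoop.security.auth_to_local rules (the reference is Hadoop's KerberosName class), so a rule set such as the default above can be checked offline before it is deployed. It mirrors the rule grammar, the full-match test of the formatted principal against the rule's regular expression, and the sed-style substitution; the `/L` lower-casing flag and the MIT mechanism are not modelled. The rule string is taken from the table above (it is stored without separators between rules, which the parser handles); the realm AD.RANGER-TEST is assumed to be the cluster's default realm, and the principals in `main` are constructed.

```python
import re

# Rule grammar: RULE:[<n>:<format>](<regex>)s/<pattern>/<replacement>/[g]  or  DEFAULT
RULE_RE = re.compile(
    r"\s*(?:(?P<default>DEFAULT)|RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"
    r"(?:\((?P<regex>[^)]*)\))?(?:s/(?P<pat>[^/]*)/(?P<repl>[^/]*)/(?P<g>g)?)?)"
)

DEFAULT_REALM = "AD.RANGER-TEST"  # assumed default realm of the cluster

# Default value of hadoop.security.auth_to_local from the table above, one rule per literal.
RULES = (
    "RULE:[1:$1@$0](.*@AD.RANGER-TEST)s/@.*//"
    "RULE:[2:$1@$0](hbase@AD.RANGER-TEST)s/.*/hbase/"
    "RULE:[2:$1@$0](hdfs-namenode@AD.RANGER-TEST)s/.*/hdfs/"
    "RULE:[2:$1@$0](hdfs-datanode@AD.RANGER-TEST)s/.*/hdfs/"
    "RULE:[2:$1@$0](rangeradmin@AD.RANGER-TEST)s/.*/ranger/"
    "RULE:[2:$1@$0](rangerkms@AD.RANGER-TEST)s/.*/keyadmin/"
    "RULE:[2:$1@$0](rangertagsync@AD.RANGER-TEST)s/.*/rangertagsync/"
    "RULE:[2:$1@$0](rangerusersync@AD.RANGER-TEST)s/.*/rangerusersync/"
    "RULE:[2:$1@$0](hive@AD.RANGER-TEST)s/.*/hive/"
    "RULE:[2:$1/$2@$0](yarn-resourcemanager/.*@AD.RANGER-TEST)s/.*/yarn/"
    "RULE:[2:$1/$2@$0](yarn-nodemanager/.*@AD.RANGER-TEST)s/.*/yarn/"
    "RULE:[2:$1/$2@$0](yarn/.*@AD.RANGER-TEST)s/.*/yarn/"
    "RULE:[2:$1/$2@$0](mapreduce-historyserver/.*@AD.RANGER-TEST)s/.*/mapred/"
    "DEFAULT"
)


def parse_rules(text):
    """Split a rule string into rule dicts; rules may be concatenated or whitespace-separated."""
    rules, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = RULE_RE.match(text, pos)
        if not m:
            raise ValueError(f"unparseable rule text at offset {pos}: {text[pos:pos + 40]!r}")
        rules.append(m.groupdict())
        pos = m.end()
    return rules


def map_principal(principal, rules=None, default_realm=DEFAULT_REALM):
    """Return the short name for a principal, or None when no rule applies."""
    rules = parse_rules(RULES) if rules is None else rules
    if "@" in principal:
        name, realm = principal.rsplit("@", 1)
    else:
        name, realm = principal, default_realm
    components = name.split("/")
    for r in rules:
        if r["default"]:  # DEFAULT: first component, but only for the default realm
            if realm == default_realm:
                return components[0]
            continue
        if int(r["n"]) != len(components):  # rule applies to n-component principals only
            continue
        params = [realm] + components  # $0 is the realm, $1.. are the components
        formatted = re.sub(r"\$(\d)", lambda m: params[int(m.group(1))], r["fmt"])
        if r["regex"] and not re.fullmatch(r["regex"], formatted):
            continue
        short = formatted
        if r["pat"] is not None:  # s/pattern/replacement/[g]
            short = re.sub(r["pat"], r["repl"], formatted, count=0 if r["g"] else 1)
        if "@" in short or "/" in short:
            raise ValueError(f"rule left a non-simple name {short!r} for {principal}")
        return short
    return None


if __name__ == "__main__":
    parsed = parse_rules(RULES)
    for p in ("alice@AD.RANGER-TEST", "hbase/node1.example.com@AD.RANGER-TEST",
              "yarn-nodemanager/node1.example.com@AD.RANGER-TEST", "bob@OTHER.REALM"):
        print(f"{p} -> {map_principal(p, parsed)}")
```

Running it against a proposed rule set with the service principals actually issued in the cluster is a cheap way to catch a rule that maps an unexpected principal to a privileged local user such as hdfs or keyadmin.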
Parameter | Description | Default value |
---|---|---|
xasecure.audit.destination.solr.batch.filespool.dir | Sets the directory where the spool files are stored when the in-memory buffer is full | /srv/ranger/kms/audit_solr_spool |
Parameter | Description | Default value |
---|---|---|
ranger.plugin.kms.policy.cache.dir | Directory where Ranger policies are cached after a successful retrieval from the source | /srv/ranger/kms/policycache |
Parameter | Description | Default value |
---|---|---|
ranger.service.http.port | HTTP port for Ranger KMS | 9292 |
ranger.service.https.port | HTTPS port for Ranger KMS | 9393 |
ranger.service.shutdown.port | HTTP port used for graceful shutdown of the service | 7085 |
ranger.contextName | Ranger web context | /kms |
ranger.service.host | Ranger service host | localhost |
Parameter | Description | Default value |
---|---|---|
ranger.https.attrib.keystore.file | Location of the keystore file | — |
ranger.service.https.attrib.keystore.pass | Password for the keystore file | — |
ranger.https.attrib.truststore.file | Location of the truststore file | — |
ranger.service.https.attrib.truststore.pass | Password for the truststore file | — |
ranger.service.https.attrib.client.auth | Defines whether to enable client authentication (but not require it). Possible values: | false |
ranger.service.https.attrib.ssl.protocol | The enabled SSL protocol | TLSv1.2 |
Parameter | Description | Default value |
---|---|---|
ranger.https.attrib.keystore.file | Location of the keystore file | — |
ranger.service.https.attrib.keystore.pass | Password for the keystore file | — |
ranger.service.https.attrib.clientAuth | Defines whether to require clients to authenticate. Possible values: | — |
ranger.service.https.attrib.client.auth | Defines whether to enable client authentication (but not require it). Possible values: | false |
ranger.service.https.attrib.ssl.protocol | The enabled SSL protocol | TLSv1.2 |
Parameter | Description | Default value |
---|---|---|
ranger.usersync.truststore.file | Location of the truststore file | — |
ranger.usersync.truststore.password | Password for the truststore file | — |
ranger.usersync.keystore.file | Location of the keystore file | — |
ranger.usersync.keystore.password | Password for the keystore file | — |
ranger.usersync.https.ssl.enabled.protocols | The supported SSL protocols | TLSv1.2 |
Parameter | Description | Default value |
---|---|---|
hadoop.kms.authentication.kerberos.name.rules | Name resolution rules for Kerberos principals | `RULE:[1:$1@$0](.*@AD.RANGER-TEST)s/@.*//RULE:[2:$1@$0](hbase@AD.RANGER-TEST)s/.*/hbase/RULE:[2:$1@$0](hdfs-namenode@AD.RANGER-TEST)s/.*/hdfs/RULE:[2:$1@$0](hdfs-datanode@AD.RANGER-TEST)s/.*/hdfs/RULE:[2:$1@$0](rangeradmin@AD.RANGER-TEST)s/.*/ranger/RULE:[2:$1@$0](rangerkms@AD.RANGER-TEST)s/.*/keyadmin/RULE:[2:$1@$0](rangertagsync@AD.RANGER-TEST)s/.*/rangertagsync/RULE:[2:$1@$0](rangerusersync@AD.RANGER-TEST)s/.*/rangerusersync/RULE:[2:$1@$0](hive@AD.RANGER-TEST)s/.*/hive/RULE:[2:$1/$2@$0](yarn-resourcemanager/.*@AD.RANGER-TEST)s/.*/yarn/RULE:[2:$1/$2@$0](yarn-nodemanager/.*@AD.RANGER-TEST)s/.*/yarn/RULE:[2:$1/$2@$0](yarn/.*@AD.RANGER-TEST)s/.*/yarn/RULE:[2:$1/$2@$0](mapreduce-historyserver/.*@AD.RANGER-TEST)s/.*/mapred/DEFAULT` |
hadoop.kms.authentication.zk-dt-secret-manager.enable | Whether to use ZKDelegationTokenSecretManager to persist TokenIdentifiers and DelegationKeys in ZooKeeper | false |
hadoop.kms.authentication.zk-dt-secret-manager.zkConnectionString | The ZooKeeper connection string, a comma-separated list of hostnames and ports | — |
hadoop.kms.authentication.zk-dt-secret-manager.znodeWorkingPath | The ZooKeeper znode path where the KMS instances will store and retrieve the secret from. All the KMS instances that need to coordinate should point to the same path | — |
hadoop.kms.authentication.zk-dt-secret-manager.zkAuthType | The ZooKeeper authentication type. Possible values: | none |
hadoop.kms.authentication.zk-dt-secret-manager.kerberos.keytab | The absolute path for the Kerberos keytab with the credentials to connect to ZooKeeper. This parameter is effective only when | — |
hadoop.kms.authentication.signer.secret.provider | Indicates how the secret to sign the authentication cookies will be stored. Possible values: | random |
hadoop.kms.authentication.signer.secret.provider.zookeeper.connection.string | The ZooKeeper connection string, a comma-separated list of hostnames and ports | — |
hadoop.kms.authentication.signer.secret.provider.zookeeper.path | The ZooKeeper znode path where the KMS instances will store and retrieve the secret from. All the KMS instances that need to coordinate should point to the same path | — |
Parameter | Description | Default value |
---|---|---|
ranger.usersync.port | Port for the Unix authentication service | 5151 |
ranger.usersync.role.assignment.list.delimiter | Delimiter to use while syncing roles to users, groups, and roles in Ranger Admin | & |
ranger.usersync.sleeptimeinmillisbetweensynccycle | Sleep time (in milliseconds) between user sync operations | — |
ranger.usersync.unix.minGroupId | Minimum group ID to start syncing from. This parameter is used to avoid syncing UNIX system-level groups into Ranger Admin | 500 |
ranger.usersync.unix.minUserId | Minimum user ID to start syncing from. This parameter is used to avoid syncing UNIX system-level users into Ranger Admin | 500 |
ranger.usersync.username.groupname.assignment.list.delimiter | Delimiter to use while syncing users and groups in Ranger Admin | , |
ranger.usersync.users.groups.assignment.list.delimiter | Delimiter to use while syncing users and groups with specified roles in Ranger Admin. This delimiter separates the users and groups from their respective roles | : |
NOTE
The delimiters cannot contain characters that are allowed in a username or group name.

The ranger.usersync.role.assignment.list.delimiter parameter is used as the delimiter between roles. Check the example below.

ROLE_SYS_ADMIN:u:username01,username02&ROLE_KEY_ADMIN:g:groupname01

In this example, the roles ROLE_SYS_ADMIN and ROLE_KEY_ADMIN in Ranger Admin are separated by the & delimiter.

The ranger.usersync.username.groupname.assignment.list.delimiter parameter is used as the delimiter between two or more users or groups. Check the example below.

ROLE_SYS_ADMIN:u:username01,username02

In this example, the users username01 and username02 are separated by the , delimiter.

The ranger.usersync.users.groups.assignment.list.delimiter parameter is used as the delimiter that separates users and groups from their respective roles. Check the example below.

ROLE_SYS_ADMIN:u:username01,username02&ROLE_SYS_ADMIN:g:groupname01,groupname02

In this example, ROLE_SYS_ADMIN is a role, u denotes a list of users followed by the actual usernames, username01 and username02, and g denotes a list of groups followed by the actual group names, groupname01 and groupname02.
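An added example (not Arenadata or Apache Ranger code) that parses a role-assignment list of the form shown above into a per-role mapping of users and groups, driven by the three delimiter parameters, and that checks the delimiters against the rule in the note. The default delimiters are the ones the table lists; the set of characters assumed legal in a username or group name (`[A-Za-z0-9._-]`) and the sample strings are constructed for this example.

```python
import re

# Defaults from the table above.
ROLE_DELIM = "&"   # ranger.usersync.role.assignment.list.delimiter
LIST_DELIM = ","   # ranger.usersync.username.groupname.assignment.list.delimiter
PART_DELIM = ":"   # ranger.usersync.users.groups.assignment.list.delimiter

# Assumed character class for user and group names (not from the documentation).
NAME_CHAR = re.compile(r"[A-Za-z0-9._-]")


def parse_role_assignments(spec, role_delim=ROLE_DELIM, list_delim=LIST_DELIM, part_delim=PART_DELIM):
    """Return {role: {"users": [...], "groups": [...]}} for a spec string.

    Each entry has the shape ROLE<part>u|g<part>name1<list>name2...; entries
    for the same role are merged and duplicate names are dropped.
    """
    result = {}
    for entry in (e.strip() for e in spec.split(role_delim)):
        if not entry:
            continue
        parts = entry.split(part_delim)
        if len(parts) != 3:
            raise ValueError(f"malformed entry {entry!r}: expected ROLE{part_delim}u|g{part_delim}names")
        role, kind, names = parts
        if kind not in ("u", "g"):
            raise ValueError(f"unknown member kind {kind!r} in {entry!r}")
        bucket = result.setdefault(role, {"users": [], "groups": []})
        target = bucket["users" if kind == "u" else "groups"]
        for name in (n.strip() for n in names.split(list_delim)):
            if name and name not in target:
                target.append(name)
    return result


def validate_delimiters(role_delim, list_delim, part_delim):
    """Return a list of problems (empty when the three delimiters are usable)."""
    problems = []
    delims = {"role": role_delim, "list": list_delim, "part": part_delim}
    for label, d in delims.items():
        if not d:
            problems.append(f"{label} delimiter is empty")
        elif NAME_CHAR.search(d):
            problems.append(f"{label} delimiter {d!r} contains a character allowed in names")
    if len(set(delims.values())) != 3:
        problems.append("delimiters must be distinct from each other")
    return problems


if __name__ == "__main__":
    sample = "ROLE_SYS_ADMIN:u:username01,username02&ROLE_SYS_ADMIN:g:groupname01,groupname02"
    print(parse_role_assignments(sample))
    print(validate_delimiters("&", ",", ":"), validate_delimiters("_", ",", ":"))
```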
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<!--
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. See accompanying LICENSE file.
-->
<!-- Put site-specific property overrides in this file. -->
<configuration>
<property>
<name>ranger.usersync.port</name>
<value>5151</value>
</property>
<property>
<name>ranger.usersync.ssl</name>
<value>true</value>
</property>
<property>
<name>ranger.usersync.https.ssl.enabled.protocols</name>
<value>SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2</value>
</property>
<property>
<name>ranger.usersync.passwordvalidator.path</name>
<value>./native/credValidator.uexe</value>
</property>
<property>
<name>ranger.usersync.enabled</name>
<value>true</value>
</property>
<property>
<name>ranger.usersync.policymanager.maxrecordsperapicall</name>
<value>1000</value>
</property>
<property>
<name>ranger.usersync.policymanager.mockrun</name>
<value>false</value>
</property>
<property>
<name>ranger.usersync.unix.minUserId</name>
<value>500</value>
</property>
<property>
<name>ranger.usersync.unix.minGroupId</name>
<value>0</value>
</property>
<property>
<name>ranger.usersync.ldap.username.caseconversion</name>
<value>none</value>
</property>
<property>
<name>ranger.usersync.ldap.groupname.caseconversion</name>
<value>none</value>
</property>
<property>
<name>ranger.usersync.logdir</name>
<value>./log</value>
</property>
<property>
<name>ranger.usersync.cookie.enabled</name>
<value>true</value>
</property>
</configuration>
Parameter | Description | Default value |
---|---|---|
ranger.usersync.ldap.binddn | Full distinguished name (DN) | — |
ranger.usersync.ldap.deltasync | LDAP delta sync flag used to periodically sync users and groups based on the updates in the server | true |
ranger.usersync.ldap.groupname.caseconversion | Controls how to convert group names. Possible values: | lower |
LDAP bind password | Password for the LDAP bind user | — |
ranger.usersync.ldap.referral | Indicates how to handle LDAP referrals. Possible values are: | ignore |
ranger.usersync.ldap.searchBase | Search base for the users and groups | rangerkms |
ranger.usersync.ldap.url | LDAP server URL | ranger |
ranger.usersync.ldap.user.groupnameattribute | LDAP user group name attribute | memberof,ismemberof |
ranger.usersync.ldap.user.nameattribute | LDAP user name attribute | cn |
ranger.usersync.ldap.user.objectclass | LDAP User Object Class | person |
ranger.usersync.ldap.user.searchbase | Search base for the users | — |
ranger.usersync.ldap.user.searchfilter | Optional additional filter constraining the users selected for syncing | — |
ranger.usersync.ldap.user.searchscope | Search scope for the users. Possible values are: | — |
ranger.usersync.ldap.username.caseconversion | Controls how to convert usernames. Possible values: | lower |
ranger.usersync.group.searchenabled | Whether Usersync should use ldapsearch to find groups instead of relying on user entry attributes | — |
ranger.usersync.group.search.first.enabled | Whether to get users using the 'member' attribute of the group | true |
ranger.usersync.group.usermapsyncenabled | Whether to do the ldapsearch to find groups instead of relying on user entry attributes and sync memberships of those groups | false |
ranger.usersync.group.memberattributename | LDAP group member attribute name | member |
ranger.usersync.group.nameattribute | LDAP group name attribute | cn |
ranger.usersync.group.objectclass | LDAP Group object class | groupofnames |
ranger.usersync.group.searchbase | Search base for the groups | — |
ranger.usersync.group.searchfilter | Optional additional filter constraining the groups selected for syncing | — |
ranger.usersync.group.searchscope | Search scope for the groups. Possible values are: | — |
The ranger.usersync.ldap.binddn parameter is used to set the DN, including the common name (CN), of an LDAP user account that has privileges to search for users. This can be a read-only LDAP user. Check the example below.

cn=admin,dc=example,dc=com

The ranger.usersync.ldap.searchBase parameter is used to set the search base for users and groups. Multiple values can be separated with ; (semicolon). Check the example below.

dc=hadoop,dc=arenadata,dc=tech

The ranger.usersync.ldap.url parameter is used to set the URL of the LDAP server. Check the examples below.

ldaps://localhost:8000
ldap://localhost:8080

The ranger.usersync.ldap.user.groupnameattribute parameter is the same as the username attribute. Check the examples below.

memberOf in AD; memberof,ismemberof in OpenLDAP

The ranger.usersync.ldap.user.nameattribute parameter is used to set the LDAP username attribute. Check the examples below.

sAMAccountName in AD; uid or cn in OpenLDAP

NOTE
sAMAccountName is the logon account name in SAM, which is needed for compatibility with pre-Windows 2000 systems. cn is a common user name that consists of the first name, middle name, and last name.

The ranger.usersync.ldap.user.searchbase parameter is used to set the path to the search base for users. Multiple values can be configured, separated with ; (semicolon).

CAUTION
The value of ranger.usersync.ldap.user.searchbase overrides the value specified in ranger.usersync.ldap.searchBase.

Check the examples below.

ou=users,dc=hadoop,dc=arenadata,dc=tech
cn=users,dc=example,dc=com;ou=example1,ou=example2

The ranger.usersync.group.searchbase parameter is used to specify the group search base. Multiple values can be separated with ; (semicolon). If a value is not specified, it takes the value of ranger.usersync.ldap.searchBase. If ranger.usersync.ldap.searchBase is also not specified, it takes the value of ranger.usersync.ldap.user.searchbase.

CAUTION
The value of ranger.usersync.group.searchbase overrides the values specified in ranger.usersync.ldap.searchBase and ranger.usersync.ldap.user.searchbase.

Check the examples below.

ou=groups,dc=hadoop,dc=apache,dc=org
ou=groups,DC=example,DC=com;ou=group1,ou=group2
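An added example (not Arenadata or Apache Ranger code) that resolves the search bases Usersync will actually use from a configuration, following the precedence described above: the user search base falls back to ranger.usersync.ldap.searchBase, and the group search base falls back first to ranger.usersync.ldap.searchBase and then to ranger.usersync.ldap.user.searchbase, with every value split on ; into its individual bases. The loose DN shape check and the sample configurations are constructed for this example; they reuse the example values shown above.

```python
import re

# Loose shape check for a DN: comma-separated attr=value pairs (assumed, not an RFC 4514 parser).
DN_RE = re.compile(r"\s*[A-Za-z][\w-]*=[^,]+\s*(,\s*[A-Za-z][\w-]*=[^,]+\s*)*")


def split_search_bases(value):
    """Split a ';'-separated search base value into its bases, dropping blanks."""
    if not value:
        return []
    return [b.strip() for b in value.split(";") if b.strip()]


def looks_like_dn(base):
    return DN_RE.fullmatch(base) is not None


def effective_search_bases(config):
    """Resolve the user and group search bases a usersync config will use.

    users : ranger.usersync.ldap.user.searchbase, else ranger.usersync.ldap.searchBase
    groups: ranger.usersync.group.searchbase, else ranger.usersync.ldap.searchBase,
            else ranger.usersync.ldap.user.searchbase
    """
    common = config.get("ranger.usersync.ldap.searchBase")
    user = config.get("ranger.usersync.ldap.user.searchbase")
    group = config.get("ranger.usersync.group.searchbase")
    return {
        "users": split_search_bases(user or common),
        "groups": split_search_bases(group or common or user),
    }


def check_search_bases(config):
    """Return a list of problems: nothing to search, or a base that is not DN-shaped."""
    problems = []
    for kind, bases in effective_search_bases(config).items():
        if not bases:
            problems.append(f"no {kind} search base is configured")
        for b in bases:
            if not looks_like_dn(b):
                problems.append(f"{kind} search base {b!r} does not look like a DN")
    return problems


if __name__ == "__main__":
    # Constructed configuration using the example values from the documentation above.
    cfg = {
        "ranger.usersync.ldap.searchBase": "dc=hadoop,dc=arenadata,dc=tech",
        "ranger.usersync.ldap.user.searchbase": "cn=users,dc=example,dc=com;ou=example1,ou=example2",
    }
    print(effective_search_bases(cfg))
    print(check_search_bases(cfg))
```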
Parameter | Description | Default value |
---|---|---|
ranger.ldap.url | The LDAP server URL | — |
ranger.ldap.bind.dn | The full distinguished name (DN) of an LDAP user to bind to | — |
ranger.ldap.bind.password | The password for an LDAP user to bind to | — |
ranger.ldap.base.dn | The distinguished name of the start for directory server searches | — |
ranger.ldap.group.searchbase | The LDAP group search base | — |
ranger.ldap.group.searchfilter | The LDAP group search filter | — |
ranger.ldap.group.roleattribute | The LDAP group role attribute | — |
ranger.ldap.user.searchfilter | The LDAP user search filter | — |
ranger.ldap.user.dnpattern | The LDAP user DN pattern | — |
ranger.ldap.referral | Indicates how to handle LDAP referrals. Possible values are: | ignore |
Parameter | Description | Default value |
---|---|---|
ranger.ldap.ad.url |
The Active Directory server URL |
— |
ranger.ldap.ad.bind.dn |
The full distinguished name (DN) of an AD user to bind to |
— |
ranger.ldap.ad.bind.password |
The password for an LDAP user to bind to |
— |
ranger.ldap.ad.base.dn |
The Distinguished Name of the start for directory server searches |
— |
ranger.ldap.ad.domain |
Server domain name (or IP address) where the ranger-usersync module is running (along with the AD Authentication Service) |
— |
ranger.ldap.ad.user.searchfilter |
Search filter for Bind Authentication |
sAMAccountName={0} |
ranger.ldap.ad.referral |
Indicates how to handle AD referrals. There are three possible values:
|
ignore |
Parameter | Description | Default value |
---|---|---|
Custom dbks-site.xml |
In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the dbks-site.xml configuration file |
— |
Custom ranger-admin-site.xml |
In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-admin-site.xml configuration file |
— |
Custom core-site.xml |
In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the core-site.xml configuration file |
— |
Custom ranger-kms-audit.xml |
In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-kms-audit.xml configuration file |
— |
Custom ranger-kms-security.xml |
In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-kms-security.xml configuration file |
— |
Custom ranger-kms-site.xml |
In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-kms-site.xml configuration file |
— |
Custom kms-site.xml |
In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the kms-site.xml configuration file |
— |
Custom ranger-kms-policymgr-ssl.xml |
In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-kms-policymgr-ssl.xml configuration file |
— |
Custom ranger-ugsync-site.xml |
In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-ugsync-site.xml configuration file |
— |
Each Ranger component has its own logging settings which are described below.
Parameter | Description | Default value |
---|---|---|
logback.xml |
A file with logging settings for Ranger Admin |
|
ranger-admin-env.sh |
A command that sets the |
export RANGER_ADMIN_LOGBACK_CONF_FILE="/etc/ranger/admin/conf/logback.xml" |
Parameter | Description | Default value |
---|---|---|
logback.xml |
A file with logging settings for Ranger KMS |
Parameter | Description | Default value |
---|---|---|
logback.xml |
A file with logging settings for Ranger User synchronizer |
Solr
Parameter | Description | Default value |
---|---|---|
SOLR_HOME |
The location for index data and configs |
/srv/solr/server |
SOLR_AUTH_TYPE |
Specifies the authentication type for Solr |
— |
SOLR_AUTHENTICATION_OPTS |
Autogenerated Solr authentication options |
— |
SOLR_AUTHENTICATION_OPTS_CUSTOM |
Custom Solr authentication options |
— |
GC_TUNE |
JVM parameters for Solr |
-XX:-UseLargePages |
SOLR_SSL_KEY_STORE |
The path to the Solr keystore file (.jks) |
— |
SOLR_SSL_KEY_STORE_TYPE |
The type of the Solr keystore file |
JKS |
SOLR_SSL_KEY_STORE_PASSWORD |
The password to the Solr keystore file |
— |
SOLR_SSL_TRUST_STORE |
The path to the Solr truststore file (.jks) |
— |
SOLR_SSL_TRUST_STORE_TYPE |
The type of the Solr truststore file |
JKS |
SOLR_SSL_TRUST_STORE_PASSWORD |
The password to the Solr truststore file |
— |
SOLR_SSL_NEED_CLIENT_AUTH |
Defines if client authentication is enabled |
False |
SOLR_SSL_WANT_CLIENT_AUTH |
Allows clients to authenticate, but does not require it |
false |
SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION |
Defines whether to enable hostname verification |
False |
SOLR_HOST |
Specifies the host name of the Solr server |
host_fqdn |
LOG4J_PROPS |
Path to a custom log4j configuration file |
/etc/solr/conf/log4j2.xml,/etc/solr/conf/log4j2-console.xml |
<solr>
<solrcloud>
<str name="host">${host:}</str>
<int name="hostPort">${jetty.port:}</int>
<str name="hostContext">${hostContext:solr}</str>
<bool name="genericCoreNodeNames">${genericCoreNodeNames:true}</bool>
<int name="zkClientTimeout">${zkClientTimeout:30000}</int>
<int name="distribUpdateSoTimeout">${distribUpdateSoTimeout:600000}</int>
<int name="distribUpdateConnTimeout">${distribUpdateConnTimeout:60000}</int>
<str name="zkCredentialsProvider">${zkCredentialsProvider:org.apache.solr.common.cloud.DefaultZkCredentialsProvider}</str>
<str name="zkACLProvider">${zkACLProvider:org.apache.solr.common.cloud.DefaultZkACLProvider}</str>
</solrcloud>
<shardHandlerFactory name="shardHandlerFactory"
class="HttpShardHandlerFactory">
<int name="socketTimeout">${socketTimeout:600000}</int>
<int name="connTimeout">${connTimeout:60000}</int>
</shardHandlerFactory>
</solr>
Parameter | Description | Default value |
---|---|---|
ZK_HOST |
Comma-separated locations of all servers in the ensemble and the ports on which they communicate.
You can put ZooKeeper chroot at the end of your |
— |
The external zookeeper is kerberized |
Indicates whether the external ZooKeeper is kerberized |
false |
Parameter | Description | Default value |
---|---|---|
Solr Server Heap Memory |
Sets initial (-Xms) and maximum (-Xmx) Java heap size for Solr Server |
-Xms512m -Xmx512m |
Parameter | Description | Default value |
---|---|---|
collection_name |
Solr collection name |
ranger_audits |
ttl |
Time to live |
+90DAYS |
auto_delete_period |
Time before the collection deletes records whose life time is greater than TTL |
86400 |
Parameter | Description | Default value |
---|---|---|
Credstore password |
Encryption provider password |
— |
Credstore options |
The way to store encryption provider password. Possible values: |
password in the environment |
Credential provider path |
Credential provider path. Required for creating and reading jceks |
jceks://file/etc/solr/conf/solr.jceks |
Ranger plugin credential provider path |
Credential provider path for the Ranger plugin |
jceks://file/etc/solr/conf/ranger-solr.jceks |
Custom jceks |
Indicates whether to use your own credential store instead of the default one |
false |
Parameter | Description | Default value |
---|---|---|
xasecure.audit.solr.solr_url |
A path to a Solr collection to store audit logs |
— |
xasecure.audit.solr.async.max.queue.size |
The maximum size of internal queue used for storing audit logs |
1 |
xasecure.audit.solr.async.max.flush.interval.ms |
The maximum time interval between flushes to disk (in milliseconds) |
100 |
ranger.solr.plugin.audit.excluded.users |
Forbids access to Ranger audit logs for the listed users |
HTTP,rangeradmin,rangerkms |
Parameter | Description | Default value |
---|---|---|
ranger.plugin.solr.policy.rest.url |
The URL to Ranger Admin |
— |
ranger.plugin.solr.service.name |
The name of the Ranger service containing policies for this instance |
— |
ranger.plugin.solr.policy.cache.dir |
The directory where Ranger policies are cached after successful retrieval from the source |
/srv/ranger/yarn/policycache |
ranger.plugin.solr.policy.pollIntervalMs |
Defines how often to poll for changes in policies |
30000 |
ranger.plugin.solr.policy.rest.client.connection.timeoutMs |
The Solr Plugin RangerRestClient connection timeout (in milliseconds) |
120000 |
ranger.plugin.solr.policy.rest.client.read.timeoutMs |
The Solr Plugin RangerRestClient read timeout (in milliseconds) |
30000 |
Parameter | Description | Default value |
---|---|---|
xasecure.policymgr.clientssl.keystore |
The path to the keystore file used by Ranger |
— |
xasecure.policymgr.clientssl.keystore.credential.file |
The path to the keystore credentials file |
/usr/lib/solr/server/resources/ranger-solr.jceks |
xasecure.policymgr.clientssl.truststore.credential.file |
The path to the truststore credentials file |
/usr/lib/solr/server/resources/ranger-solr.jceks |
xasecure.policymgr.clientssl.truststore |
The path to the truststore file used by Ranger |
— |
xasecure.policymgr.clientssl.keystore.password |
The password to the keystore file |
— |
xasecure.policymgr.clientssl.truststore.password |
The password to the truststore file |
— |
Parameter | Description | Default value |
---|---|---|
Ranger plugin enabled |
Enables the Ranger plugin |
false |
Custom solr-env.sh |
In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the solr-env.sh configuration file |
— |
The logging settings for Solr are part of the Solr Server component configuration, which is presented below.
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Configuration for asynchronous logging -->
<Configuration>
<Appenders>
<Console name="STDOUT" target="SYSTEM_OUT">
<PatternLayout>
<Pattern>
%maxLen{%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p (%t) [%X{collection} %X{shard} %X{replica} %X{core}] %c{1.} %m%notEmpty{ =>%ex{short}}}{10240}%n
</Pattern>
</PatternLayout>
</Console>
<RollingRandomAccessFile
name="MainLogFile"
fileName="/var/log/solr/solr.log"
filePattern="/var/log/solr/solr.log.%i" >
<PatternLayout>
<Pattern>
%maxLen{%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p (%t) [%X{collection} %X{shard} %X{replica} %X{core}] %c{1.} %m%notEmpty{ =>%ex{short}}}{10240}%n
</Pattern>
</PatternLayout>
<Policies>
<OnStartupTriggeringPolicy />
<SizeBasedTriggeringPolicy size="32 MB"/>
</Policies>
<DefaultRolloverStrategy max="10"/>
</RollingRandomAccessFile>
<RollingRandomAccessFile
name="SlowLogFile"
fileName="/var/log/solr/solr_slow_requests.log"
filePattern="/var/log/solr/solr_slow_requests.log.%i" >
<PatternLayout>
<Pattern>
%maxLen{%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p (%t) [%X{collection} %X{shard} %X{replica} %X{core}] %c{1.} %m%notEmpty{ =>%ex{short}}}{10240}%n
</Pattern>
</PatternLayout>
<Policies>
<OnStartupTriggeringPolicy />
<SizeBasedTriggeringPolicy size="32 MB"/>
</Policies>
<DefaultRolloverStrategy max="10"/>
</RollingRandomAccessFile>
</Appenders>
<Loggers>
<AsyncLogger name="org.apache.hadoop" level="warn"/>
<AsyncLogger name="org.apache.solr.update.LoggingInfoStream" level="off"/>
<AsyncLogger name="org.apache.zookeeper" level="warn"/>
<AsyncLogger name="org.apache.solr.core.SolrCore.SlowRequest" level="info" additivity="false">
<AppenderRef ref="SlowLogFile"/>
</AsyncLogger>
<AsyncRoot level="info">
<AppenderRef ref="MainLogFile"/>
<AppenderRef ref="STDOUT"/>
</AsyncRoot>
</Loggers>
</Configuration>
<!-- Configuration for synchronous logging
there _may_ be a very small window where log messages will not be flushed
to the log file on abnormal shutdown. If even this risk is unacceptable, use
the configuration below
-->
<!--Configuration>
<Appenders>
<Console name="STDOUT" target="SYSTEM_OUT">
<PatternLayout>
<Pattern>
%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p (%t) [%X{collection} %X{shard} %X{replica} %X{core}] %c{1.} %m%n
</Pattern>
</PatternLayout>
</Console>
<RollingFile
name="RollingFile"
fileName="${sys:solr.log.dir}/solr.log"
filePattern="${sys:solr.log.dir}/solr.log.%i" >
<PatternLayout>
<Pattern>
%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p (%t) [%X{collection} %X{shard} %X{replica} %X{core}] %c{1.} %m%n
</Pattern>
</PatternLayout>
<Policies>
<OnStartupTriggeringPolicy />
<SizeBasedTriggeringPolicy size="32 MB"/>
</Policies>
<DefaultRolloverStrategy max="10"/>
</RollingFile>
<RollingFile
name="SlowFile"
fileName="${sys:solr.log.dir}/solr_slow_requests.log"
filePattern="${sys:solr.log.dir}/solr_slow_requests.log.%i" >
<PatternLayout>
<Pattern>
%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p (%t) [%X{collection} %X{shard} %X{replica} %X{core}] %c{1.} %m%n
</Pattern>
</PatternLayout>
<Policies>
<OnStartupTriggeringPolicy />
<SizeBasedTriggeringPolicy size="32 MB"/>
</Policies>
<DefaultRolloverStrategy max="10"/>
</RollingFile>
</Appenders>
<Loggers>
<Logger name="org.apache.hadoop" level="warn"/>
<Logger name="org.apache.solr.update.LoggingInfoStream" level="off"/>
<Logger name="org.apache.zookeeper" level="warn"/>
<Logger name="org.apache.solr.core.SolrCore.SlowRequest" level="info" additivity="false">
<AppenderRef ref="SlowFile"/>
</Logger>
<Root level="info">
<AppenderRef ref="RollingFile"/>
<AppenderRef ref="STDOUT"/>
</Root>
</Loggers>
</Configuration-->
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Use this file for logging exclusively to the console, useful for
some development tasks. Should not be used for production -->
<!-- Default production configuration is asynchronous logging -->
<Configuration>
<Appenders>
<Console name="STDERR" target="SYSTEM_ERR">
<PatternLayout>
<Pattern>
%maxLen{%-5p - %d{yyyy-MM-dd HH:mm:ss.SSS}; %c; %m%notEmpty{ =>%ex{short}}}{10240}%n
</Pattern>
</PatternLayout>
</Console>
</Appenders>
<Loggers>
<!-- Use <AsyncLogger/<AsyncRoot and <Logger/<Root for asynchronous logging or synchronous logging respectively -->
<AsyncLogger name="org.apache.zookeeper" level="ERROR"/>
<AsyncLogger name="org.apache.hadoop" level="WARN"/>
<AsyncRoot level="INFO">
<AppenderRef ref="STDERR"/>
</AsyncRoot>
</Loggers>
</Configuration>
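The two configurations above fix the layout of every Solr log line, which is what a log pipeline or detection rule has to parse. The following added example (not code from the ADPS documentation or from Apache Solr) parses both layouts, the file/STDOUT pattern of log4j2.xml and the STDERR pattern of log4j2-console.xml, splits off the exception summary that %notEmpty{ =>%ex{short}} appends, and filters entries by level. The log lines it runs on are constructed; the one-letter MDC prefixes (c:, s:, r:, x:) follow Solr's convention for the collection, shard, replica and core values.

```python
# Added example (not part of the ADPS documentation or of Apache Solr): a parser
# for the two log4j2 layouts above plus a level filter.  Sample lines are constructed.
import re
from typing import Dict, List, Optional

# Layout of the MainLogFile/STDOUT appenders in log4j2.xml:
#   %d{yyyy-MM-dd HH:mm:ss.SSS} %-5p (%t) [%X{collection} %X{shard} %X{replica} %X{core}] %c{1.} %m
MAIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>[A-Z]+)\s+"            # %-5p right-pads short level names
    r"\((?P<thread>[^)]*)\) "
    r"\[(?P<mdc>[^\]]*)\] "            # MDC block; only spaces outside a core context
    r"(?P<logger>\S+) "
    r"(?P<message>.*)$"
)

# Layout of the STDERR appender in log4j2-console.xml:
#   %-5p - %d{yyyy-MM-dd HH:mm:ss.SSS}; %c; %m
CONSOLE_RE = re.compile(
    r"^(?P<level>[A-Z]+)\s+- "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}); "
    r"(?P<logger>[^;]+); "
    r"(?P<message>.*)$"
)

# Solr writes the MDC values with one-letter prefixes; map them to field names.
MDC_KEYS = {"c": "collection", "s": "shard", "r": "replica", "x": "core"}
LEVELS = ["TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL"]


def parse_mdc(block: str) -> Dict[str, str]:
    """Split 'c:coll s:shard1 r:core_node2 x:coll_shard1_replica_n1' into a dict."""
    mdc: Dict[str, str] = {}
    for token in block.split():
        prefix, sep, value = token.partition(":")
        if sep and prefix in MDC_KEYS:
            mdc[MDC_KEYS[prefix]] = value
        else:
            mdc[token] = ""            # unknown token: keep it, unlabelled
    return mdc


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one line in either layout; None for lines matching neither
    (for example a stack-trace continuation line)."""
    for regex in (MAIN_RE, CONSOLE_RE):
        m = regex.match(line)
        if m:
            break
    else:
        return None
    fields = m.groupdict()
    # %notEmpty{ =>%ex{short}} appends " =>" plus the exception summary when present
    message, sep, exc = fields.pop("message").partition(" =>")
    return {
        "ts": fields["ts"],
        "level": fields["level"],
        "logger": fields["logger"],
        "thread": fields.get("thread"),           # the console layout has no %t
        "mdc": parse_mdc(fields.get("mdc") or ""),
        "message": message,
        "exception": exc if sep else None,
    }


def alerts(lines: List[str], min_level: str = "WARN") -> List[Dict[str, object]]:
    """Return the parsed entries at or above min_level, e.g. for forwarding to a SIEM."""
    threshold = LEVELS.index(min_level)
    selected = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        level = str(entry["level"])
        if level in LEVELS and LEVELS.index(level) >= threshold:
            selected.append(entry)
    return selected


# Constructed sample: two lines in the log4j2.xml layout, one in the console layout.
SAMPLE_LOG = """\
2024-05-01 12:00:00.123 INFO  (main) [   ] o.a.s.c.SolrCore Core is ready
2024-05-01 12:00:01.456 WARN  (qtp1234-17) [c:ranger_audits s:shard1 r:core_node2 x:ranger_audits_shard1_replica_n1] o.a.s.s.SolrDispatchFilter Request rejected =>java.lang.SecurityException: not permitted
ERROR - 2024-05-01 12:00:02.789; org.apache.solr.core.CoreContainer; Failed to load core
"""

if __name__ == "__main__":
    for entry in alerts(SAMPLE_LOG.splitlines()):
        print(entry["level"], entry["logger"], entry["message"], entry["mdc"])
```

Because both layouts wrap the message in %maxLen{...}{10240}, a very long message or exception is cut at 10240 characters; the parser still matches such a line, but the exception field may be incomplete, so a rule that keys on the end of the exception text should allow for that.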
[Manager]
DefaultLimitCPU=
DefaultLimitFSIZE=
DefaultLimitDATA=
DefaultLimitSTACK=
DefaultLimitCORE=
DefaultLimitRSS=
DefaultLimitNOFILE=
DefaultLimitAS=
DefaultLimitNPROC=
DefaultLimitMEMLOCK=
DefaultLimitLOCKS=
DefaultLimitSIGPENDING=
DefaultLimitMSGQUEUE=
DefaultLimitNICE=
DefaultLimitRTPRIO=
DefaultLimitRTTIME=
ZooKeeper
Parameter | Description | Default value |
---|---|---|
connect |
The ZooKeeper connection string used by other services or clusters. It is generated automatically |
— |
dataDir |
The location where ZooKeeper stores the in-memory database snapshots and, unless specified otherwise, the transaction log of updates to the database |
/var/lib/zookeeper |
Parameter | Description | Default value |
---|---|---|
clientPort |
The port to listen for client connections, that is the port that clients attempt to connect to |
2181 |
admin.serverPort |
The port that an embedded Jetty server listens on |
5181 |
admin.enableServer |
Enables Admin server — an embedded Jetty server that provides an HTTP interface to the four-letter-word commands |
False |
tickTime |
The basic time unit used by ZooKeeper (in milliseconds).
It is used for heartbeats.
The minimum session timeout will be twice the |
2000 |
initLimit |
The timeouts that ZooKeeper uses to limit the length of the time for ZooKeeper servers in quorum to connect to the leader |
5 |
syncLimit |
Defines the maximum date skew between server and the leader |
2 |
maxClientCnxns |
This property limits the number of active connections from the host, specified by IP address, to a single ZooKeeper Server |
0 |
autopurge.snapRetainCount |
When enabled, ZooKeeper auto-purge feature retains the |
3 |
autopurge.purgeInterval |
The time interval, for which the purge task has to be triggered (in hours).
Set to a positive integer ( |
24 |
Add key,value |
In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the configuration file zoo.cfg |
— |
Parameter | Description | Default value |
---|---|---|
sslQuorum |
Enables encrypted quorum communication |
False |
serverCnxnFactory |
Specifies ServerCnxnFactory implementation. To use TLS-based server communication, this should be set to NettyServerCnxnFactory |
org.apache.zookeeper.server.NettyServerCnxnFactory |
ssl.quorum.keyStore.location |
Fully-qualified path to the server keystore file |
— |
ssl.quorum.keyStore.password |
Password for keystore |
— |
ssl.quorum.trustStore.location |
Fully-qualified path to the server truststore file |
— |
ssl.quorum.trustStore.password |
Password for truststore |
— |
ssl.protocol |
Protocol to be used in client TLS negotiation |
TLSv1.2 |
ssl.quorum.protocol |
Protocol to be used in quorum TLS negotiation |
TLSv1.2 |
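The table above lists the settings that together decide whether quorum traffic is encrypted: sslQuorum alone does nothing without the Netty connection factory and a keystore and truststore, and ssl.protocol / ssl.quorum.protocol decide the negotiated version. The following added example (not code from the ADPS documentation or from Apache ZooKeeper) parses zoo.cfg-style key=value text and reports the combinations that leave server-to-server traffic in the clear or misconfigured. The two configurations at the bottom are constructed samples, the passwords in them are placeholders, and the TLS 1.2 floor is an assumed policy rather than something the page states.

```python
# Added example (not part of the ADPS documentation or of Apache ZooKeeper): a
# check over the quorum-TLS parameters listed above.  Sample configurations are
# constructed; the TLS 1.2 floor is an assumed policy.
from typing import Dict, List

NETTY_FACTORY = "org.apache.zookeeper.server.NettyServerCnxnFactory"
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}   # assumed policy floor


def parse_zoo_cfg(text: str) -> Dict[str, str]:
    """Parse zoo.cfg: one key=value per line; blank lines and '#' comments are skipped."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def check_quorum_tls(cfg: Dict[str, str]) -> List[str]:
    """Return findings for the quorum TLS settings; an empty list means no issue found."""
    findings: List[str] = []
    if cfg.get("sslQuorum", "false").lower() != "true":
        findings.append("sslQuorum is not true: quorum traffic between servers is unencrypted")
        return findings                      # the remaining settings are not in effect
    if cfg.get("serverCnxnFactory") != NETTY_FACTORY:
        findings.append(f"serverCnxnFactory must be {NETTY_FACTORY} for TLS-based server communication")
    for key in ("ssl.quorum.keyStore.location", "ssl.quorum.trustStore.location"):
        path = cfg.get(key, "")
        if not path:
            findings.append(f"{key} is not set")
        elif not path.startswith("/"):
            findings.append(f"{key}={path} is not a fully-qualified path")
    for key in ("ssl.quorum.keyStore.password", "ssl.quorum.trustStore.password"):
        if not cfg.get(key):
            findings.append(f"{key} is empty")
    for key in ("ssl.protocol", "ssl.quorum.protocol"):
        proto = cfg.get(key, "TLSv1.2")      # the documented default when unset
        if proto not in ACCEPTED_PROTOCOLS:
            findings.append(f"{key}={proto} is below the TLS 1.2 floor")
    return findings


# Constructed samples: the first leaves quorum traffic in the clear, the second
# enables TLS as the table above describes.  Passwords are placeholders.
WEAK_CFG = """\
tickTime=2000
clientPort=2181
sslQuorum=false
serverCnxnFactory=org.apache.zookeeper.server.NIOServerCnxnFactory
"""

HARDENED_CFG = """\
tickTime=2000
clientPort=2181
sslQuorum=true
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.quorum.keyStore.location=/etc/zookeeper/conf/quorum-keystore.jks
ssl.quorum.keyStore.password=placeholder-keystore-password
ssl.quorum.trustStore.location=/etc/zookeeper/conf/quorum-truststore.jks
ssl.quorum.trustStore.password=placeholder-truststore-password
ssl.protocol=TLSv1.2
ssl.quorum.protocol=TLSv1.2
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, check_quorum_tls(parse_zoo_cfg(text)) or ["ok"])
```

The check stops after the sslQuorum finding on purpose: when quorum TLS is off, the keystore and protocol settings are not in effect, and reporting them would only obscure the one change that matters.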
Parameter | Description | Default value |
---|---|---|
ZOO_LOG_DIR |
The directory to store logs |
/var/log/zookeeper |
ZOOPIDFILE |
The directory to store the ZooKeeper process ID |
/var/run/zookeeper/zookeeper_server.pid |
SERVER_JVMFLAGS |
Used for setting different JVM parameters connected, for example, with garbage collecting |
-Xmx1024m -Djava.security.auth.login.config=/usr/lib/zookeeper/conf/zookeeper_server_jaas.conf |
JAVA |
A path to Java |
$JAVA_HOME/bin/java |
CLIENT_JVMFLAGS |
Client flags for JVM |
-Djava.security.auth.login.config=/usr/lib/zookeeper/conf/zookeeper_client_jaas.conf |
The ZooKeeper logging settings are part of the ZooKeeper Server component configuration that is presented below.
<!--
Copyright 2022 The Apache Software Foundation
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Define some default values that can be overridden by system properties
-->
<configuration>
<!-- Uncomment this if you would like to expose Logback JMX beans -->
<!--jmxConfigurator /-->
<property name="zookeeper.console.threshold" value="INFO" />
<property name="zookeeper.log.dir" value="/var/log/zookeeper" />
<property name="zookeeper.log.file" value="zookeeper.log" />
<property name="zookeeper.log.threshold" value="INFO" />
<property name="zookeeper.log.maxfilesize" value="256MB" />
<property name="zookeeper.log.maxbackupindex" value="20" />
<!--
console
Add "console" to root logger if you want to use this
-->
<appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
<pattern>%d{ISO8601} [myid:%X{myid}] - %-5p [%t:%C{1}@%L] - %m%n</pattern>
</encoder>
<filter class="ch.qos.logback.classic.filter.ThresholdFilter">
<level>${zookeeper.console.threshold}</level>
</filter>
</appender>
<!--
Add ROLLINGFILE to root logger to get log file output
-->
<appender name="ROLLINGFILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
<File>${zookeeper.log.dir}/${zookeeper.log.file}</File>
<encoder>
<pattern>%d{ISO8601} [myid:%X{myid}] - %-5p [%t:%C{1}@%L] - %m%n</pattern>
</encoder>
<filter class="ch.qos.logback.classic.filter.ThresholdFilter">
<level>${zookeeper.log.threshold}</level>
</filter>
<rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
<maxIndex>${zookeeper.log.maxbackupindex}</maxIndex>
<FileNamePattern>${zookeeper.log.dir}/${zookeeper.log.file}.%i</FileNamePattern>
</rollingPolicy>
<triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
<MaxFileSize>${zookeeper.log.maxfilesize}</MaxFileSize>
</triggeringPolicy>
</appender>
<logger name="org.apache.zookeeper.audit.Slf4jAuditLogger" additivity="false" level="${audit.logger}">
<appender-ref ref="RFAAUDIT" />
</logger>
<root level="INFO">
<appender-ref ref="CONSOLE" />
<appender-ref ref="ROLLINGFILE" />
</root>
</configuration>
[Manager]
DefaultLimitCPU=
DefaultLimitFSIZE=
DefaultLimitDATA=
DefaultLimitSTACK=
DefaultLimitCORE=
DefaultLimitRSS=
DefaultLimitNOFILE=
DefaultLimitAS=
DefaultLimitNPROC=
DefaultLimitMEMLOCK=
DefaultLimitLOCKS=
DefaultLimitSIGPENDING=
DefaultLimitMSGQUEUE=
DefaultLimitNICE=
DefaultLimitRTPRIO=
DefaultLimitRTTIME=