Core Configuration Properties in Cloudera Runtime 7.2.16

Role groups:

Gateway

Advanced

Deploy Directory

Description
The directory where the client configs will be deployed
Related Name
Default Value
/etc/hadoop
API Name
client_config_root_dir
Required
true

Core Configuration Client Environment Advanced Configuration Snippet (Safety Valve) for hadoop-env.sh

Description
For advanced use only, key-value pairs (one on each line) to be inserted into the client configuration for hadoop-env.sh
Related Name
Default Value
API Name
core_client_env_safety_valve
Required
false

Client Java Configuration Options

Description
These are Java command-line arguments. Commonly, garbage collection flags, PermGen, or extra debugging flags would be passed here.
Related Name
Default Value
-Djava.net.preferIPv4Stack=true
API Name
core_client_java_opts
Required
false

Gateway Logging Advanced Configuration Snippet (Safety Valve)

Description
For advanced use only, a string to be inserted into log4j.properties for this role only.
Related Name
Default Value
API Name
log4j_safety_valve
Required
false

Logs

Gateway Logging Threshold

Description
The minimum log level for Gateway logs
Related Name
Default Value
INFO
API Name
log_threshold
Required
false

Monitoring

Enable Configuration Change Alerts

Description
When set, Cloudera Manager will send alerts when this entity's configuration changes.
Related Name
Default Value
false
API Name
enable_config_alerts
Required
false

Other

Alternatives Priority

Description
The priority level that the client configuration will have in the Alternatives system on the hosts. Higher priority levels will cause Alternatives to prefer this configuration over any others.
Related Name
Default Value
90
API Name
client_config_priority
Required
true

Resource Management

Client Java Heap Size in Bytes

Description
Maximum size in bytes for the Java process heap memory. Passed to Java -Xmx.
Related Name
Default Value
256 MiB
API Name
core_client_java_heapsize
Required
false

Suppressions

Suppress Configuration Validator: CDH Version Validator

Description
Whether to suppress configuration warnings produced by the CDH Version Validator configuration validator.
Related Name
Default Value
false
API Name
role_config_suppression_cdh_version_validator
Required
true

Suppress Parameter Validation: Deploy Directory

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Deploy Directory parameter.
Related Name
Default Value
false
API Name
role_config_suppression_client_config_root_dir
Required
true

Suppress Parameter Validation: Core Configuration Client Environment Advanced Configuration Snippet (Safety Valve) for hadoop-env.sh

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Core Configuration Client Environment Advanced Configuration Snippet (Safety Valve) for hadoop-env.sh parameter.
Related Name
Default Value
false
API Name
role_config_suppression_core_client_env_safety_valve
Required
true

Suppress Parameter Validation: Client Java Configuration Options

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Client Java Configuration Options parameter.
Related Name
Default Value
false
API Name
role_config_suppression_core_client_java_opts
Required
true

Suppress Parameter Validation: Gateway Logging Advanced Configuration Snippet (Safety Valve)

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Gateway Logging Advanced Configuration Snippet (Safety Valve) parameter.
Related Name
Default Value
false
API Name
role_config_suppression_log4j_safety_valve
Required
true

Service-Wide

Advanced

Core Configuration Service Environment Advanced Configuration Snippet (Safety Valve)

Description
For advanced use only, key-value pairs (one on each line) to be inserted into a role's environment. Applies to configurations of all roles in this service except client configuration.
Related Name
Default Value
API Name
CORE_SETTINGS_service_env_safety_valve
Required
false

Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml

Description
For advanced use only, a string to be inserted into core-site.xml. Applies to all roles and client configurations in this HDFS service as well as all its dependent services. Any configs added here will be overridden by their default values in HDFS (which can be found in hdfs-default.xml).
Related Name
Default Value
API Name
core_site_safety_valve
Required
false

HDFS Advanced Configuration Snippet (Safety Valve) for ssl-client.xml

Description
For advanced use only, a string to be inserted into ssl-client.xml. Applies cluster-wide, but can be overridden by individual services.
Related Name
Default Value
API Name
hdfs_ssl_client_safety_valve
Required
false

System Group

Description
The group that this service's processes should run as (except the HttpFS server, which has its own group)
Related Name
Default Value
hdfs
API Name
process_groupname
Required
true

System User

Description
The user that this service's processes should run as.
Related Name
Default Value
hdfs
API Name
process_username
Required
true

Monitoring

Enable Service Level Health Alerts

Description
When set, Cloudera Manager will send alerts when the health of this service reaches the threshold specified by the EventServer setting eventserver_health_events_alert_threshold
Related Name
Default Value
true
API Name
enable_alerts
Required
false

Enable Configuration Change Alerts

Description
When set, Cloudera Manager will send alerts when this entity's configuration changes.
Related Name
Default Value
false
API Name
enable_config_alerts
Required
false

Service Triggers

Description
The configured triggers for this service. This is a JSON-formatted list of triggers. These triggers are evaluated as part as the health system. Every trigger expression is parsed, and if the trigger condition is met, the list of actions provided in the trigger expression is executed. Each trigger has the following fields:
  • triggerName (mandatory) - The name of the trigger. This value must be unique for the specific service.
  • triggerExpression (mandatory) - A tsquery expression representing the trigger.
  • streamThreshold (optional) - The maximum number of streams that can satisfy a condition of a trigger before the condition fires. By default set to 0, and any stream returned causes the condition to fire.
  • enabled (optional) - By default set to 'true'. If set to 'false', the trigger is not evaluated.
  • expressionEditorConfig (optional) - Metadata for the trigger editor. If present, the trigger should only be edited from the Edit Trigger page; editing the trigger here can lead to inconsistencies.
For example, the following JSON formatted trigger fires if there are more than 10 DataNodes with more than 500 file descriptors opened:[{"triggerName": "sample-trigger", "triggerExpression": "IF (SELECT fd_open WHERE roleType = DataNode and last(fd_open) > 500) DO health:bad", "streamThreshold": 10, "enabled": "true"}]See the trigger rules documentation for more details on how to write triggers using tsquery.The JSON format is evolving and may change and, as a result, backward compatibility is not guaranteed between releases.
Related Name
Default Value
[]
API Name
service_triggers
Required
true

Service Monitor Derived Configs Advanced Configuration Snippet (Safety Valve)

Description
For advanced use only, a list of derived configuration properties that will be used by the Service Monitor instead of the default ones.
Related Name
Default Value
API Name
smon_derived_configs_safety_valve
Required
false

Other

Default Filesystem

Description
The defaultFs to use in the cluster. Leave this blank if the cluster has a storage service which should be used as the defaultFs.
Related Name
core.defaultFs
Default Value
API Name
core_defaultfs
Required
false

Object Store Service

Description
Select an Object Store service to enable cloud storage support. Once enabled, the cloud storage can be used in Impala and Hue services, via fully-qualified URIs.
Related Name
Default Value
API Name
object_store_service
Required
false

Set Rules to Map Kerberos Principals to Lower Case Short Names

Description
Adds mapping rules to map Kerberos principals to lower case short names that will be inserted before the default rule. After changing this value and restarting the service, any services depending on this one must be restarted as well.
Related Name
Default Value
false
API Name
set_auth_to_local_to_lowercase
Required
false

Proxy

HDFS Proxy User Groups

Description
Comma-delimited list of groups to allow the HDFS user to impersonate. The default '*' allows all groups. To disable entirely, use a string that does not correspond to a group name, such as '_no_group_'.
Related Name
hadoop.proxyuser.hdfs.groups
Default Value
*
API Name
hdfs_proxy_user_groups_list
Required
false

HDFS Proxy User Hosts

Description
Comma-delimited list of hosts where you want to allow the HDFS user to impersonate other users. The default '*' allows all hosts. To disable entirely, use a string that doesn't correspond to a host name, such as '_no_host'.
Related Name
hadoop.proxyuser.hdfs.hosts
Default Value
*
API Name
hdfs_proxy_user_hosts_list
Required
false

Hive Proxy User Groups

Description
Comma-delimited list of groups that you want to allow the Hive user to impersonate. The default '*' allows all groups. To disable entirely, use a string that doesn't correspond to a group name, such as '_no_group_'.
Related Name
hadoop.proxyuser.hive.groups
Default Value
*
API Name
hive_proxy_user_groups_list
Required
false

Hive Proxy User Hosts

Description
Comma-delimited list of hosts where you want to allow the Hive user to impersonate other users. The default '*' allows all hosts. To disable entirely, use a string that doesn't correspond to a host name, such as '_no_host'.
Related Name
hadoop.proxyuser.hive.hosts
Default Value
*
API Name
hive_proxy_user_hosts_list
Required
false

HTTP Proxy User Groups

Description
Comma-delimited list of groups that you want to allow the HTTP user to impersonate. The default '*' allows all groups. To disable entirely, use a string that doesn't correspond to a group name, such as '_no_group_'. This is used by WebHCat.
Related Name
hadoop.proxyuser.HTTP.groups
Default Value
*
API Name
HTTP_proxy_user_groups_list
Required
false

HTTP Proxy User Hosts

Description
Comma-delimited list of hosts where you want to allow the HTTP user to impersonate other users. The default '*' allows all hosts. To disable entirely, use a string that doesn't correspond to a host name, such as '_no_host'. This is used by WebHCat.
Related Name
hadoop.proxyuser.HTTP.hosts
Default Value
*
API Name
HTTP_proxy_user_hosts_list
Required
false

HttpFS Proxy User Groups

Description
Comma-delimited list of groups to allow the HttpFS user to impersonate. The default '*' allows all groups. To disable entirely, use a string that does not correspond to a group name, such as '_no_group_'.
Related Name
hadoop.proxyuser.httpfs.groups
Default Value
*
API Name
httpfs_proxy_user_groups_list
Required
false

HttpFS Proxy User Hosts

Description
Comma-delimited list of hosts where you allow the HttpFS user to impersonate other users. The default '*' allows all hosts. To disable entirely, use a string that doesn't correspond to a host name, such as '_no_host'.
Related Name
hadoop.proxyuser.httpfs.hosts
Default Value
*
API Name
httpfs_proxy_user_hosts_list
Required
false

Hue Proxy User Groups

Description
Comma-delimited list of groups that you want to allow the Hue user to impersonate. The default '*' allows all groups. To disable entirely, use a string that doesn't correspond to a group name, such as '_no_group_'.
Related Name
hadoop.proxyuser.hue.groups
Default Value
*
API Name
hue_proxy_user_groups_list
Required
false

Hue Proxy User Hosts

Description
Comma-delimited list of hosts where you want to allow the Hue user to impersonate other users. The default '*' allows all hosts. To disable entirely, use a string that doesn't correspond to a host name, such as '_no_host'.
Related Name
hadoop.proxyuser.hue.hosts
Default Value
*
API Name
hue_proxy_user_hosts_list
Required
false

Impala Proxy User Groups

Description
Comma-delimited list of groups that you want to allow the Impala user to impersonate. The default '*' allows all groups. To disable entirely, use a string that doesn't correspond to a group name, such as '_no_group_'.
Related Name
hadoop.proxyuser.impala.groups
Default Value
*
API Name
impala_proxy_user_groups_list
Required
false

Impala Proxy User Hosts

Description
Comma-delimited list of hosts where you want to allow the Impala user to impersonate other users. The default '*' allows all hosts. To disable entirely, use a string that doesn't correspond to a host name, such as '_no_host'.
Related Name
hadoop.proxyuser.impala.hosts
Default Value
*
API Name
impala_proxy_user_hosts_list
Required
false

Knox Proxy User Groups

Description
Comma-delimited list of groups that you want to allow the Knox user to impersonate. The default '*' allows all groups. To disable entirely, use a string that doesn't correspond to a group name, such as '_no_group_'.
Related Name
hadoop.proxyuser.knox.groups
Default Value
*
API Name
knox_proxy_user_groups_list
Required
false

Knox Proxy User Hosts

Description
Comma-delimited list of hosts where you want to allow the Knox user to impersonate other users. The default '*' allows all hosts. To disable entirely, use a string that doesn't correspond to a host name, such as '_no_host'.
Related Name
hadoop.proxyuser.knox.hosts
Default Value
*
API Name
knox_proxy_user_hosts_list
Required
false

Kudu Proxy User Groups

Description
Comma-delimited list of groups that you want to allow the Kudu user to impersonate. The default '*' allows all groups. To disable entirely, use a string that doesn't correspond to a group name, such as '_no_group_'.
Related Name
hadoop.proxyuser.kudu.groups
Default Value
*
API Name
kudu_proxy_user_groups_list
Required
false

Kudu Proxy User Hosts

Description
Comma-delimited list of hosts where you want to allow the Kudu user to impersonate other users. The default '*' allows all hosts. To disable entirely, use a string that doesn't correspond to a host name, such as '_no_host'.
Related Name
hadoop.proxyuser.kudu.hosts
Default Value
*
API Name
kudu_proxy_user_hosts_list
Required
false

Livy Proxy User Groups

Description
Comma-delimited list of groups that you want to allow the Livy user to impersonate. The default '*' allows all groups. To disable entirely, use a string that doesn't correspond to a group name, such as '_no_group_'.
Related Name
hadoop.proxyuser.livy.groups
Default Value
*
API Name
livy_proxy_user_groups_list
Required
false

Livy Proxy User Hosts

Description
Comma-delimited list of hosts where you want to allow the Livy user to impersonate other users. The default '*' allows all hosts. To disable entirely, use a string that doesn't correspond to a host name, such as '_no_host'.
Related Name
hadoop.proxyuser.livy.hosts
Default Value
*
API Name
livy_proxy_user_hosts_list
Required
false

Oozie Proxy User Groups

Description
Allows the oozie superuser to impersonate any members of a comma-delimited list of groups. The default '*' allows all groups. To disable entirely, use a string that doesn't correspond to a group name, such as '_no_group_'.
Related Name
hadoop.proxyuser.oozie.groups
Default Value
*
API Name
oozie_proxy_user_groups_list
Required
false

Oozie Proxy User Hosts

Description
Comma-delimited list of hosts where you want to allow the oozie user to impersonate other users. The default '*' allows all hosts. To disable entirely, use a string that doesn't correspond to a host name, such as '_no_host'.
Related Name
hadoop.proxyuser.oozie.hosts
Default Value
*
API Name
oozie_proxy_user_hosts_list
Required
false

Phoenix Proxy User Groups

Description
Comma-delimited list of groups that you want to allow the Phoenix user to impersonate. The default '*' allows all groups. To disable entirely, use a string that doesn't correspond to a group name, such as '_no_group_'.
Related Name
hadoop.proxyuser.phoenix.groups
Default Value
*
API Name
phoenix_proxy_user_groups_list
Required
false

Phoenix Proxy User Hosts

Description
Comma-delimited list of hosts where you want to allow the Phoenix user to impersonate other users. The default '*' allows all hosts. To disable entirely, use a string that doesn't correspond to a host name, such as '_no_host'.
Related Name
hadoop.proxyuser.phoenix.hosts
Default Value
*
API Name
phoenix_proxy_user_hosts_list
Required
false

Service Monitor Proxy User Groups

Description
Allows the Cloudera Service Monitor user to impersonate any members of a comma-delimited list of groups. The default '*' allows all groups. This property is used only if Service Monitor is using a different Kerberos principal than the Hue service. To disable entirely, use a string that does not correspond to a group name, such as '_no_group_'.
Related Name
hadoop.proxyuser.smon.groups
Default Value
*
API Name
smon_proxy_user_groups_list
Required
false

Service Monitor Proxy User Hosts

Description
Comma-delimited list of hosts where you want to allow the Cloudera Service Monitor user to impersonate other users. The default '*' allows all hosts. This property is used only if Service Monitor is using a different Kerberos principal than the Hue service. To disable entirely, use a string that does not correspond to a host name, such as '_no_host'.
Related Name
hadoop.proxyuser.smon.hosts
Default Value
*
API Name
smon_proxy_user_hosts_list
Required
false

Telemetry Publisher Proxy User Groups

Description
Allows the Cloudera Telemetry Publisher user to impersonate any members of a comma-delimited list of groups. The default '*' allows all groups. This property is used only if Telemetry Publisher is using a different Kerberos principal than the Hue service. To disable entirely, use a string that does not correspond to a group name, such as '_no_group_'.
Related Name
hadoop.proxyuser.telepub.groups
Default Value
*
API Name
telepub_proxy_user_groups_list
Required
false

Telemetry Publisher Proxy User Hosts

Description
Comma-delimited list of hosts where you want to allow the Cloudera Telemetry Publisher user to impersonate other users. The default '*' allows all hosts. This property is used only if Telemetry Publisher is using a different Kerberos principal than the Hue service. To disable entirely, use a string that does not correspond to a host name, such as '_no_host'.
Related Name
hadoop.proxyuser.telepub.hosts
Default Value
*
API Name
telepub_proxy_user_hosts_list
Required
false

YARN Proxy User Groups

Description
Comma-delimited list of groups that you want to allow the YARN user to impersonate. The default '*' allows all groups. To disable entirely, use a string that does not correspond to a group name, such as '_no_group_'.
Related Name
hadoop.proxyuser.yarn.groups
Default Value
*
API Name
yarn_proxy_user_groups_list
Required
false

YARN Proxy User Hosts

Description
Comma-delimited list of hosts that you want to allow the YARN user to impersonate. The default '*' allows all hosts. To disable entirely, use a string that does not correspond to a host name, such as '_no_host'.
Related Name
hadoop.proxyuser.yarn.hosts
Default Value
*
API Name
yarn_proxy_user_hosts_list
Required
false

Security

Additional Rules to Map Kerberos Principals to Short Names

Description
Additional mapping rules that will be inserted before rules generated from the list of trusted realms and before the default rule. After changing this value and restarting the service, any services depending on this one must be restarted as well. The hadoop.security.auth_to_local property is configured using this information. Default rules are generated by Cloudera Manager and substituted in place of the literal {DEFAULT_RULES} if it is specified in this value.
Related Name
Default Value
DEFAULT_RULES
API Name
extra_auth_to_local_rules
Required
false

Authorized Admin Groups

Description
Comma-separated list of groups authorized to perform admin operations on Hadoop. This is emitted only if authorization is enabled.
Related Name
Default Value
API Name
hadoop_authorized_admin_groups
Required
false

Authorized Admin Users

Description
Comma-separated list of users authorized to perform admin operations on Hadoop. This is emitted only if authorization is enabled.
Related Name
Default Value
*
API Name
hadoop_authorized_admin_users
Required
false

Authorized Groups

Description
Comma-separated list of groups authorized to used Hadoop. This is emitted only if authorization is enabled.
Related Name
Default Value
API Name
hadoop_authorized_groups
Required
false

Authorized Users

Description
Comma-separated list of users authorized to used Hadoop. This is emitted only if authorization is enabled.
Related Name
Default Value
*
API Name
hadoop_authorized_users
Required
false

Hadoop User Group Mapping Search Base

Description
The search base for the LDAP connection. This is a distinguished name, and will typically be the root of the LDAP directory.
Related Name
hadoop.security.group.mapping.ldap.base
Default Value
API Name
hadoop_group_mapping_ldap_base
Required
false

Hadoop User Group Mapping LDAP Bind User Password

Description
The password of the bind user.
Related Name
hadoop.security.group.mapping.ldap.bind.password
Default Value
API Name
hadoop_group_mapping_ldap_bind_passwd
Required
false

Hadoop User Group Mapping LDAP Bind User Distinguished Name

Description
Distinguished name of the user to bind to AD as for user authentication search/bind and group lookup for role authorization. For openLDAP based directories this should be a DN string, for Active Directory this can be just a username, combined with the "Active Directory Domain" value for login. For example username in the field and example.com in the active directory domain will result in the User Principal Name value of username@example.com being used to bind. If you put a UPM value here, do not over-configure the "active directory domain" field otherwise you will end up presenting username@example.com@example.com for binds. AD will accept a UPN value or the DN value as a valid Bind DN; An example of a Distinguished Name (DN): CN=cdh admin,OU=svcaccount,DC=example,DC=com An example of a UPN value: cdhadmin@example.com
Related Name
hadoop.security.group.mapping.ldap.bind.user
Default Value
API Name
hadoop_group_mapping_ldap_bind_user
Required
false

Hadoop User Group Mapping LDAP Group Search Filter

Description
An additional filter to use when searching for groups.
Related Name
hadoop.security.group.mapping.ldap.search.filter.group
Default Value
(objectClass=group)
API Name
hadoop_group_mapping_ldap_group_filter
Required
false

Hadoop User Group Mapping LDAP Group Name Attribute

Description
The attribute of the group object that identifies the group name. The default will usually be appropriate for all LDAP systems.
Related Name
hadoop.security.group.mapping.ldap.search.attr.group.name
Default Value
cn
API Name
hadoop_group_mapping_ldap_group_name_attr
Required
false

Hadoop User Group Mapping LDAP TLS/SSL Truststore

Description
File path to a jks-format truststore containing the TLS/SSL certificate used sign the LDAP server's certificate. Note that in previous releases this was erroneously referred to as a "keystore".
Related Name
hadoop.security.group.mapping.ldap.ssl.keystore
Default Value
API Name
hadoop_group_mapping_ldap_keystore
Required
false

Hadoop User Group Mapping LDAP TLS/SSL Truststore Password

Description
The password for the TLS/SSL truststore.
Related Name
hadoop.security.group.mapping.ldap.ssl.keystore.password
Default Value
API Name
hadoop_group_mapping_ldap_keystore_passwd
Required
false

Hadoop User Group Mapping LDAP Group Membership Attribute

Description
The attribute of the group object that identifies the users that are members of the group. The default will usually be appropriate for any LDAP installation.
Related Name
hadoop.security.group.mapping.ldap.search.attr.member
Default Value
member
API Name
hadoop_group_mapping_ldap_member_attr
Required
false

Hadoop User Group Mapping LDAP URL

Description
The URL of the LDAP Server. The URL must be prefixed with ldap:// or ldaps:// . The URL can optionally specify a custom port if necessary, but by default the ldap:// will connect to port 389, and the ldaps:// will connect to port 636. Note that passwords will be in the clear if ldap:// is used, and by fall 2020 Active directory servers will no longer allow non LDAPS connections to bind to AD hosts with LDAP signing enabled. See microsoft knowledge document 935834 for more information.
Related Name
hadoop.security.group.mapping.ldap.url
Default Value
API Name
hadoop_group_mapping_ldap_url
Required
false

Hadoop User Group Mapping LDAP TLS/SSL Enabled

Description
Whether or not to use TLS/SSL when connecting to the LDAP server.
Related Name
hadoop.security.group.mapping.ldap.use.ssl
Default Value
false
API Name
hadoop_group_mapping_ldap_use_ssl
Required
false

Hadoop User Group Mapping LDAP User Search Filter

Description
An additional filter to use when searching for LDAP users. The default will usually be appropriate for Active Directory installations. If connecting to a generic LDAP server, ''sAMAccountName'' will likely be replaced with ''uid''. {0} is a special string used to denote where the username fits into the filter.
Related Name
hadoop.security.group.mapping.ldap.search.filter.user
Default Value
(&(objectClass=user)(sAMAccountName=0))
API Name
hadoop_group_mapping_ldap_user_filter
Required
false

Hadoop HTTP Authentication Cookie Domain

Description
The domain to use for the HTTP cookie that stores the authentication token. In order for authentiation to work correctly across all Hadoop nodes' web-consoles the domain must be correctly set. Important: when using IP addresses, browsers ignore cookies with domain settings. For this setting to work properly all nodes in the cluster must be configured to generate URLs with hostname.domain names on it.
Related Name
Default Value
API Name
hadoop_http_auth_cookie_domain
Required
false

Hadoop RPC Protection

Description
Quality of protection for secured RPC connections between NameNode and HDFS clients. For effective RPC protection, enable Kerberos authentication.
Related Name
hadoop.rpc.protection
Default Value
authentication
API Name
hadoop_rpc_protection
Required
false

Hadoop Secure Authentication

Description
Choose the authentication mechanism used by Hadoop
Related Name
hadoop.security.authentication
Default Value
simple
API Name
hadoop_security_authentication
Required
false

Hadoop Secure Authorization

Description
Enable authorization
Related Name
hadoop.security.authorization
Default Value
false
API Name
hadoop_security_authorization
Required
false

Hadoop User Group Mapping Implementation

Description
Class for user to group mapping (get groups for a given user).
Related Name
hadoop.security.group.mapping
Default Value
org.apache.hadoop.security.ShellBasedUnixGroupsMapping
API Name
hadoop_security_group_mapping
Required
false

Encryption Key Default Length

Description
The length (bits) of keys we want the KeyProvider to produce. Key length defines the upper-bound on an algorithm's security, ideally, it would coincide with the lower-bound on an algorithm's security.
Related Name
hadoop.security.key.default.bitlength
Default Value
128
API Name
hdfs_encryption_key_length
Required
false

Hadoop TLS/SSL Enabled

Description
Enable TLS/SSL encryption for HDFS, MapReduce, and YARN web UIs, as well as encrypted shuffle for MapReduce and YARN.
Related Name
hadoop.ssl.enabled
Default Value
false
API Name
hdfs_hadoop_ssl_enabled
Required
false

Kerberos Principal

Description
Kerberos principal short name used by all roles of this service.
Related Name
Default Value
hdfs
API Name
kerberos_princ_name
Required
true

Log and Query Redaction Policy

Description
Note: Do not edit this property in the classic layout. Switch to the new layout to use preconfigured redaction rules and test your rules inline.Use this property to define a list of rules to be followed for redacting sensitive information from log files and query strings. Click + to add a new redaction rule. You can choose one of the preconfigured rules or add a custom rule. When specifying a custom rule, the Search field should contain a regular expression that will be matched against the data. If a match is found, it is replaced by the contents of the Replace field.Trigger is an optional field. It can be used to specify a simple string to be searched in the data. If the string is found, the redactor attempts to find a match for the Search regex. If no trigger is specified, redaction occurs by matching the Search regular expression. Use the Trigger field to enhance performance: simple string matching is faster than regular expression matching.Test your rules by entering sample text into the Test Redaction Rules text box and clicking Test Redaction. If no rules match, the text you entered is returned unchanged.
Related Name
redaction_policy
Default Value
version: 1, rules: [ description: Redact passwords from json files, trigger: password, search: \password\[ ]*:[ ]*\[^\]+\, caseSensitive: false, replace: \password\: \LOG-REDACTED\ , description: Redact password\u003d and password:, trigger: password, search: password[:\u003d][^ \\\\\]+, caseSensitive: false, replace: password\u003dLOG-REDACTED , description: Redact passwd\u003d and passwd:, trigger: passwd, search: passwd[:\u003d][^ \\\\\]+, caseSensitive: false, replace: passwd\u003dLOG-REDACTED , description: Redact pass\u003d and pass:, trigger: pass, search: pass[:\u003d][^ \\\\\]+, caseSensitive: false, replace: pass\u003dLOG-REDACTED , description: Redact PASSWORD, , trigger: PASSWORD, , search: PASSWORD, [^\\\\\]+, caseSensitive: false, replace: PASSWORD, LOG-REDACTED , description: Redact secret\u003d and secret:, trigger: secret, search: secret[:\u003d][^ \\\\\]+, caseSensitive: false, replace: secret\u003dLOG-REDACTED , description: Credit Card numbers (with separator), search: \\d4[^\\w:]\\d4[^\\w:]\\d4[^\\w:]\\d4, caseSensitive: true, replace: XXXX-XXXX-XXXX-XXXX , description: Social Security numbers (with separator), search: \\d3[^\\w:]\\d2[^\\w:]\\d4, caseSensitive: true, replace: XXX-XX-XXXX ]
API Name
redaction_policy
Required
false

Enable Log and Query Redaction

Description
Enable/Disable the Log and Query Redaction Policy for this cluster.
Related Name
redaction_policy_enabled
Default Value
true
API Name
redaction_policy_enabled
Required
false

Enable Security Audit Logger

Description
Enable security audit logger for HDFS and dependent services
Related Name
security_logger_enabled
Default Value
true
API Name
security_logger_enabled
Required
false

Cluster-Wide Default TLS/SSL Client Truststore Location

Description
Path to the TLS/SSL client truststore file. Defines a cluster-wide default that can be overridden by individual services. This truststore must be in JKS format. The truststore contains certificates of trusted servers, or of Certificate Authorities trusted to identify servers. The contents of the truststore can be modified without restarting any roles. By default, changes to its contents are picked up within ten seconds. If not set, the default Java truststore is used to verify certificates.
Related Name
ssl.client.truststore.location
Default Value
API Name
ssl_client_truststore_location
Required
false

Cluster-Wide Default TLS/SSL Client Truststore Password

Description
Password for the TLS/SSL client truststore. Defines a cluster-wide default that can be overridden by individual services.
Related Name
ssl.client.truststore.password
Default Value
API Name
ssl_client_truststore_password
Required
false

HTTP Strict Transport Security

Description
HTTP Strict Transport Security (HSTS) ensures that a web browser does not load the service information using http protocol.
Related Name
hadoop.http.header.Strict_Transport_Security
Default Value
max-age=0; includeSubDomains
API Name
strict_transport_security
Required
false

Trusted Kerberos Realms

Description
List of Kerberos realms that Hadoop services should trust. If empty, defaults to the default_realm property configured in the krb5.conf file. After changing this value and restarting the service, all services depending on this service must also be restarted. Adds mapping rules for each domain to the hadoop.security.auth_to_local property in core-site.xml.
Related Name
Default Value
API Name
trusted_realms
Required
false

Suppressions

Suppress Configuration Validator: CDH Version Validator

Description
Whether to suppress configuration warnings produced by the CDH Version Validator configuration validator.
Related Name
Default Value
false
API Name
role_config_suppression_cdh_version_validator
Required
true

Suppress Configuration Validator: Deploy Directory

Description
Whether to suppress configuration warnings produced by the Deploy Directory configuration validator.
Related Name
Default Value
false
API Name
role_config_suppression_client_config_root_dir
Required
true

Suppress Configuration Validator: Core Configuration Client Environment Advanced Configuration Snippet (Safety Valve) for hadoop-env.sh

Description
Whether to suppress configuration warnings produced by the Core Configuration Client Environment Advanced Configuration Snippet (Safety Valve) for hadoop-env.sh configuration validator.
Related Name
Default Value
false
API Name
role_config_suppression_core_client_env_safety_valve
Required
true

Suppress Configuration Validator: Client Java Configuration Options

Description
Whether to suppress configuration warnings produced by the Client Java Configuration Options configuration validator.
Related Name
Default Value
false
API Name
role_config_suppression_core_client_java_opts
Required
true

Suppress Configuration Validator: Gateway Logging Advanced Configuration Snippet (Safety Valve)

Description
Whether to suppress configuration warnings produced by the Gateway Logging Advanced Configuration Snippet (Safety Valve) configuration validator.
Related Name
Default Value
false
API Name
role_config_suppression_log4j_safety_valve
Required
true

Suppress Parameter Validation: Default Filesystem

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Default Filesystem parameter.
Related Name
Default Value
false
API Name
service_config_suppression_core_defaultfs
Required
true

Suppress Parameter Validation: Core Configuration Service Environment Advanced Configuration Snippet (Safety Valve)

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Core Configuration Service Environment Advanced Configuration Snippet (Safety Valve) parameter.
Related Name
Default Value
false
API Name
service_config_suppression_core_settings_service_env_safety_valve
Required
true

Suppress Parameter Validation: Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml parameter.
Related Name
Default Value
false
API Name
service_config_suppression_core_site_safety_valve
Required
true

Suppress Parameter Validation: Additional Rules to Map Kerberos Principals to Short Names

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Additional Rules to Map Kerberos Principals to Short Names parameter.
Related Name
Default Value
false
API Name
service_config_suppression_extra_auth_to_local_rules
Required
true

Suppress Configuration Validator: Gateway Count Validator

Description
Whether to suppress configuration warnings produced by the Gateway Count Validator configuration validator.
Related Name
Default Value
false
API Name
service_config_suppression_gateway_count_validator
Required
true

Suppress Parameter Validation: Authorized Admin Groups

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Authorized Admin Groups parameter.
Related Name
Default Value
false
API Name
service_config_suppression_hadoop_authorized_admin_groups
Required
true

Suppress Parameter Validation: Authorized Admin Users

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Authorized Admin Users parameter.
Related Name
Default Value
false
API Name
service_config_suppression_hadoop_authorized_admin_users
Required
true

Suppress Parameter Validation: Authorized Groups

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Authorized Groups parameter.
Related Name
Default Value
false
API Name
service_config_suppression_hadoop_authorized_groups
Required
true

Suppress Parameter Validation: Authorized Users

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Authorized Users parameter.
Related Name
Default Value
false
API Name
service_config_suppression_hadoop_authorized_users
Required
true

Suppress Parameter Validation: Hadoop User Group Mapping Search Base

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Hadoop User Group Mapping Search Base parameter.
Related Name
Default Value
false
API Name
service_config_suppression_hadoop_group_mapping_ldap_base
Required
true

Suppress Parameter Validation: Hadoop User Group Mapping LDAP Bind User Password

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Hadoop User Group Mapping LDAP Bind User Password parameter.
Related Name
Default Value
false
API Name
service_config_suppression_hadoop_group_mapping_ldap_bind_passwd
Required
true

Suppress Parameter Validation: Hadoop User Group Mapping LDAP Bind User Distinguished Name

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Hadoop User Group Mapping LDAP Bind User Distinguished Name parameter.
Related Name
Default Value
false
API Name
service_config_suppression_hadoop_group_mapping_ldap_bind_user
Required
true

Suppress Parameter Validation: Hadoop User Group Mapping LDAP Group Search Filter

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Hadoop User Group Mapping LDAP Group Search Filter parameter.
Related Name
Default Value
false
API Name
service_config_suppression_hadoop_group_mapping_ldap_group_filter
Required
true

Suppress Parameter Validation: Hadoop User Group Mapping LDAP Group Name Attribute

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Hadoop User Group Mapping LDAP Group Name Attribute parameter.
Related Name
Default Value
false
API Name
service_config_suppression_hadoop_group_mapping_ldap_group_name_attr
Required
true

Suppress Parameter Validation: Hadoop User Group Mapping LDAP TLS/SSL Truststore

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Hadoop User Group Mapping LDAP TLS/SSL Truststore parameter.
Related Name
Default Value
false
API Name
service_config_suppression_hadoop_group_mapping_ldap_keystore
Required
true

Suppress Parameter Validation: Hadoop User Group Mapping LDAP TLS/SSL Truststore Password

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Hadoop User Group Mapping LDAP TLS/SSL Truststore Password parameter.
Related Name
Default Value
false
API Name
service_config_suppression_hadoop_group_mapping_ldap_keystore_passwd
Required
true

Suppress Parameter Validation: Hadoop User Group Mapping LDAP Group Membership Attribute

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Hadoop User Group Mapping LDAP Group Membership Attribute parameter.
Related Name
Default Value
false
API Name
service_config_suppression_hadoop_group_mapping_ldap_member_attr
Required
true

Suppress Parameter Validation: Hadoop User Group Mapping LDAP URL

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Hadoop User Group Mapping LDAP URL parameter.
Related Name
Default Value
false
API Name
service_config_suppression_hadoop_group_mapping_ldap_url
Required
true

Suppress Parameter Validation: Hadoop User Group Mapping LDAP User Search Filter

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Hadoop User Group Mapping LDAP User Search Filter parameter.
Related Name
Default Value
false
API Name
service_config_suppression_hadoop_group_mapping_ldap_user_filter
Required
true

Suppress Parameter Validation: Hadoop HTTP Authentication Cookie Domain

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Hadoop HTTP Authentication Cookie Domain parameter.
Related Name
Default Value
false
API Name
service_config_suppression_hadoop_http_auth_cookie_domain
Required
true

Suppress Configuration Validator: HDFS Authentication And Authorization Validation

Description
Whether to suppress configuration warnings produced by the HDFS Authentication And Authorization Validation configuration validator.
Related Name
Default Value
false
API Name
service_config_suppression_hdfs_authentication_and_authorization_validator
Required
true

Suppress Parameter Validation: HDFS Proxy User Groups

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the HDFS Proxy User Groups parameter.
Related Name
Default Value
false
API Name
service_config_suppression_hdfs_proxy_user_groups_list
Required
true

Suppress Parameter Validation: HDFS Proxy User Hosts

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the HDFS Proxy User Hosts parameter.
Related Name
Default Value
false
API Name
service_config_suppression_hdfs_proxy_user_hosts_list
Required
true

Suppress Parameter Validation: HDFS Advanced Configuration Snippet (Safety Valve) for ssl-client.xml

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the HDFS Advanced Configuration Snippet (Safety Valve) for ssl-client.xml parameter.
Related Name
Default Value
false
API Name
service_config_suppression_hdfs_ssl_client_safety_valve
Required
true

Suppress Parameter Validation: Hive Proxy User Groups

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Hive Proxy User Groups parameter.
Related Name
Default Value
false
API Name
service_config_suppression_hive_proxy_user_groups_list
Required
true

Suppress Parameter Validation: Hive Proxy User Hosts

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Hive Proxy User Hosts parameter.
Related Name
Default Value
false
API Name
service_config_suppression_hive_proxy_user_hosts_list
Required
true

Suppress Parameter Validation: HTTP Proxy User Groups

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the HTTP Proxy User Groups parameter.
Related Name
Default Value
false
API Name
service_config_suppression_http_proxy_user_groups_list
Required
true

Suppress Parameter Validation: HTTP Proxy User Hosts

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the HTTP Proxy User Hosts parameter.
Related Name
Default Value
false
API Name
service_config_suppression_http_proxy_user_hosts_list
Required
true

Suppress Parameter Validation: HttpFS Proxy User Groups

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the HttpFS Proxy User Groups parameter.
Related Name
Default Value
false
API Name
service_config_suppression_httpfs_proxy_user_groups_list
Required
true

Suppress Parameter Validation: HttpFS Proxy User Hosts

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the HttpFS Proxy User Hosts parameter.
Related Name
Default Value
false
API Name
service_config_suppression_httpfs_proxy_user_hosts_list
Required
true

Suppress Parameter Validation: Hue Proxy User Groups

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Hue Proxy User Groups parameter.
Related Name
Default Value
false
API Name
service_config_suppression_hue_proxy_user_groups_list
Required
true

Suppress Parameter Validation: Hue Proxy User Hosts

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Hue Proxy User Hosts parameter.
Related Name
Default Value
false
API Name
service_config_suppression_hue_proxy_user_hosts_list
Required
true

Suppress Parameter Validation: Impala Proxy User Groups

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Impala Proxy User Groups parameter.
Related Name
Default Value
false
API Name
service_config_suppression_impala_proxy_user_groups_list
Required
true

Suppress Parameter Validation: Impala Proxy User Hosts

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Impala Proxy User Hosts parameter.
Related Name
Default Value
false
API Name
service_config_suppression_impala_proxy_user_hosts_list
Required
true

Suppress Parameter Validation: Kerberos Principal

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Kerberos Principal parameter.
Related Name
Default Value
false
API Name
service_config_suppression_kerberos_princ_name
Required
true

Suppress Parameter Validation: Knox Proxy User Groups

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Knox Proxy User Groups parameter.
Related Name
Default Value
false
API Name
service_config_suppression_knox_proxy_user_groups_list
Required
true

Suppress Parameter Validation: Knox Proxy User Hosts

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Knox Proxy User Hosts parameter.
Related Name
Default Value
false
API Name
service_config_suppression_knox_proxy_user_hosts_list
Required
true

Suppress Parameter Validation: Kudu Proxy User Groups

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Kudu Proxy User Groups parameter.
Related Name
Default Value
false
API Name
service_config_suppression_kudu_proxy_user_groups_list
Required
true

Suppress Parameter Validation: Kudu Proxy User Hosts

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Kudu Proxy User Hosts parameter.
Related Name
Default Value
false
API Name
service_config_suppression_kudu_proxy_user_hosts_list
Required
true

Suppress Parameter Validation: Livy Proxy User Groups

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Livy Proxy User Groups parameter.
Related Name
Default Value
false
API Name
service_config_suppression_livy_proxy_user_groups_list
Required
true

Suppress Parameter Validation: Livy Proxy User Hosts

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Livy Proxy User Hosts parameter.
Related Name
Default Value
false
API Name
service_config_suppression_livy_proxy_user_hosts_list
Required
true

Suppress Parameter Validation: Oozie Proxy User Groups

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Oozie Proxy User Groups parameter.
Related Name
Default Value
false
API Name
service_config_suppression_oozie_proxy_user_groups_list
Required
true

Suppress Parameter Validation: Oozie Proxy User Hosts

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Oozie Proxy User Hosts parameter.
Related Name
Default Value
false
API Name
service_config_suppression_oozie_proxy_user_hosts_list
Required
true

Suppress Parameter Validation: Phoenix Proxy User Groups

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Phoenix Proxy User Groups parameter.
Related Name
Default Value
false
API Name
service_config_suppression_phoenix_proxy_user_groups_list
Required
true

Suppress Parameter Validation: Phoenix Proxy User Hosts

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Phoenix Proxy User Hosts parameter.
Related Name
Default Value
false
API Name
service_config_suppression_phoenix_proxy_user_hosts_list
Required
true

Suppress Parameter Validation: System Group

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the System Group parameter.
Related Name
Default Value
false
API Name
service_config_suppression_process_groupname
Required
true

Suppress Parameter Validation: System User

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the System User parameter.
Related Name
Default Value
false
API Name
service_config_suppression_process_username
Required
true

Suppress Parameter Validation: Log and Query Redaction Policy

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Log and Query Redaction Policy parameter.
Related Name
Default Value
false
API Name
service_config_suppression_redaction_policy
Required
true

Suppress Configuration Validator: Redaction Policy Validator

Description
Whether to suppress configuration warnings produced by the Redaction Policy Validator configuration validator.
Related Name
Default Value
false
API Name
service_config_suppression_redaction_policy_validator
Required
true

Suppress Configuration Validator: Hadoop RPC Protection validator

Description
Whether to suppress configuration warnings produced by the Hadoop RPC Protection validator configuration validator.
Related Name
Default Value
false
API Name
service_config_suppression_rpc_protection_validator
Required
true

Suppress Parameter Validation: Service Triggers

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Service Triggers parameter.
Related Name
Default Value
false
API Name
service_config_suppression_service_triggers
Required
true

Suppress Parameter Validation: Service Monitor Derived Configs Advanced Configuration Snippet (Safety Valve)

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Service Monitor Derived Configs Advanced Configuration Snippet (Safety Valve) parameter.
Related Name
Default Value
false
API Name
service_config_suppression_smon_derived_configs_safety_valve
Required
true

Suppress Parameter Validation: Service Monitor Proxy User Groups

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Service Monitor Proxy User Groups parameter.
Related Name
Default Value
false
API Name
service_config_suppression_smon_proxy_user_groups_list
Required
true

Suppress Parameter Validation: Service Monitor Proxy User Hosts

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Service Monitor Proxy User Hosts parameter.
Related Name
Default Value
false
API Name
service_config_suppression_smon_proxy_user_hosts_list
Required
true

Suppress Parameter Validation: Cluster-Wide Default TLS/SSL Client Truststore Location

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Cluster-Wide Default TLS/SSL Client Truststore Location parameter.
Related Name
Default Value
false
API Name
service_config_suppression_ssl_client_truststore_location
Required
true

Suppress Parameter Validation: Cluster-Wide Default TLS/SSL Client Truststore Password

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Cluster-Wide Default TLS/SSL Client Truststore Password parameter.
Related Name
Default Value
false
API Name
service_config_suppression_ssl_client_truststore_password
Required
true

Suppress Parameter Validation: HTTP Strict Transport Security

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the HTTP Strict Transport Security parameter.
Related Name
Default Value
false
API Name
service_config_suppression_strict_transport_security
Required
true

Suppress Parameter Validation: Telemetry Publisher Proxy User Groups

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Telemetry Publisher Proxy User Groups parameter.
Related Name
Default Value
false
API Name
service_config_suppression_telepub_proxy_user_groups_list
Required
true

Suppress Parameter Validation: Telemetry Publisher Proxy User Hosts

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Telemetry Publisher Proxy User Hosts parameter.
Related Name
Default Value
false
API Name
service_config_suppression_telepub_proxy_user_hosts_list
Required
true

Suppress Parameter Validation: Trusted Kerberos Realms

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the Trusted Kerberos Realms parameter.
Related Name
Default Value
false
API Name
service_config_suppression_trusted_realms
Required
true

Suppress Parameter Validation: YARN Proxy User Groups

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the YARN Proxy User Groups parameter.
Related Name
Default Value
false
API Name
service_config_suppression_yarn_proxy_user_groups_list
Required
true

Suppress Parameter Validation: YARN Proxy User Hosts

Description
Whether to suppress configuration warnings produced by the built-in parameter validation for the YARN Proxy User Hosts parameter.
Related Name
Default Value
false
API Name
service_config_suppression_yarn_proxy_user_hosts_list
Required
true