Cloudera Manager Server Properties
Advanced
Display Name | Description | Related Name | Default Value | API Name | Required |
---|---|---|---|---|---|
Command Eviction Age | Length of time after which inactive commands are evicted from the database. Default is two years. | 730 day(s) | command_eviction_age_hours | true | |
Cloudera Manager Server Local Data Storage Directory | Local path used by Cloudera Manager for storing data, including command result files. Note that changes to this configuration will only apply to commands started after the change. It is highly recommended that existing data be migrated over to the new location for the data to be accessible via and managed by Cloudera Manager. | /var/lib/cloudera-scm-server | command_storage_path | false | |
Enable Debugging of API | When enabled, the server log will contain traces of all API calls. | false | enable_api_debug | true | |
Agent Heartbeat Logging Directory | Specifies the location where Agent heartbeat requests and responses should be logged, for debugging purposes. If empty, logging is disabled. | heartbeat_logging_dir | false | ||
Single User Mode | Configure all clusters to run in single user mode where the Cloudera Manager agent and all service processes run as the same system user. Only supported for CDH 5.2 and higher. | false | single_user_enabled | true | |
Single User Mode Group | System group to use for agent and service processes in single user mode. | cloudera-scm | single_user_group | true | |
Single User Mode User | System user to use for agent and service processes in single user mode. | cloudera-scm | single_user_name | true | |
Maximum Number of Time-Series Streams Returned Per Heatmap | The maximum number of time-series streams returned by a single time-series heatmap query. The default is 10,000 streams. This value can be set higher, but increasing it may negatively impact chart performance and may require more resources be given to the Cloudera Manager Server, Host Monitor, and Service Monitor. | 10000 | tsquery_heatmap_streams_limit | true | |
Maximum Number of Time-Series Streams Returned Per Scatter Plot | The maximum number of time-series streams returned by a single time-series scatter plot. The default is 1000 streams. This value can be set higher, but increasing it may negatively impact chart performance and may require more resources be given to the Cloudera Manager Server, Host Monitor, and Service Monitor. | 1000 | tsquery_scatter_streams_limit | true | |
Maximum Number Of Time-Series Streams Returned Per Line-Based Chart | The maximum number of time-series streams that will be returned by a single time-series query. The default is 250 streams. This value can be set higher, but increasing it may negatively impact chart performance and may require more resources be given to the Cloudera Manager Server, Host Monitor, and Service Monitor. | 250 | tsquery_streams_limit | true | |
Maximum Number of Time-Series Streams Returned Per Table | The maximum number of time-series streams returned in a single time-series table. The default is 2000 streams. This value can be set higher, but increasing it may negatively impact chart performance and may require more resources be given to the Cloudera Manager Server, Host Monitor, and Service Monitor. | 2000 | tsquery_table_streams_limit | true |
Custom Service Descriptors
Display Name | Description | Related Name | Default Value | API Name | Required |
---|---|---|---|---|---|
Enable Local Descriptor Repository | When enabled, the server will read custom service descriptors from the local filesystem. | true | csd_repo_enabled | true | |
Local Descriptor Repository Path | Path to the local repository where custom service descriptors are located. | /opt/cloudera/csd | csd_repo_path | true |
External Authentication
Display Name | Description | Related Name | Default Value | API Name | Required |
---|---|---|---|---|---|
Authentication Backend Order | The order in which authentication backends are used for authenticating a user. | DB_ONLY | auth_backend_order | true | |
External Authentication Program Path | An external program to use to authenticate users. Username is passed as the first command line argument. The password is passed over stdin. Program exit code should be 0 for successful authentication of a regular user, 1 for successful authentication of an admin user, 2 for successful authentication of a limited operator user, 3 for successful authentication of an operator user, 4 for successful authentication of a configurator user, 5 for successful authentication of a Cluster admin user, 6 for successful authentication of a BDR admin user, 7 for successful authentication of a Navigator admin user, 8 for successful authentication of a User admin user, 9 for successful authentication of an Auditor user, and a negative value for failure. A failure description can be printed to stderr. | auth_script | false | ||
LDAP Full Administrator Groups | A list of LDAP group names. If a user is a member of one of the configured groups, that user is granted Full admin access on login. | ldap_admin_groups | false | ||
LDAP Auditor Groups | A list of LDAP group names. If a user is a member of one of the configured groups, that user is granted Auditor access on login. | ldap_auditor_groups | false | ||
LDAP BDR Administrator Groups | A list of LDAP group names. If a user is a member of one of the configured groups, that user is granted BDR admin access on login. | ldap_bdr_admin_groups | false | ||
LDAP Bind User Distinguished Name | Distinguished name of the user to bind as for searches. | ldap_bind_dn | false | ||
LDAP Bind Password | Password for the bind user | ldap_bind_pw | false | ||
LDAP Cluster Administrator Groups | A list of LDAP group names. If a user is a member of one of the configured groups, that user is granted Cluster admin access on login. | ldap_cluster_admin_groups | false | ||
LDAP Configurator Groups | A list of LDAP group names. If a user is a member of one of the configured groups, that user is granted configurator access on login. | ldap_configurator_groups | false | ||
LDAP Distinguished Name Pattern | For use with non-Active Directory LDAP systems. This is a pattern that will be used to search for the distinguished name of a user during authentication. Use "{0}" to specify where the username should go, e.g. "uid={0},ou=People". | ldap_dn_pattern | false | ||
LDAP Group Search Base | A base distinguished name for searching for groups. | ldap_group_search_base | false | ||
LDAP Group Search Filter | A search filter for finding groups. Typically, this will be (member={0}), where {0} will be replaced by the DN of a successfully authenticated user. | ldap_group_search_filter | false | ||
LDAP Limited Operator Groups | A list of LDAP group names. If a user is a member of one of the configured groups, that user is granted limited operator access on login. | ldap_limited_groups | false | ||
LDAP Navigator Administrator Groups | A list of LDAP group names. If a user is a member of one of the configured groups, that user is granted Navigator admin access on login. | ldap_navigator_admin_groups | false | ||
LDAP Operator Groups | A list of LDAP group names. If a user is a member of one of the configured groups, that user is granted operator access on login. | ldap_operator_groups | false | ||
External Authentication Type | The type of external authentication to use. | ACTIVE_DIRECTORY | ldap_type | true | |
LDAP URL | URL of the LDAP server to authenticate against | ldap_url | false | ||
LDAP User Administrator Groups | A list of LDAP group names. If a user is a member of one of the configured groups, that user is granted User admin access on login. | ldap_user_admin_groups | false | ||
LDAP User Groups | A list of LDAP group names. If a user is not a member of one of the configured groups, that user is prevented from logging into Cloudera Manager. If this is left empty, all LDAP users can log in. | ldap_user_groups | false | ||
LDAP User Search Base | A base distinguished name for searching for users. This may be used as a fallback mechanism if the DN pattern does not match any user. | ldap_user_search_base | false | ||
LDAP User Search Filter | A search filter for finding users. Typically, this will be (uid={0}), where {0} will be replaced by the username that was used at the login screen. | ldap_user_search_filter | false | ||
Active Directory NT Domain | Active Directory NT Domain to authenticate against | nt_domain | false | ||
SAML Entity Base URL | The Base URL used to construct redirect URLs reported in this server's SP metadata. Leave this blank to let the server calculate the base URL itself. | saml_entity_base_url | false | ||
SAML Entity ID | The ID that Cloudera Manager will use to identify itself to the IDP. This value should be unique to this Cloudera Manager installation. | clouderaManager | saml_entity_id | true | |
Alias of SAML Sign/Encrypt Private Key | The alias used to identify the sign/encrypt private key in the SAML keystore. | saml_key_alias | false | ||
SAML Sign/Encrypt Private Key Password | The password for the sign/encrypt private key in the SAML keystore. | saml_key_password | false | ||
SAML Keystore Password | The password for the SAML keystore. | saml_keystore_password | false | ||
Path to SAML Keystore File | The filesystem path to the keystore file containing the SP private key and any necessary public certificates to validate the IDP. | saml_keystore_path | false | ||
SAML Login URL | If your IDP does not support SP-initiated SSO (very uncommon), you use a separate login URL, outside of Cloudera Manager. Provide that URL here so that Cloudera Manager can use it when a user needs to log in. | saml_login_url | false | ||
Path to SAML IDP Metadata File | The filesystem path to the IDP metadata XML file. | saml_metadata_path | false | ||
SAML Attribute Identifier for User Role | The URN OID that will identify the user's role in the SAML attributes. Only has an effect when 'Attribute' based role assignment is used. | urn:oid:2.5.4.11 | saml_oid_role | true | |
SAML Attribute Identifier for User ID | The URN OID that will identify the user's ID in the SAML attributes. | urn:oid:0.9.2342.19200300.100.1.1 | saml_oid_user | true | |
SAML Response Binding | The SAML Binding format that the IDP is asked to use when sending authentication responses. | ARTIFACT | saml_response_binding | true | |
SAML Attribute Values for Roles | The values that will appear in the SAML role attribute for each Cloudera Manager role. The first value corresponds to the Full Administrator role. The second value corresponds to the Read-Only role. The third value corresponds to the Limited Operator role. The fourth value corresponds to the Operator role. The fifth value corresponds to the Configurator role. | admin, user, limited, operator, configurator, clusterAdmin, bdrAdmin, navAdmin, userAdmin, auditor | saml_role_map | true | |
SAML Role Assignment Mechanism | The mechanism to use for assigning roles to users. 'Attribute' assigns roles based on a SAML attribute. 'Script' assigns roles based on the result of an external script. | ATTRIBUTE | saml_role_mapper | true | |
Path to SAML Role Assignment Script | An external script (or binary) to use to assign roles to SAML users. The username is passed as the first command-line argument. Program exit code should be: 0 for Full Administrator, 1 for Read-Only, 2 for Limited Operator, 3 for Operator, 4 for Configurator, 5 for successful authentication of a Cluster admin user, 6 for successful authentication of a BDR admin user, 7 for successful authentication of a Navigator admin user, 8 for successful authentication of a User admin user, 9 for successful authentication of an Auditor user, and a negative value for failure. | saml_role_script | false | ||
Source of User ID in SAML Response | Whether the user ID should be obtained from the SAML response's NameID field or from an attribute | ATTRIBUTE | saml_user_source | true |
Kerberos
Display Name | Description | Related Name | Default Value | API Name | Required |
---|---|---|---|---|---|
Active Directory Account Prefix | Prefix used in names while creating accounts in Active Directory. The prefix can be up to 10 characters long and can be set to identify accounts used for authentication by CDH processes. Used only if Active Directory KDC is used for authentication. | ad_account_prefix | true | ||
Active Directory Suffix | Active Directory suffix where all the accounts used by CDH daemons will be created. Used only if Active Directory KDC is being used for authentication. | ou=hadoop, DC=hadoop, DC=com | ad_kdc_domain | true | |
Active Directory LDAPS Port | Port to use for LDAP over SSL when using Active Directory for authentication. | 636 | ad_ldaps_port | true | |
Custom Kerberos Keytab Retrieval Script | Specify the path to a custom script (or executable) to retrieve a Kerberos keytab. The script should take two arguments: a destination file to write the keytab to, and the full principal name to retrieve the key for. If this property is specified, Cloudera Manager ignores all other properties specified for Kerberos setup. | gen_keytab_script | false | ||
Active Directory Domain Controller Override | If multiple Active Directory Domain Controllers are behind a load-balancer, Cloudera Manager should be provided with the address of one of them. Cloudera Manager then sends commands to create accounts to that Domain Controller only. Note: This setting is used only while creating accounts. CDH services use the value entered in the KDC Server Host field only while authenticating. | kdc_account_creation_host_override | false | ||
KDC Server Host | Host where the KDC server is located. | kdc | kdc_host | false | |
KDC Type | Type of KDC used for authentication in CDH clusters | MIT KDC | kdc_type | true | |
DNS Lookup KDC | Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the krb5.conf information for the realm. | dns_lookup_kdc | false | krb_dns_lookup_kdc | true |
Kerberos Encryption Types | Encryption types supported by KDC. Note: To use AES encryption, make sure you have deployed JCE Unlimited Strength Policy File by following the instructions here. | rc4-hmac | krb_enc_types | false | |
Forwardable Tickets | If this flag is true, initial tickets will be forwardable by default, if allowed by the KDC. | forwardable | true | krb_forwardable | true |
Advanced Configuration Snippet (Safety Valve) for [libdefaults] section of krb5.conf | For advanced use only. Any text here will be emitted verbatim in the [libdefaults] section of krb5.conf. | krb_libdefaults_safety_valve | false | ||
Manage krb5.conf through Cloudera Manager | Whether Cloudera Manager should configure and deploy krb5.conf on secure clusters. If this property is not checked, then you must ensure that krb5.conf is deployed on hosts in a secure cluster as well as on Cloudera Manager Server's host. | false | krb_manage_krb5_conf | false | |
Advanced Configuration Snippet (Safety Valve) for remaining krb5.conf | For advanced use only. Cloudera Manager configures only the [libdefaults] and [realms] section of krb5.conf. Any text here will be emitted verbatim after them in krb5.conf. | krb_other_safety_valve | false | ||
Advanced Configuration Snippet (Safety Valve) for the Default Realm in krb5.conf | For advanced use only. Any text here will be emitted verbatim in the [realms] section of krb5.conf for the specified security realm. If you want to add realms besides the default one, configure them using Advanced Configuration Snippet (Safety Valve) for remaining krb5.conf. | krb_realms_safety_valve | false | ||
Kerberos Renewable Lifetime | Default renewable lifetime for initial ticket requests. | renew_lifetime | 7 day(s) | krb_renew_lifetime | true |
Kerberos Ticket Lifetime | Default lifetime for initial ticket requests. | ticket_lifetime | 1 day(s) | krb_ticket_lifetime | true |
Maximum Renewable Life for Principals | Maximum renewable lifetime for Kerberos principals generated by Cloudera Manager. This property is used only if MIT KDC is used. Set this property to zero if the KDC should provide the maximum renewable lifetime. Note: Principals with non-renewable tickets are not recommended because they can prevent Hadoop services from functioning. | 5 day(s) | max_renew_life | true | |
Kerberos Security Realm | The realm to use for Kerberos security. Note: Changing this setting would clear up all existing credentials and keytabs from Cloudera Manager. | default_realm | HADOOP.COM | security_realm | true |
Monitoring
Display Name | Description | Related Name | Default Value | API Name | Required |
---|---|---|---|---|---|
Set health status to Bad if the Agent heartbeats fail | If an Agent fails to send this number of expected consecutive heartbeats to the Server, a "Bad" health status is assigned to that Agent. | 10 time(s) | missed_hb_bad | true | |
Set health status to Concerning if the Agent heartbeats fail | If an Agent fails to send this number of expected consecutive heartbeats to the Server, a "Concerning" health status is assigned to that Agent. | 5 time(s) | missed_hb_concerning | true |
Network
Display Name | Description | Related Name | Default Value | API Name | Required |
---|---|---|---|---|---|
Proxy Password | The basic authentication password for the proxy. | parcel_proxy_password | false | ||
Proxy Port | The port for the proxy server to be used when the Cloudera Manager Server accesses the Internet, such as when downloading parcels and uploading diagnostic data. | parcel_proxy_port | false | ||
Proxy Protocol | The protocol to use for the proxy server when the Cloudera Manager Server accesses the Internet, such as when downloading parcels and uploading diagnostic data. | HTTP | parcel_proxy_protocol | true | |
Proxy Server | The proxy server to be used when the Cloudera Manager Server accesses the Internet, such as when downloading parcels and uploading diagnostic data. | parcel_proxy_server | false | ||
Proxy User | The basic authentication user name for the proxy. | parcel_proxy_user | false |
Other
Display Name | Description | Related Name | Default Value | API Name | Required |
---|---|---|---|---|---|
Allow Usage Data Collection | Allows Cloudera to collect usage data, including the use of Google Analytics. | true | allow_usage_data | true | |
Custom Banner Text | The custom banner is used to display a customer specific text in the header area. | custom_banner_html | false | ||
Custom Header Color | The custom header color is used to distinguish different instances of Cloudera Manager. | BLACK | custom_header_color | true | |
Custom Information Assurance Policy Text | An information assurance policy statement that must be agreed to in order for a user to login. | custom_ia_policy | false | ||
Enable Events Widget Auto-Search | When enabled, the Events widget at the bottom of many pages will auto-fire its default search on page load. | true | events_widget_search_on_load | true | |
Maximum Cluster Count Shown In Full | When the number of clusters exceeds this number, only the cluster summary information will be shown on the home page. | 2 | home_page_full_limit | true | |
System Identifier | An identifier for this system, to be included with diagnostic data bundles. | default | system_identifier | true |
Parcels
Display Name | Description | Related Name | Default Value | API Name | Required |
---|---|---|---|---|---|
Automatically Distribute Available Parcels | Whether available parcels should be automatically distributed to any cluster that already has parcels of the same product. | false | distribute_parcels_automatically | true | |
Automatically Download New Parcels | Whether new parcels discovered on the remote parcel repository should be automatically downloaded. | false | download_parcels_automatically | true | |
Cloudera Manager Manages Parcels | Whether Cloudera Manager should manage which parcels should be present on all managed hosts. | true | manages_parcels | true | |
Automatically Downloaded Products | If automatic parcel downloading is enabled, the list of products that will be downloaded. | CDH | parcel_autodownload_products | false | |
Automatically Remove Old Parcels | Whether parcels for old versions of an activated product should be removed from a cluster when they are no longer in use. | false | parcel_cleanup_automatically | true | |
Number of Old Parcel Versions to Retain | If automatic removal of old parcels is enabled, the number of old parcels to keep. Any old parcels beyond this value will any be removed. If this is set to zero, no old parcels will be retained. | 3 | parcel_cleanup_threshold | true | |
Parcel Distribution Rate Limit | Per-second rate limit for parcel distribution. The default of 50MiB/second allows for parcel distribution to saturate about half of a Gigabit link. | 50 MiB | parcel_distribute_rate_limit_kbs_per_second | true | |
Maximum Parcel Uploads | Maximum number of concurrent uploads allowed to distribute parcels to individual hosts. The maximum allowed number of concurrent uploads is 50. | 10 | parcel_max_upload | true | |
Validate Parcel Relations | Enforce that parcel dependencies are satisfied and conflicts are prevented when activating parcels. Parcel relations (Depends, Conflicts, and Replaces) can be defined the manifests of parcel repositories. Cloudera Manager can also enforce some default relations if none are defined in the manifest. | true | parcel_relation_validation | true | |
Local Parcel Repository Path | Path to the local package parcel repository from which binaries are served to the Agents. | /opt/cloudera/parcel-repo | parcel_repo_path | true | |
Create System-Wide Symlinks for Active Parcels | Whether system-wide symlinks should be created for the active parcels (for example, /usr/bin/hadoop). | true | parcel_symlinks | true | |
Parcel Update Frequency | How often to check local and remote parcel repositories for new parcels and if any old parcels should be cleaned up. | 1 hour(s) | parcel_update_freq | true | |
Create Users and Groups, and Apply File Permissions for Parcels | Whether a parcel's specified users, groups and file permissions should be applied. This may not be desired if custom users and groups are being used, or if they have to be created externally (eg: in LDAP) | true | parcel_users_groups_permissions | true | |
Remote Parcel Repository URLs | URLs of the remote parcel repositories where Cloudera Manager checks for new parcels. As part of checking for new parcels, the Cloudera Manager sends the ID of the server and the server version to the repository host. The special variable {latest_supported} is replaced with the latest version of CDH that Cloudera Manager supports when checks are made. | https://archive.cloudera.com/cdh5/parcels/latest_supported/, https://archive.cloudera.com/cdh4/parcels/latest/, https://archive.cloudera.com/impala/parcels/latest/, https://archive.cloudera.com/search/parcels/latest/ | remote_parcel_repo_urls | true | |
Retain Downloaded Parcel Files | Whether downloaded parcel files be kept by Agents after they have been unpacked. Keeping the parcel files consumes additional disk space but allows downloads to be avoided if the parcel ever needs to be unpacked again. | true | retain_parcels_in_cache | true |
Performance
Display Name | Description | Related Name | Default Value | API Name | Required |
---|---|---|---|---|---|
Send Agent heartbeat every | The interval between each heartbeat that is sent from Agents to the server | 15 second(s) | heartbeat_interval | true |
Ports and Addresses
Display Name | Description | Related Name | Default Value | API Name | Required |
---|---|---|---|---|---|
Agent Port to connect to Server | Specify the port for Agents to use to connect to the Server. Must be 1024 or higher. | 7182 | agent_port | true | |
Cloudera Manager Hostname Override | Override to use for Cloudera Manager's hostname. Normally this is determined automatically, but this can be used if InetAddress.getLocalhost() is returning the loopback address. | cm_host_name | false | ||
HTTP Port for Admin Console | Specify the HTTP port to use to access the Server via the Admin Console. Must be 1024 or higher. | 7180 | http_port | true | |
HTTPS Port for Admin Console | Specify the HTTPS port to use to access the Server via the Admin Console. Must be 1024 or higher. | 7183 | https_port | true |
Security
Display Name | Description | Related Name | Default Value | API Name | Required |
---|---|---|---|---|---|
Use TLS Encryption for Agents | Select this option to enable TLS encryption between the Server and Agents. | false | agent_tls | true | |
Keystore Password | Specify the password for the keystore. | keystore_password | false | ||
Path to TLS Keystore File | Specify the filesystem path to the directory on the Server host where the keystore file is located. | keystore_path | false | ||
Use TLS Authentication of Agents to Server | Select this option to enable TLS Authentication of Agents to the Server. | false | need_agent_validation | true | |
HTTP Referer Check | Whether to verify "Referer" in HTTP header for state changing requests. This protects against cross-site request forgery, but may need to be turned off if browsers or proxies in your environment do not specify the header. | true | referer_check | true | |
Allow 'Remember Me' option | Whether to allow a user to select 'Remember Me' when logging in. If this is set, the user will not need to log in again for two weeks (unless the server is restarted during that time). If the user chooses 'Remember Me', then the session timeout is ignored. | true | session_remember_me | true | |
Session Timeout | The length of time a user's session can be idle for before the user must log in again. Note that currently logged in users will continue with their old timeout values. | 30 minute(s) | session_timeout | true | |
Show Stacktraces On Error Pages | Control whether stacktraces are shown on error pages. While stacktraces help with debugging, they can sometimes expose sensitive information to a potentially malicious user. | true | show_stacktraces | true | |
Truststore Password | The password for the truststore. | truststore_password | false | ||
Path to TLS Truststore File | The filesystem path to the directory on the Server host where the truststore file is located. | truststore_path | false | ||
Use TLS Encryption for Admin Console | Enable TLS encryption (HTTPS) between the user and the Cloudera Manager Admin Console. When checked, the HTTPS port will be used. | false | web_tls | true |
Support
Display Name | Description | Related Name | Default Value | API Name | Required |
---|---|---|---|---|---|
Number of Command Results to Keep | The maximum number of command results to keep before deleting them from local storage. This property is used for the commands that generate large result files. A value of -1 indicates no limit. | 10 | cluster_stats_count | false | |
Scheduled Diagnostic Data Size (MB) | Approximate size in MB of scheduled diagnostic data bundle | 100 | cluster_stats_default_size_mb | false | |
Use HTTPS to Upload Diagnostic Data | Whether to use HTTPS to upload diagnostic data bundles instead of the now-deprecated SFTP. Uses proxy settings from the network setting. | true | cluster_stats_http | true | |
Diagnostic Data Bundle Directory | Local directory to store diagnostic data bundles. Leave blank to store bundles for 24 hours. This directory must be writable by the cloudera-scm user. | cluster_stats_path | false | ||
Scheduled Diagnostic Data Collection Frequency | Frequency of automatically collecting diagnostic data and sending to Cloudera support. | WEEKLY | cluster_stats_schedule | true | |
Scheduled Diagnostic Data Collection Time | Time of day to collect and send diagnostic data to Cloudera | cluster_stats_start | false | ||
Diagnostic Data Temp Directory | Local path to assemble diagnostic data bundles. Leave blank to assemble these bundles in your JVM temp directory. Set this value if you run out of disk space while collecting diagnostic data. | cluster_stats_tmp_path | false | ||
Send Diagnostic Data to Cloudera Automatically | Allows the Server to automatically send diagnostic data when a collection is triggered. | true | phone_home | true | |
Open latest Help files from the Cloudera website | If this option is selected, the Help link opens the latest Help files from the Cloudera web site (requires Internet access from the browser). If not selected, the locally installed Help files, which are not updated after installation, are opened (no Internet access from the browser is required). | true | using_help_from_ccp | true |