Configuration Properties

| name | value | description |
| --- | --- | --- |
| hadoop.kms.http.port | 9600 | The HTTP port for the KMS REST API. |
| hadoop.kms.http.host | 0.0.0.0 | The bind host for the KMS REST API. |
| hadoop.kms.http.administrators |  | ACL for the admins; this configuration is used to control who can access the default KMS servlets. The value should be a comma-separated list of users and groups. The user list comes first and is separated by a space from the group list, e.g. "user1,user2 group1,group2". Both users and groups are optional, so "user1", " group1", "", "user1 group1" and "user1,user2 group1,group2" are all valid (note the leading space in " group1", which means no users, only groups). '*' grants access to all users and groups, e.g. '*', '* ' and ' *' are all valid. |
| hadoop.kms.ssl.enabled | false | Whether SSL is enabled. Default is false, i.e. disabled. |
| hadoop.http.max.threads | 1000 | The maximum number of threads. |
| hadoop.http.max.request.header.size | 65536 | The maximum HTTP request header size. |
| hadoop.http.max.response.header.size | 65536 | The maximum HTTP response header size. |
| hadoop.http.temp.dir | ${hadoop.tmp.dir}/kms | KMS temp directory. |
| hadoop.http.socket.backlog.size | 500 | KMS server accept queue size. |
| hadoop.http.idle_timeout.ms | 60000 | KMS server connection idle timeout in milliseconds. |
| hadoop.kms.key.provider.uri | jceks://file@/${user.home}/kms.keystore | URI of the backing KeyProvider for the KMS. |
| hadoop.security.keystore.java-keystore-provider.password-file |  | If using the JavaKeyStoreProvider, the file name of the keystore password file. |
| hadoop.kms.cache.enable | true | Whether the KMS will act as a cache for the backing KeyProvider. When the cache is enabled, operations like getKeyVersion, getMetadata and getCurrentKey will sometimes return cached data without consulting the backing KeyProvider. Cached values are flushed when keys are deleted or modified. |
| hadoop.kms.cache.timeout.ms | 600000 | Expiry time for the KMS key version and key metadata cache, in milliseconds. This affects getKeyVersion and getMetadata. |
| hadoop.kms.current.key.cache.timeout.ms | 30000 | Expiry time for the KMS current key cache, in milliseconds. This affects getCurrentKey operations. |
| hadoop.kms.audit.aggregation.window.ms | 10000 | Duplicate audit log events within the aggregation window (specified in ms) are quashed to reduce log traffic. A single message for the aggregated events is printed at the end of the window, along with a count of the number of aggregated events. |
| hadoop.kms.authentication.type | simple | Authentication type for the KMS. Can be either 'simple' (default) or 'kerberos'. |
| hadoop.kms.authentication.kerberos.keytab | ${user.home}/kms.keytab | Path to the keytab with credentials for the configured Kerberos principal. |
| hadoop.kms.authentication.kerberos.principal | HTTP/localhost | The Kerberos principal to use for the HTTP endpoint. The principal must start with 'HTTP/' as per the Kerberos HTTP SPNEGO specification. |
| hadoop.kms.authentication.kerberos.name.rules | DEFAULT | Rules used to resolve Kerberos principal names. |
| hadoop.kms.authentication.signer.secret.provider | random | Indicates how the secret used to sign the authentication cookies will be stored. Options are 'random' (default), 'string' and 'zookeeper'. In a setup with multiple KMS instances, 'zookeeper' should be used. |
| hadoop.kms.authentication.signer.secret.provider.zookeeper.path | /hadoop-kms/hadoop-auth-signature-secret | The ZooKeeper ZNode path where the KMS instances will store and retrieve the secret. |
| hadoop.kms.authentication.signer.secret.provider.zookeeper.connection.string | #HOSTNAME#:#PORT#,... | The ZooKeeper connection string, a comma-separated list of hostname:port pairs. |
| hadoop.kms.authentication.signer.secret.provider.zookeeper.auth.type | none | The ZooKeeper authentication type, 'none' (default) or 'sasl' (Kerberos). |
| hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab | /etc/hadoop/conf/kms.keytab | The absolute path of the Kerberos keytab with the credentials used to connect to ZooKeeper. |
| hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal | kms/#HOSTNAME# | The Kerberos service principal used to connect to ZooKeeper. |
| hadoop.kms.audit.logger | org.apache.hadoop.crypto.key.kms.server.SimpleKMSAuditLogger | The audit logger for the KMS. It is a comma-separated list of KMSAuditLogger class names. The default is the text-format SimpleKMSAuditLogger only; if this property is not configured, the default is used. |
| hadoop.kms.key.authorization.enable | true | Boolean property to enable/disable per-key authorization. |
| hadoop.security.kms.encrypted.key.cache.size | 100 | The size of the cache. This is the maximum number of EEKs that can be cached under each key name. |
| hadoop.security.kms.encrypted.key.cache.low.watermark | 0.3 | A low watermark on the cache. For each key name, if after a get call the number of cached EEKs is less than (size * low watermark), the cache under that key name is refilled asynchronously. For each key name, only one thread may be running the asynchronous fill at a time. |
| hadoop.security.kms.encrypted.key.cache.num.fill.threads | 2 | The maximum number of asynchronous threads overall, across key names, allowed to fill the queues in the cache. |
| hadoop.security.kms.encrypted.key.cache.expiry | 43200000 | The cache expiry time, in milliseconds. Internally a Guava cache is used as the cache implementation; the expiry approach is expireAfterAccess. |
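The value format of hadoop.kms.http.administrators is easy to misread: the first space separates users from groups, so a leading space means "groups only", and '*' in either position opens the admin servlets to everyone. The following is an added example, not code from the Hadoop project; it applies the rules stated in the property description above (class and function names are my own) to parse a value and decide whether a user is an admin, and flags the wildcard case a reviewer would want to catch.

```python
"""Parse and evaluate the hadoop.kms.http.administrators ACL format.

Added example modelled on the rules in the property description,
not Hadoop's own AccessControlList class (names here are hypothetical).
"""
from dataclasses import dataclass, field
from typing import Iterable, Set


@dataclass
class KmsAdminAcl:
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    all_allowed: bool = False

    @classmethod
    def parse(cls, acl: str) -> "KmsAdminAcl":
        # "users groups": only the FIRST space splits the two lists, so
        # " group1" yields no users and the single group "group1".
        parts = acl.split(" ", 1)
        user_part = parts[0]
        group_part = parts[1] if len(parts) == 2 else ""
        # '*', '* ' and ' *' all grant access to everyone.
        if "*" in (user_part.strip(), group_part.strip()):
            return cls(all_allowed=True)
        users = {u.strip() for u in user_part.split(",") if u.strip()}
        groups = {g.strip() for g in group_part.split(",") if g.strip()}
        return cls(users=users, groups=groups)

    def is_admin(self, user: str, user_groups: Iterable[str]) -> bool:
        """True if the user is listed directly or belongs to a listed group."""
        if self.all_allowed:
            return True
        return user in self.users or any(g in self.groups for g in user_groups)


def is_overly_permissive(acl: str) -> bool:
    """Configuration check: does this ACL value admit every caller?"""
    return KmsAdminAcl.parse(acl).all_allowed


if __name__ == "__main__":
    # Constructed sample values, one per documented form.
    for value in ["user1,user2 group1,group2", " group1", "user1", "", "* "]:
        acl = KmsAdminAcl.parse(value)
        print(repr(value), acl, "PERMISSIVE" if acl.all_allowed else "")
```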