You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
[KYUUBI #2156][FOLLOWUP] Fix configuration format in document
### _Why are the changes needed?_
fix#2157 cofiguration format error
### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [x] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request
Closes#2165 from jiaoqingbo/2156-followup.
Closes#21569862ddb [jiaoqingbo] [KYUUBI #2156][FOLLOWUP] Fix configuration format in document
47157c5 [jiaoqingbo] Merge branch 'master' into 2156-followup
9c89c08 [jiaoqingbo] [KYUUBI #2156][FOLLOWUP]fix cofiguration format
4608432 [jiaoqingbo] Merge branch 'master' into 2156
96a22e5 [jiaoqingbo] add link to doc
dc11a21 [jiaoqingbo] [KYUUBI #2156] Change log to reflect exactly why getting token failed
Authored-by: jiaoqingbo <1178404354@qq.com>
Signed-off-by: Cheng Pan <chengpan@apache.org>
kyuubi\.authentication<br>\.sasl\.qop|<divstyle='width: 80pt;word-wrap: break-word;white-space: normal'>auth</div>|<divstyle='width: 200pt;word-wrap: break-word;white-space: normal'>Sasl QOP enable higher levels of protection for Kyuubi communication with clients.<ul> <li>auth - authentication only (default)</li> <li>auth-int - authentication plus integrity protection</li> <li>auth-conf - authentication plus integrity and confidentiality protection. This is applicable only if Kyuubi is configured to use Kerberos authentication.</li> </ul></div>|<divstyle='width: 20pt'>1.0.0</div>
<code>kyuubi.authentication.sasl.qop</code>|<divstyle='width: 80pt;word-wrap: break-word;white-space: normal'>auth</div>|<divstyle='width: 200pt;word-wrap: break-word;white-space: normal'>Sasl QOP enable higher levels of protection for Kyuubi communication with clients.<ul> <li>auth - authentication only (default)</li> <li>auth-int - authentication plus integrity protection</li> <li>auth-conf - authentication plus integrity and confidentiality protection. This is applicable only if Kyuubi is configured to use Kerberos authentication.</li> </ul></div>|<divstyle='width: 20pt'>1.0.0</div>
49
49
50
50
51
51
#### Using KERBEROS
@@ -64,10 +64,10 @@ Following configurations also need to be set to enable KERBEROS authentication:
64
64
65
65
Key | Default | Meaning | Since
66
66
--- | --- | --- | ---
67
-
kyuubi\.kinit<br>\.principal|<divstyle='width: 80pt;word-wrap: break-word;white-space: normal'><undefined></div>|<divstyle='width: 200pt;word-wrap: break-word;white-space: normal'>Name of the Kerberos principal.</div>|<divstyle='width: 20pt'>1.0.0</div>
kyuubi\.kinit\.interval|<divstyle='width: 80pt;word-wrap: break-word;white-space: normal'>PT1H</div>|<divstyle='width: 200pt;word-wrap: break-word;white-space: normal'>How often will Kyuubi server run `kinit -kt [keytab] [principal]` to renew the local Kerberos credentials cache</div>|<divstyle='width: 20pt'>1.0.0</div>
70
-
kyuubi\.kinit\.max<br>\.attempts|<divstyle='width: 80pt;word-wrap: break-word;white-space: normal'>10</div>|<divstyle='width: 200pt;word-wrap: break-word;white-space: normal'>How many times will `kinit` process retry</div>|<divstyle='width: 20pt'>1.0.0</div>
67
+
<code>kyuubi.kinit.principal</code>|<divstyle='width: 80pt;word-wrap: break-word;white-space: normal'><undefined></div>|<divstyle='width: 200pt;word-wrap: break-word;white-space: normal'>Name of the Kerberos principal.</div>|<divstyle='width: 20pt'>1.0.0</div>
<code>kyuubi.kinit.interval</code>|<divstyle='width: 80pt;word-wrap: break-word;white-space: normal'>PT1H</div>|<divstyle='width: 200pt;word-wrap: break-word;white-space: normal'>How often will Kyuubi server run `kinit -kt [keytab] [principal]` to renew the local Kerberos credentials cache</div>|<divstyle='width: 20pt'>1.0.0</div>
70
+
<code>kyuubi.kinit.max.attempts</code>|<divstyle='width: 80pt;word-wrap: break-word;white-space: normal'>10</div>|<divstyle='width: 200pt;word-wrap: break-word;white-space: normal'>How many times will `kinit` process retry</div>|<divstyle='width: 20pt'>1.0.0</div>
71
71
72
72
73
73
Please refer to [Kinit Auxiliary Service](kinit.html) to get configuration steps.
kyuubi\.credentials<br>\.hadoopfs\.uris|<divstyle='width: 65pt;word-wrap: break-word;white-space: normal'></div>|<divstyle='width: 170pt;word-wrap: break-word;white-space: normal'>Extra Hadoop filesystem URIs for which to request delegation tokens. The filesystem that hosts fs.defaultFS does not need to be listed here.</div>|<divstyle='width: 30pt'>seq</div>|<divstyle='width: 20pt'>1.4.0</div>
kyuubi\.credentials<br>\.renewal\.interval|<divstyle='width: 65pt;word-wrap: break-word;white-space: normal'>PT1H</div>|<divstyle='width: 170pt;word-wrap: break-word;white-space: normal'>How often Kyuubi renews one user's delegation tokens</div>|<divstyle='width: 30pt'>duration</div>|<divstyle='width: 20pt'>1.4.0</div>
77
-
kyuubi\.credentials<br>\.renewal\.retry\.wait|<divstyle='width: 65pt;word-wrap: break-word;white-space: normal'>PT1M</div>|<divstyle='width: 170pt;word-wrap: break-word;white-space: normal'>How long to wait before retrying to fetch new credentials after a failure.</div>|<divstyle='width: 30pt'>duration</div>|<divstyle='width: 20pt'>1.4.0</div>
<code>kyuubi.credentials.hadoopfs.uris</code>|<divstyle='width: 65pt;word-wrap: break-word;white-space: normal'></div>|<divstyle='width: 170pt;word-wrap: break-word;white-space: normal'>Extra Hadoop filesystem URIs for which to request delegation tokens. The filesystem that hosts fs.defaultFS does not need to be listed here.</div>|<divstyle='width: 30pt'>seq</div>|<divstyle='width: 20pt'>1.4.0</div>
<code>kyuubi.credentials.renewal.interval</code>|<divstyle='width: 65pt;word-wrap: break-word;white-space: normal'>PT1H</div>|<divstyle='width: 170pt;word-wrap: break-word;white-space: normal'>How often Kyuubi renews one user's delegation tokens</div>|<divstyle='width: 30pt'>duration</div>|<divstyle='width: 20pt'>1.4.0</div>
77
+
<code>kyuubi.credentials.renewal.retry.wait</code>|<divstyle='width: 65pt;word-wrap: break-word;white-space: normal'>PT1M</div>|<divstyle='width: 170pt;word-wrap: break-word;white-space: normal'>How long to wait before retrying to fetch new credentials after a failure.</div>|<divstyle='width: 30pt'>duration</div>|<divstyle='width: 20pt'>1.4.0</div>
78
78
79
79
80
80
### Required Security Configs
@@ -83,8 +83,8 @@ The necessary configurations for hdfs and hive to obtain delegation token are as
83
83
84
84
Key | Meaning | value
85
85
--- | --- | ---
86
-
<divstyle='width: 40pt;word-wrap: break-word;white-space: normal'>hadoop.security.authentication</div>|<divstyle='width: 40pt;word-wrap: break-word;white-space: normal'>Set the authentication for the cluster</div>|<divstyle='width: 40pt;word-wrap: break-word;white-space: normal'>kerberos</div>
87
-
<divstyle='width: 40pt;word-wrap: break-word;white-space: normal'>hive.metastore.uris</div>|<divstyle='width: 40pt;word-wrap: break-word;white-space: normal'>URI for client to contact metastore server</div>|<divstyle='width: 40pt;word-wrap: break-word;white-space: normal'>thrift://{metastoreHost}:{metastorePort}}</div>
88
-
<divstyle='width: 40pt;word-wrap: break-word;white-space: normal'>hive.metastore.sasl.enabled</div>|<divstyle='width: 40pt;word-wrap: break-word;white-space: normal'>If true, the metastore thrift interface will be secured with SASL.Clients must authenticate with Kerberos.</div>|<divstyle='width: 40pt;word-wrap: break-word;white-space: normal'>true</div>
89
-
<divstyle='width: 40pt;word-wrap: break-word;white-space: normal'>hive.metastore.kerberos.principal</div>|<divstyle='width: 40pt;word-wrap: break-word;white-space: normal'>The service principal for the metastore thrift server. The special string _HOST will be replaced automatically with the correct host name.</div>|<divstyle='width: 40pt;word-wrap: break-word;white-space: normal'>for example hive/_HOST@${realm}</div>
90
-
<divstyle='width: 40pt;word-wrap: break-word;white-space: normal'>hive.metastore.kerberos.keytab.file</div>|<divstyle='width: 40pt;word-wrap: break-word;white-space: normal'>The path to the Kerberos Keytab file containing the metastore thrift server's service principal.</div>|<divstyle='width: 40pt;word-wrap: break-word;white-space: normal'>for example /etc/security/keytabs/hive.service.keytab</div>
86
+
<code>hadoop.security.authentication</code>|<divstyle='width: 170pt;word-wrap: break-word;white-space: normal'>Set the authentication for the cluster</div>|<divstyle='width: 120pt;word-wrap: break-word;white-space: normal'>kerberos</div>
87
+
<code>hive.metastore.uris</code>|<divstyle='width: 170pt;word-wrap: break-word;white-space: normal'>URI for client to contact metastore server</div>|<divstyle='width: 120pt;word-wrap: break-word;white-space: normal'>thrift://{metastoreHost}:{metastorePort}}</div>
88
+
<code>hive.metastore.sasl.enabled</code>|<divstyle='width: 170pt;word-wrap: break-word;white-space: normal'>If true, the metastore thrift interface will be secured with SASL.Clients must authenticate with Kerberos.</div>|<divstyle='width: 120pt;word-wrap: break-word;white-space: normal'>true</div>
89
+
<code>hive.metastore.kerberos.principal</code>|<divstyle='width: 170pt;word-wrap: break-word;white-space: normal'>The service principal for the metastore thrift server. The special string _HOST will be replaced automatically with the correct host name.</div>|<divstyle='width: 120pt;word-wrap: break-word;white-space: normal'>for example hive/_HOST@${realm}</div>
90
+
<code>hive.metastore.kerberos.keytab.file</code>|<divstyle='width: 170pt;word-wrap: break-word;white-space: normal'>The path to the Kerberos Keytab file containing the metastore thrift server's service principal.</div>|<divstyle='width: 120pt;word-wrap: break-word;white-space: normal'>for example /etc/security/keytabs/hive.service.keytab</div>
kyuubi\.kinit\.interval|<div style='width: 80pt;word-wrap: break-word;white-space: normal'>PT1H</div>|<div style='width: 200pt;word-wrap: break-word;white-space: normal'>How often will Kyuubi server run `kinit -kt [keytab] [principal]` to renew the local Kerberos credentials cache</div>|<div style='width: 20pt'>1.0.0</div>
83
-
kyuubi\.kinit\.max<br>\.attempts|<div style='width: 80pt;word-wrap: break-word;white-space: normal'>10</div>|<div style='width: 200pt;word-wrap: break-word;white-space: normal'>How many times will `kinit` process retry</div>|<div style='width: 20pt'>1.0.0</div>
80
+
<code>kyuubi.kinit.principal</code>|<div style='width: 80pt;word-wrap: break-word;white-space: normal'><undefined></div>|<div style='width: 200pt;word-wrap: break-word;white-space: normal'>Name of the Kerberos principal.</div>|<div style='width: 20pt'>1.0.0</div>
<code>kyuubi.kinit.interval</code>|<div style='width: 80pt;word-wrap: break-word;white-space: normal'>PT1H</div>|<div style='width: 200pt;word-wrap: break-word;white-space: normal'>How often will Kyuubi server run `kinit -kt [keytab] [principal]` to renew the local Kerberos credentials cache</div>|<div style='width: 20pt'>1.0.0</div>
83
+
<code>kyuubi.kinit.max.attempts</code>|<div style='width: 80pt;word-wrap: break-word;white-space: normal'>10</div>|<div style='width: 200pt;word-wrap: break-word;white-space: normal'>How many times will `kinit` process retry</div>|<div style='width: 20pt'>1.0.0</div>
84
84
85
85
When working with a Kerberos-enabled Hadoop cluster, we should ensure that `hadoop.security.authentication`
86
86
is set to `KERBEROS` in `$HADOOP_CONF_DIR/core-site.xml` or `$KYUUBI_HOME/conf/kyuubi-defaults.conf`.
0 commit comments