diff --git a/docs/security/authentication.md b/docs/security/authentication.md
index 7ca3780f97f..24978048d0b 100644
--- a/docs/security/authentication.md
+++ b/docs/security/authentication.md
@@ -36,16 +36,16 @@ In `$KYUUBI_HOME/conf/kyuubi-defaults.conf`, specify `kyuubi.authentication` to
Key | Default | Meaning | Since
--- | --- | --- | ---
-kyuubi\.authentication|
NONE
|Client authentication types.
- NOSASL: raw transport.
- NONE: no authentication check.
- KERBEROS: Kerberos/GSSAPI authentication.
- LDAP: Lightweight Directory Access Protocol authentication.
|1.0.0
+kyuubi.authentication
|NONE
|Client authentication types.
- NOSASL: raw transport.
- NONE: no authentication check.
- KERBEROS: Kerberos/GSSAPI authentication.
- LDAP: Lightweight Directory Access Protocol authentication.
|1.0.0
Key | Default | Meaning | Since
--- | --- | --- | ---
-kyuubi\.authentication|NONE
|Client authentication types.
- NOSASL: raw transport.
- NONE: no authentication check.
- KERBEROS: Kerberos/GSSAPI authentication.
- LDAP: Lightweight Directory Access Protocol authentication.
|1.0.0
-kyuubi\.authentication
\.ldap\.base\.dn|<undefined>
|LDAP base DN.
|1.0.0
-kyuubi\.authentication
\.ldap\.domain|<undefined>
|LDAP base DN.
|1.0.0
-kyuubi\.authentication
\.ldap\.url|<undefined>
|SPACE character separated LDAP connection URL(s).
|1.0.0
-kyuubi\.authentication
\.sasl\.qop|auth
|Sasl QOP enable higher levels of protection for Kyuubi communication with clients.
- auth - authentication only (default)
- auth-int - authentication plus integrity protection
- auth-conf - authentication plus integrity and confidentiality protection. This is applicable only if Kyuubi is configured to use Kerberos authentication.
|1.0.0
+kyuubi.authentication
|NONE
|Client authentication types.
- NOSASL: raw transport.
- NONE: no authentication check.
- KERBEROS: Kerberos/GSSAPI authentication.
- LDAP: Lightweight Directory Access Protocol authentication.
|1.0.0
+kyuubi.authentication.ldap.base.dn
|<undefined>
|LDAP base DN.
|1.0.0
+kyuubi.authentication.ldap.domain
|<undefined>
|LDAP base DN.
|1.0.0
+kyuubi.authentication.ldap.url
|<undefined>
|SPACE character separated LDAP connection URL(s).
|1.0.0
+kyuubi.authentication.sasl.qop
|auth
|Sasl QOP enable higher levels of protection for Kyuubi communication with clients.
- auth - authentication only (default)
- auth-int - authentication plus integrity protection
- auth-conf - authentication plus integrity and confidentiality protection. This is applicable only if Kyuubi is configured to use Kerberos authentication.
|1.0.0
#### Using KERBEROS
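Review bot: the `kyuubi.authentication.ldap.domain` row still carries the description "LDAP base DN.", identical to the `kyuubi.authentication.ldap.base.dn` row directly above it, so the two settings cannot be told apart from the table. Since the row is being rewritten here anyway, give `ldap.domain` a description of its own. In the `kyuubi.authentication.sasl.qop` row, "Sasl QOP enable" should read "SASL QOP enables", and the sentence "This is applicable only if Kyuubi is configured to use Kerberos authentication." is attached to the `auth-conf` bullet although it reads as if it applies to the whole setting; move it to the first line of the cell if that is the intent. The table also documents the default `NONE` as "no authentication check"; a sentence next to the table saying that the default performs no authentication check would make this harder to miss.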
@@ -64,10 +64,10 @@ Following configurations also need to be set to enable KERBEROS authentication:
Key | Default | Meaning | Since
--- | --- | --- | ---
-kyuubi\.kinit
\.principal|<undefined>
|Name of the Kerberos principal.
|1.0.0
-kyuubi\.kinit\.keytab|<undefined>
|Location of Kyuubi server's keytab.
|1.0.0
-kyuubi\.kinit\.interval|PT1H
|How often will Kyuubi server run `kinit -kt [keytab] [principal]` to renew the local Kerberos credentials cache
|1.0.0
-kyuubi\.kinit\.max
\.attempts|10
|How many times will `kinit` process retry
|1.0.0
+kyuubi.kinit.principal
|<undefined>
|Name of the Kerberos principal.
|1.0.0
+kyuubi.kinit.keytab
|<undefined>
|Location of Kyuubi server's keytab.
|1.0.0
+kyuubi.kinit.interval
|PT1H
|How often will Kyuubi server run `kinit -kt [keytab] [principal]` to renew the local Kerberos credentials cache
|1.0.0
+kyuubi.kinit.max.attempts
|10
|How many times will `kinit` process retry
|1.0.0
Please refer to [Kinit Auxiliary Service](kinit.html) to get configuration steps.
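Review bot: in the `kyuubi.kinit.max.attempts` row, "How many times will `kinit` process retry" does not say what the server does once the 10 attempts are used up; please state the resulting behaviour, and reword to something like "Maximum number of times the `kinit` process is retried". The `kyuubi.kinit.interval` description is also missing its closing period, and it would help to say that the default `PT1H` is an ISO-8601 duration (one hour).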
diff --git a/docs/security/hadoop_credentials_manager.md b/docs/security/hadoop_credentials_manager.md
index 6bc6be610e5..a68c75b10d3 100644
--- a/docs/security/hadoop_credentials_manager.md
+++ b/docs/security/hadoop_credentials_manager.md
@@ -70,11 +70,11 @@ Hadoop Credentials Manager is initialized when Kyuubi server starts.
Key | Default | Meaning | Type | Since
--- | --- | --- | --- | ---
-kyuubi\.credentials
\.hadoopfs\.enabled|true
|Whether to renew Hadoop filesystem delegation tokens
|boolean
|1.4.0
-kyuubi\.credentials
\.hadoopfs\.uris||Extra Hadoop filesystem URIs for which to request delegation tokens. The filesystem that hosts fs.defaultFS does not need to be listed here.
|seq
|1.4.0
-kyuubi\.credentials
\.hive\.enabled|true
|Whether to renew Hive metastore delegation token
|boolean
|1.4.0
-kyuubi\.credentials
\.renewal\.interval|PT1H
|How often Kyuubi renews one user's delegation tokens
|duration
|1.4.0
-kyuubi\.credentials
\.renewal\.retry\.wait|PT1M
|How long to wait before retrying to fetch new credentials after a failure.
|duration
|1.4.0
+kyuubi.credentials.hadoopfs.enabled
|true
|Whether to renew Hadoop filesystem delegation tokens
|boolean
|1.4.0
+kyuubi.credentials.hadoopfs.uris
||Extra Hadoop filesystem URIs for which to request delegation tokens. The filesystem that hosts fs.defaultFS does not need to be listed here.
|seq
|1.4.0
+kyuubi.credentials.hive.enabled
|true
|Whether to renew Hive metastore delegation token
|boolean
|1.4.0
+kyuubi.credentials.renewal.interval
|PT1H
|How often Kyuubi renews one user's delegation tokens
|duration
|1.4.0
+kyuubi.credentials.renewal.retry.wait
|PT1M
|How long to wait before retrying to fetch new credentials after a failure.
|duration
|1.4.0
### Required Security Configs
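Review bot: in the `kyuubi.credentials.hadoopfs.uris` row the Default cell is empty, so the added line starts with `||` and the description shares a line with the empty cell, unlike every other row in this table. Put an explicit placeholder in the Default column, for example the `<undefined>` already used in the authentication tables, and say how the entries of the `seq` value are separated.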
@@ -83,8 +83,8 @@ The necessary configurations for hdfs and hive to obtain delegation token are as
Key | Meaning | value
--- | --- | ---
-hadoop.security.authentication
|Set the authentication for the cluster
|kerberos
-hive.metastore.uris
|URI for client to contact metastore server
|thrift://{metastoreHost}:{metastorePort}}
-hive.metastore.sasl.enabled
|If true, the metastore thrift interface will be secured with SASL.Clients must authenticate with Kerberos.
|true
-hive.metastore.kerberos.principal
|The service principal for the metastore thrift server. The special string _HOST will be replaced automatically with the correct host name.
|for example hive/_HOST@${realm}
-hive.metastore.kerberos.keytab.file
|The path to the Kerberos Keytab file containing the metastore thrift server's service principal.
|for example /etc/security/keytabs/hive.service.keytab
\ No newline at end of file
+hadoop.security.authentication
|Set the authentication for the cluster
|kerberos
+hive.metastore.uris
|URI for client to contact metastore server
|thrift://{metastoreHost}:{metastorePort}}
+hive.metastore.sasl.enabled
|If true, the metastore thrift interface will be secured with SASL.Clients must authenticate with Kerberos.
|true
+hive.metastore.kerberos.principal
|The service principal for the metastore thrift server. The special string _HOST will be replaced automatically with the correct host name.
|for example hive/_HOST@${realm}
+hive.metastore.kerberos.keytab.file
|The path to the Kerberos Keytab file containing the metastore thrift server's service principal.
|for example /etc/security/keytabs/hive.service.keytab
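Review bot: the `hive.metastore.uris` value `thrift://{metastoreHost}:{metastorePort}}` keeps an unbalanced closing brace in the added line; it should end with `{metastorePort}`. In the `hive.metastore.sasl.enabled` row, "SASL.Clients" needs a space after the period. The header cell `value` is lower case while `Key` and `Meaning` are capitalised; align it while these rows are being touched.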
diff --git a/docs/security/kinit.md b/docs/security/kinit.md
index 4cefef0da33..e78b77e4450 100644
--- a/docs/security/kinit.md
+++ b/docs/security/kinit.md
@@ -77,10 +77,10 @@ They are valid for relatively short period. So, we always need to refresh it for
Key | Default | Meaning | Since
--- | --- | --- | ---
-kyuubi\.kinit
\.principal|<undefined>
|Name of the Kerberos principal.
|1.0.0
-kyuubi\.kinit\.keytab|<undefined>
|Location of Kyuubi server's keytab.
|1.0.0
-kyuubi\.kinit\.interval|PT1H
|How often will Kyuubi server run `kinit -kt [keytab] [principal]` to renew the local Kerberos credentials cache
|1.0.0
-kyuubi\.kinit\.max
\.attempts|10
|How many times will `kinit` process retry
|1.0.0
+kyuubi.kinit.principal
|<undefined>
|Name of the Kerberos principal.
|1.0.0
+kyuubi.kinit.keytab
|<undefined>
|Location of Kyuubi server's keytab.
|1.0.0
+kyuubi.kinit.interval
|PT1H
|How often will Kyuubi server run `kinit -kt [keytab] [principal]` to renew the local Kerberos credentials cache
|1.0.0
+kyuubi.kinit.max.attempts
|10
|How many times will `kinit` process retry
|1.0.0
When working with a Kerberos-enabled Hadoop cluster, we should ensure that `hadoop.security.authentication`
is set to `KERBEROS` in `$HADOOP_CONF_DIR/core-site.xml` or `$KYUUBI_HOME/conf/kyuubi-defaults.conf`.
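Review bot: these four `kyuubi.kinit.*` rows are the same ones changed in docs/security/authentication.md in this patch, so the table is maintained in two places and can drift; consider keeping it in kinit.md only and relying on the existing "Kinit Auxiliary Service" link from authentication.md. The context lines below the table say `hadoop.security.authentication` is set to `KERBEROS`, while docs/security/hadoop_credentials_manager.md in this same patch lists the value as `kerberos`; use one spelling across the docs.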