diff --git a/docs/security/authentication.md b/docs/security/authentication.md index 7ca3780f97f..24978048d0b 100644 --- a/docs/security/authentication.md +++ b/docs/security/authentication.md @@ -36,16 +36,16 @@ In `$KYUUBI_HOME/conf/kyuubi-defaults.conf`, specify `kyuubi.authentication` to Key | Default | Meaning | Since --- | --- | --- | --- -kyuubi\.authentication|
NONE
|
Client authentication types.
|
1.0.0
+kyuubi.authentication|
NONE
|
Client authentication types.
|
1.0.0
Key | Default | Meaning | Since --- | --- | --- | --- -kyuubi\.authentication|
NONE
|
Client authentication types.
|
1.0.0
-kyuubi\.authentication
\.ldap\.base\.dn|
<undefined>
|
LDAP base DN.
|
1.0.0
-kyuubi\.authentication
\.ldap\.domain|
<undefined>
|
LDAP base DN.
|
1.0.0
-kyuubi\.authentication
\.ldap\.url|
<undefined>
|
SPACE character separated LDAP connection URL(s).
|
1.0.0
-kyuubi\.authentication
\.sasl\.qop|
auth
|
Sasl QOP enable higher levels of protection for Kyuubi communication with clients.
|
1.0.0
+kyuubi.authentication|
NONE
|
Client authentication types.
|
1.0.0
+kyuubi.authentication.ldap.base.dn|
<undefined>
|
LDAP base DN.
|
1.0.0
+kyuubi.authentication.ldap.domain|
<undefined>
|
LDAP base DN.
|
1.0.0
+kyuubi.authentication.ldap.url|
<undefined>
|
SPACE character separated LDAP connection URL(s).
|
1.0.0
+kyuubi.authentication.sasl.qop|
auth
|
Sasl QOP enable higher levels of protection for Kyuubi communication with clients.
|
1.0.0
#### Using KERBEROS @@ -64,10 +64,10 @@ Following configurations also need to be set to enable KERBEROS authentication: Key | Default | Meaning | Since --- | --- | --- | --- -kyuubi\.kinit
\.principal|
<undefined>
|
Name of the Kerberos principal.
|
1.0.0
-kyuubi\.kinit\.keytab|
<undefined>
|
Location of Kyuubi server's keytab.
|
1.0.0
-kyuubi\.kinit\.interval|
PT1H
|
How often will Kyuubi server run `kinit -kt [keytab] [principal]` to renew the local Kerberos credentials cache
|
1.0.0
-kyuubi\.kinit\.max
\.attempts|
10
|
How many times will `kinit` process retry
|
1.0.0
+kyuubi.kinit.principal|
<undefined>
|
Name of the Kerberos principal.
|
1.0.0
+kyuubi.kinit.keytab|
<undefined>
|
Location of Kyuubi server's keytab.
|
1.0.0
+kyuubi.kinit.interval|
PT1H
|
How often will Kyuubi server run `kinit -kt [keytab] [principal]` to renew the local Kerberos credentials cache
|
1.0.0
+kyuubi.kinit.max.attempts|
10
|
How many times will `kinit` process retry
|
1.0.0
Please refer to [Kinit Auxiliary Service](kinit.html) to get configuration steps. diff --git a/docs/security/hadoop_credentials_manager.md b/docs/security/hadoop_credentials_manager.md index 6bc6be610e5..a68c75b10d3 100644 --- a/docs/security/hadoop_credentials_manager.md +++ b/docs/security/hadoop_credentials_manager.md @@ -70,11 +70,11 @@ Hadoop Credentials Manager is initialized when Kyuubi server starts. Key | Default | Meaning | Type | Since --- | --- | --- | --- | --- -kyuubi\.credentials
\.hadoopfs\.enabled|
true
|
Whether to renew Hadoop filesystem delegation tokens
|
boolean
|
1.4.0
-kyuubi\.credentials
\.hadoopfs\.uris|
|
Extra Hadoop filesystem URIs for which to request delegation tokens. The filesystem that hosts fs.defaultFS does not need to be listed here.
|
seq
|
1.4.0
-kyuubi\.credentials
\.hive\.enabled|
true
|
Whether to renew Hive metastore delegation token
|
boolean
|
1.4.0
-kyuubi\.credentials
\.renewal\.interval|
PT1H
|
How often Kyuubi renews one user's delegation tokens
|
duration
|
1.4.0
-kyuubi\.credentials
\.renewal\.retry\.wait|
PT1M
|
How long to wait before retrying to fetch new credentials after a failure.
|
duration
|
1.4.0
+kyuubi.credentials.hadoopfs.enabled|
true
|
Whether to renew Hadoop filesystem delegation tokens
|
boolean
|
1.4.0
+kyuubi.credentials.hadoopfs.uris|
|
Extra Hadoop filesystem URIs for which to request delegation tokens. The filesystem that hosts fs.defaultFS does not need to be listed here.
|
seq
|
1.4.0
+kyuubi.credentials.hive.enabled|
true
|
Whether to renew Hive metastore delegation token
|
boolean
|
1.4.0
+kyuubi.credentials.renewal.interval|
PT1H
|
How often Kyuubi renews one user's delegation tokens
|
duration
|
1.4.0
+kyuubi.credentials.renewal.retry.wait|
PT1M
|
How long to wait before retrying to fetch new credentials after a failure.
|
duration
|
1.4.0
### Required Security Configs @@ -83,8 +83,8 @@ The necessary configurations for hdfs and hive to obtain delegation token are as Key | Meaning | value --- | --- | --- -
hadoop.security.authentication
|
Set the authentication for the cluster
|
kerberos
-
hive.metastore.uris
|
URI for client to contact metastore server
|
thrift://{metastoreHost}:{metastorePort}}
-
hive.metastore.sasl.enabled
|
If true, the metastore thrift interface will be secured with SASL.Clients must authenticate with Kerberos.
|
true
-
hive.metastore.kerberos.principal
|
The service principal for the metastore thrift server. The special string _HOST will be replaced automatically with the correct host name.
|
for example hive/_HOST@${realm}
-
hive.metastore.kerberos.keytab.file
|
The path to the Kerberos Keytab file containing the metastore thrift server's service principal.
|
for example /etc/security/keytabs/hive.service.keytab
\ No newline at end of file +hadoop.security.authentication|
Set the authentication for the cluster
|
kerberos
+hive.metastore.uris|
URI for client to contact metastore server
|
thrift://{metastoreHost}:{metastorePort}}
+hive.metastore.sasl.enabled|
If true, the metastore thrift interface will be secured with SASL.Clients must authenticate with Kerberos.
|
true
+hive.metastore.kerberos.principal|
The service principal for the metastore thrift server. The special string _HOST will be replaced automatically with the correct host name.
|
for example hive/_HOST@${realm}
+hive.metastore.kerberos.keytab.file|
The path to the Kerberos Keytab file containing the metastore thrift server's service principal.
|
for example /etc/security/keytabs/hive.service.keytab
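Review bot: in the "Required Security Configs" table, the added `hive.metastore.uris` row keeps the value `thrift://{metastoreHost}:{metastorePort}}` with an unbalanced trailing `}`. Drop the extra brace while the row is being rewritten, so that anyone copying the value does not end up with a malformed URI. In the `hive.metastore.sasl.enabled` row, "SASL.Clients" is also missing a space after the period.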
diff --git a/docs/security/kinit.md b/docs/security/kinit.md index 4cefef0da33..e78b77e4450 100644 --- a/docs/security/kinit.md +++ b/docs/security/kinit.md @@ -77,10 +77,10 @@ They are valid for relatively short period. So, we always need to refresh it for Key | Default | Meaning | Since --- | --- | --- | --- -kyuubi\.kinit
\.principal|
<undefined>
|
Name of the Kerberos principal.
|
1.0.0
-kyuubi\.kinit\.keytab|
<undefined>
|
Location of Kyuubi server's keytab.
|
1.0.0
-kyuubi\.kinit\.interval|
PT1H
|
How often will Kyuubi server run `kinit -kt [keytab] [principal]` to renew the local Kerberos credentials cache
|
1.0.0
-kyuubi\.kinit\.max
\.attempts|
10
|
How many times will `kinit` process retry
|
1.0.0
+kyuubi.kinit.principal|
<undefined>
|
Name of the Kerberos principal.
|
1.0.0
+kyuubi.kinit.keytab|
<undefined>
|
Location of Kyuubi server's keytab.
|
1.0.0
+kyuubi.kinit.interval|
PT1H
|
How often will Kyuubi server run `kinit -kt [keytab] [principal]` to renew the local Kerberos credentials cache
|
1.0.0
+kyuubi.kinit.max.attempts|
10
|
How many times will `kinit` process retry
|
1.0.0
When working with a Kerberos-enabled Hadoop cluster, we should ensure that `hadoop.security.authentication` is set to `KERBEROS` in `$HADOOP_CONF_DIR/core-site.xml` or `$KYUUBI_HOME/conf/kyuubi-defaults.conf`.
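Review bot: in docs/security/authentication.md (hunk at -36,16), the added `kyuubi.authentication.ldap.domain` row still has the Meaning "LDAP base DN.", identical to the `kyuubi.authentication.ldap.base.dn` row directly above it. The patch carries a copy-paste description over unchanged; since the row is being rewritten anyway, give it text that describes the LDAP domain. The `kyuubi.authentication.sasl.qop` row would also be clearer if it listed the accepted values next to the default `auth`, because the current sentence says higher protection levels exist without naming them.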
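Review bot: in docs/security/hadoop_credentials_manager.md (hunk at -70,11), the added `kyuubi.credentials.hadoopfs.uris` row has an empty Default cell, the only one in this table. Now that the cells are bare pipe-separated text, an empty cell is easy to misread as a missing column. Put an explicit placeholder there, for example the `<undefined>` already used in the authentication and kinit tables.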
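Review bot: the four `kyuubi.kinit.*` rows added in docs/security/kinit.md are identical to the rows added in docs/security/authentication.md under "Using KERBEROS", so the same table is now maintained in two files and can drift. Consider keeping it only in kinit.md and relying on the existing "Please refer to [Kinit Auxiliary Service](kinit.html)" link in authentication.md. Separately, the context line after this hunk says `hadoop.security.authentication` is set to `KERBEROS`, while the table in hadoop_credentials_manager.md gives the value as `kerberos`; use one spelling in both files.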