hadoop.kms.key.provider.uri jceks://file@/${user.home}/kms.keystore URI of the backing KeyProvider for the KMS. hadoop.security.keystore.JavaKeyStoreProvider.password none If using the JavaKeyStoreProvider, the password for the keystore file. hadoop.kms.cache.enable true Whether the KMS will act as a cache for the backing KeyProvider. When the cache is enabled, operations like getKeyVersion, getMetadata, and getCurrentKey will sometimes return cached data without consulting the backing KeyProvider. Cached values are flushed when keys are deleted or modified. hadoop.kms.cache.timeout.ms 600000 Expiry time for the KMS key version and key metadata cache, in milliseconds. This affects getKeyVersion and getMetadata. hadoop.kms.current.key.cache.timeout.ms 30000 Expiry time for the KMS current key cache, in milliseconds. This affects getCurrentKey operations. hadoop.kms.audit.aggregation.window.ms 10000 Duplicate audit log events within the aggregation window (specified in ms) are quashed to reduce log traffic. A single message for aggregated events is printed at the end of the window, along with a count of the number of aggregated events. hadoop.kms.authentication.type simple Authentication type for the KMS. Can be either "simple" or "kerberos". hadoop.kms.authentication.kerberos.keytab ${user.home}/kms.keytab Path to the keytab with credentials for the configured Kerberos principal. hadoop.kms.authentication.kerberos.principal HTTP/localhost The Kerberos principal to use for the HTTP endpoint. The principal must start with 'HTTP/' as per the Kerberos HTTP SPNEGO specification. hadoop.kms.authentication.kerberos.name.rules DEFAULT Rules used to resolve Kerberos principal names. hadoop.kms.authentication.signer.secret.provider random Indicates how the secret to sign the authentication cookies will be stored. Options are 'random' (default), 'string' and 'zookeeper'. If using a setup with multiple KMS instances, 'zookeeper' should be used. hadoop.kms.authentication.signer.secret.provider.zookeeper.path /hadoop-kms/hadoop-auth-signature-secret The Zookeeper ZNode path where the KMS instances will store and retrieve the secret from. hadoop.kms.authentication.signer.secret.provider.zookeeper.connection.string #HOSTNAME#:#PORT#,... The Zookeeper connection string, a list of hostnames and port comma separated. hadoop.kms.authentication.signer.secret.provider.zookeeper.auth.type kerberos The Zookeeper authentication type, 'none' or 'sasl' (Kerberos). hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab /etc/hadoop/conf/kms.keytab The absolute path for the Kerberos keytab with the credentials to connect to Zookeeper. hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal kms/#HOSTNAME# The Kerberos service principal used to connect to Zookeeper.