kms/config/kms-webapp/kms-site.xml - ranger - Git at Google

 <?xml version="1.0" encoding="UTF-8"?>
 <!--
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
 -->
 <configuration>

   <!-- KMS Backend KeyProvider -->

   <property>
     <name>hadoop.kms.key.provider.uri</name>
     <value>dbks://http@localhost:9292/kms</value>
     <description>
       URI of the backing KeyProvider for the KMS.
     </description>
   </property>

   <property>
     <name>hadoop.security.keystore.JavaKeyStoreProvider.password</name>
     <value>none</value>
     <description>
       If using the JavaKeyStoreProvider, the password for the keystore file.
     </description>
   </property>

   <!-- KMS Cache -->

   <property>
     <name>hadoop.kms.cache.enable</name>
     <value>true</value>
     <description>
       Whether the KMS will act as a cache for the backing KeyProvider.
       When the cache is enabled, operations like getKeyVersion, getMetadata,
       and getCurrentKey will sometimes return cached data without consulting
       the backing KeyProvider. Cached values are flushed when keys are deleted
       or modified.
     </description>
   </property>

   <property>
     <name>hadoop.kms.cache.timeout.ms</name>
     <value>600000</value>
     <description>
       Expiry time for the KMS key version and key metadata cache, in
       milliseconds. This affects getKeyVersion and getMetadata.
     </description>
   </property>

   <property>
     <name>hadoop.kms.current.key.cache.timeout.ms</name>
     <value>30000</value>
     <description>
       Expiry time for the KMS current key cache, in milliseconds. This
       affects getCurrentKey operations.
     </description>
   </property>

   <!-- KMS Audit -->

   <property>
     <name>hadoop.kms.audit.aggregation.window.ms</name>
     <value>10000</value>
     <description>
       Duplicate audit log events within the aggregation window (specified in
       ms) are quashed to reduce log traffic. A single message for aggregated
       events is printed at the end of the window, along with a count of the
       number of aggregated events.
     </description>
   </property>

   <!-- KMS Security -->

   <property>
     <name>hadoop.kms.authentication.type</name>
     <value>simple</value>
     <description>
       Authentication type for the KMS. Can be either &quot;simple&quot;
       or &quot;kerberos&quot;.
     </description>
   </property>

   <property>
     <name>hadoop.kms.authentication.kerberos.keytab</name>
     <value>${user.home}/kms.keytab</value>
     <description>
       Path to the keytab with credentials for the configured Kerberos principal.
     </description>
   </property>

   <property>
     <name>hadoop.kms.authentication.kerberos.principal</name>
     <value>HTTP/localhost</value>
     <description>
       The Kerberos principal to use for the HTTP endpoint.
       The principal must start with 'HTTP/' as per the Kerberos HTTP SPNEGO specification.
     </description>
   </property>

   <property>
     <name>hadoop.kms.authentication.kerberos.name.rules</name>
     <value>DEFAULT</value>
     <description>
       Rules used to resolve Kerberos principal names.
     </description>
   </property>

   <!-- Authentication cookie signature source -->

   <property>
     <name>hadoop.kms.authentication.signer.secret.provider</name>
     <value>random</value>
     <description>
       Indicates how the secret to sign the authentication cookies will be
       stored. Options are 'random' (default), 'string' and 'zookeeper'.
       If using a setup with multiple KMS instances, 'zookeeper' should be used.
     </description>
   </property>

   <!-- Configuration for 'zookeeper' authentication cookie signature source -->

   <property>
     <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.path</name>
     <value>/hadoop-kms/hadoop-auth-signature-secret</value>
     <description>
       The Zookeeper ZNode path where the KMS instances will store and retrieve
       the secret from.
     </description>
   </property>

   <property>
     <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.connection.string</name>
     <value>#HOSTNAME#:#PORT#,...</value>
     <description>
       The Zookeeper connection string, a list of hostnames and port comma
       separated.
     </description>
   </property>

   <property>
     <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.auth.type</name>
     <value>kerberos</value>
     <description>
       The Zookeeper authentication type, 'none' or 'sasl' (Kerberos).
     </description>
   </property>

   <property>
     <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab</name>
     <value>/etc/hadoop/conf/kms.keytab</value>
     <description>
       The absolute path for the Kerberos keytab with the credentials to
       connect to Zookeeper.
     </description>
   </property>

   <property>
     <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal</name>
     <value>kms/#HOSTNAME#</value>
     <description>
       The Kerberos service principal used to connect to Zookeeper.
     </description>
   </property>

   <property>
   	<name>hadoop.kms.security.authorization.manager</name>
   	<value>org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizer</value>
   </property>

   <property>
   	<name>hadoop.kms.proxyuser.ranger.groups</name>
   	<value>*</value>
   </property>

   <property>
   	<name>hadoop.kms.proxyuser.ranger.hosts</name>
   	<value>*</value>
   </property>

   <property>
   	<name>hadoop.kms.proxyuser.ranger.users</name>
   	<value>*</value>
   </property>
 </configuration>
	<?xml version="1.0" encoding="UTF-8"?>
	<!--
	Licensed under the Apache License, Version 2.0 (the "License");
	you may not use this file except in compliance with the License.
	You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->
	<configuration>

	<!-- KMS Backend KeyProvider -->

	<property>
	<name>hadoop.kms.key.provider.uri</name>
	<value>dbks://http@localhost:9292/kms</value>
	<description>
	URI of the backing KeyProvider for the KMS.
	</description>
	</property>

	<property>
	<name>hadoop.security.keystore.JavaKeyStoreProvider.password</name>
	<value>none</value>
	<description>
	If using the JavaKeyStoreProvider, the password for the keystore file.
	</description>
	</property>

	<!-- KMS Cache -->

	<property>
	<name>hadoop.kms.cache.enable</name>
	<value>true</value>
	<description>
	Whether the KMS will act as a cache for the backing KeyProvider.
	When the cache is enabled, operations like getKeyVersion, getMetadata,
	and getCurrentKey will sometimes return cached data without consulting
	the backing KeyProvider. Cached values are flushed when keys are deleted
	or modified.
	</description>
	</property>

	<property>
	<name>hadoop.kms.cache.timeout.ms</name>
	<value>600000</value>
	<description>
	Expiry time for the KMS key version and key metadata cache, in
	milliseconds. This affects getKeyVersion and getMetadata.
	</description>
	</property>

	<property>
	<name>hadoop.kms.current.key.cache.timeout.ms</name>
	<value>30000</value>
	<description>
	Expiry time for the KMS current key cache, in milliseconds. This
	affects getCurrentKey operations.
	</description>
	</property>

	<!-- KMS Audit -->

	<property>
	<name>hadoop.kms.audit.aggregation.window.ms</name>
	<value>10000</value>
	<description>
	Duplicate audit log events within the aggregation window (specified in
	ms) are quashed to reduce log traffic. A single message for aggregated
	events is printed at the end of the window, along with a count of the
	number of aggregated events.
	</description>
	</property>

	<!-- KMS Security -->

	<property>
	<name>hadoop.kms.authentication.type</name>
	<value>simple</value>
	<description>
	Authentication type for the KMS. Can be either "simple"
	or "kerberos".
	</description>
	</property>

	<property>
	<name>hadoop.kms.authentication.kerberos.keytab</name>
	<value>${user.home}/kms.keytab</value>
	<description>
	Path to the keytab with credentials for the configured Kerberos principal.
	</description>
	</property>

	<property>
	<name>hadoop.kms.authentication.kerberos.principal</name>
	<value>HTTP/localhost</value>
	<description>
	The Kerberos principal to use for the HTTP endpoint.
	The principal must start with 'HTTP/' as per the Kerberos HTTP SPNEGO specification.
	</description>
	</property>

	<property>
	<name>hadoop.kms.authentication.kerberos.name.rules</name>
	<value>DEFAULT</value>
	<description>
	Rules used to resolve Kerberos principal names.
	</description>
	</property>

	<!-- Authentication cookie signature source -->

	<property>
	<name>hadoop.kms.authentication.signer.secret.provider</name>
	<value>random</value>
	<description>
	Indicates how the secret to sign the authentication cookies will be
	stored. Options are 'random' (default), 'string' and 'zookeeper'.
	If using a setup with multiple KMS instances, 'zookeeper' should be used.
	</description>
	</property>

	<!-- Configuration for 'zookeeper' authentication cookie signature source -->

	<property>
	<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.path</name>
	<value>/hadoop-kms/hadoop-auth-signature-secret</value>
	<description>
	The Zookeeper ZNode path where the KMS instances will store and retrieve
	the secret from.
	</description>
	</property>

	<property>
	<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.connection.string</name>
	<value>#HOSTNAME#:#PORT#,...</value>
	<description>
	The Zookeeper connection string, a list of hostnames and port comma
	separated.
	</description>
	</property>

	<property>
	<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.auth.type</name>
	<value>kerberos</value>
	<description>
	The Zookeeper authentication type, 'none' or 'sasl' (Kerberos).
	</description>
	</property>

	<property>
	<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab</name>
	<value>/etc/hadoop/conf/kms.keytab</value>
	<description>
	The absolute path for the Kerberos keytab with the credentials to
	connect to Zookeeper.
	</description>
	</property>

	<property>
	<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal</name>
	<value>kms/#HOSTNAME#</value>
	<description>
	The Kerberos service principal used to connect to Zookeeper.
	</description>
	</property>

	<property>
	<name>hadoop.kms.security.authorization.manager</name>
	<value>org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizer</value>
	</property>

	<property>
	<name>hadoop.kms.proxyuser.ranger.groups</name>
	<value>*</value>
	</property>

	<property>
	<name>hadoop.kms.proxyuser.ranger.hosts</name>
	<value>*</value>
	</property>

	<property>
	<name>hadoop.kms.proxyuser.ranger.users</name>
	<value>*</value>
	</property>
	</configuration>