hadoop.common.configuration.version
3.0.0
version of this configuration file
hadoop.tmp.dir
/tmp/hadoop-${user.name}
A base for other temporary directories.
hadoop.http.filter.initializers
org.apache.hadoop.http.lib.StaticUserWebFilter
A comma separated list of class names. Each class in the list
must extend org.apache.hadoop.http.FilterInitializer. The corresponding
Filter will be initialized. Then, the Filter will be applied to all user
facing jsp and servlet web pages. The ordering of the list defines the
ordering of the filters.
hadoop.http.idle_timeout.ms
60000
NN/JN/DN Server connection timeout in milliseconds.
hadoop.http.metrics.enabled
true
If true, set Jetty's StatisticsHandler to HTTP server to collect
HTTP layer metrics and register them to Hadoop metrics system.
hadoop.security.authorization
false
Is service-level authorization enabled?
hadoop.security.instrumentation.requires.admin
false
Indicates if administrator ACLs are required to access
instrumentation servlets (JMX, METRICS, CONF, STACKS, PROF).
hadoop.security.authentication
simple
Possible values are simple (no authentication), and kerberos
hadoop.security.group.mapping
org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback
Class for user to group mapping (get groups for a given user) for ACL.
The default implementation,
org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback,
will determine if the Java Native Interface (JNI) is available. If JNI is
available the implementation will use the API within hadoop to resolve a
list of groups for a user. If JNI is not available then the shell
implementation, ShellBasedUnixGroupsMapping, is used. This implementation
shells out to the Linux/Unix environment with the
bash -c groups
command to resolve a list of groups for a user.
hadoop.security.dns.interface
The name of the Network Interface from which the service should determine
its host name for Kerberos login. e.g. eth2. In a multi-homed environment,
the setting can be used to affect the _HOST substitution in the service
Kerberos principal. If this configuration value is not set, the service
will use its default hostname as returned by
InetAddress.getLocalHost().getCanonicalHostName().
Most clusters will not require this setting.
hadoop.security.dns.nameserver
The host name or IP address of the name server (DNS) which a service Node
should use to determine its own host name for Kerberos Login. Requires
hadoop.security.dns.interface.
Most clusters will not require this setting.
hadoop.security.resolver.impl
org.apache.hadoop.net.DNSDomainNameResolver
The resolver implementation used to resolve FQDN for Kerberos
hadoop.security.dns.log-slow-lookups.enabled
false
Time name lookups (via SecurityUtil) and log them if they exceed the
configured threshold.
hadoop.security.dns.log-slow-lookups.threshold.ms
1000
If slow lookup logging is enabled, this threshold is used to decide if a
lookup is considered slow enough to be logged.
hadoop.security.groups.cache.secs
300
This is the config controlling the validity of the entries in the cache
containing the user->group mapping. When this duration has expired,
then the implementation of the group mapping provider is invoked to get
the groups of the user and then cached back.
hadoop.security.groups.negative-cache.secs
30
Expiration time for entries in the the negative user-to-group mapping
caching, in seconds. This is useful when invalid users are retrying
frequently. It is suggested to set a small value for this expiration, since
a transient error in group lookup could temporarily lock out a legitimate
user.
Set this to zero or negative value to disable negative user-to-group caching.
hadoop.security.groups.cache.warn.after.ms
5000
If looking up a single user to group takes longer than this amount of
milliseconds, we will log a warning message.
hadoop.security.groups.cache.background.reload
false
Whether to reload expired user->group mappings using a background thread
pool. If set to true, a pool of
hadoop.security.groups.cache.background.reload.threads is created to
update the cache in the background.
hadoop.security.groups.cache.background.reload.threads
3
Only relevant if hadoop.security.groups.cache.background.reload is true.
Controls the number of concurrent background user->group cache entry
refreshes. Pending refresh requests beyond this value are queued and
processed when a thread is free.
hadoop.security.groups.shell.command.timeout
0s
Used by the ShellBasedUnixGroupsMapping class, this property controls how
long to wait for the underlying shell command that is run to fetch groups.
Expressed in seconds (e.g. 10s, 1m, etc.), if the running command takes
longer than the value configured, the command is aborted and the groups
resolver would return a result of no groups found. A value of 0s (default)
would mean an infinite wait (i.e. wait until the command exits on its own).
hadoop.security.group.mapping.ldap.connection.timeout.ms
60000
This property is the connection timeout (in milliseconds) for LDAP
operations. If the LDAP provider doesn't establish a connection within the
specified period, it will abort the connect attempt. Non-positive value
means no LDAP connection timeout is specified in which case it waits for the
connection to establish until the underlying network times out.
hadoop.security.group.mapping.ldap.read.timeout.ms
60000
This property is the read timeout (in milliseconds) for LDAP
operations. If the LDAP provider doesn't get a LDAP response within the
specified period, it will abort the read attempt. Non-positive value
means no read timeout is specified in which case it waits for the response
infinitely.
hadoop.security.group.mapping.ldap.num.attempts
3
This property is the number of attempts to be made for LDAP operations.
If this limit is exceeded, LdapGroupsMapping will return an empty
group list.
hadoop.security.group.mapping.ldap.num.attempts.before.failover
3
This property is the number of attempts to be made for LDAP operations
using a single LDAP instance. If multiple LDAP servers are configured
and this number of failed operations is reached, we will switch to the
next LDAP server. The configuration for the overall number of attempts
will still be respected, failover will thus be performed only if this
property is less than hadoop.security.group.mapping.ldap.num.attempts.
hadoop.security.group.mapping.ldap.url
The URL of the LDAP server(s) to use for resolving user groups when using
the LdapGroupsMapping user to group mapping. Supports configuring multiple
LDAP servers via a comma-separated list.
hadoop.security.group.mapping.ldap.ssl
false
Whether or not to use SSL when connecting to the LDAP server.
hadoop.security.group.mapping.ldap.ssl.keystore
File path to the SSL keystore that contains the SSL certificate required
by the LDAP server.
hadoop.security.group.mapping.ldap.ssl.keystore.password.file
The path to a file containing the password of the LDAP SSL keystore. If
the password is not configured in credential providers and the property
hadoop.security.group.mapping.ldap.ssl.keystore.password is not set,
LDAPGroupsMapping reads password from the file.
IMPORTANT: This file should be readable only by the Unix user running
the daemons and should be a local file.
hadoop.security.group.mapping.ldap.ssl.keystore.password
The password of the LDAP SSL keystore. this property name is used as an
alias to get the password from credential providers. If the password can
not be found and hadoop.security.credential.clear-text-fallback is true
LDAPGroupsMapping uses the value of this property for password.
hadoop.security.group.mapping.ldap.conversion.rule
none
The rule is applied on the group names received from LDAP when
RuleBasedLdapGroupsMapping is configured.
Supported rules are "to_upper", "to_lower" and "none".
to_upper: This will convert all the group names to uppercase.
to_lower: This will convert all the group names to lowercase.
none: This will retain the source formatting, this is default value.
hadoop.security.credential.clear-text-fallback
true
true or false to indicate whether or not to fall back to storing credential
password as clear text. The default value is true. This property only works
when the password can't not be found from credential providers.
hadoop.security.credential.provider.path
A comma-separated list of URLs that indicates the type and
location of a list of providers that should be consulted.
hadoop.security.credstore.java-keystore-provider.password-file
The path to a file containing the custom password for all keystores
that may be configured in the provider path.
hadoop.security.group.mapping.ldap.ssl.truststore
File path to the SSL truststore that contains the root certificate used to
sign the LDAP server's certificate. Specify this if the LDAP server's
certificate is not signed by a well known certificate authority.
hadoop.security.group.mapping.ldap.ssl.truststore.password.file
The path to a file containing the password of the LDAP SSL truststore.
IMPORTANT: This file should be readable only by the Unix user running
the daemons.
hadoop.security.group.mapping.ldap.bind.users
Aliases of users to be used to bind as when connecting to the LDAP
server(s). Each alias will have to have its distinguished name and
password specified through:
hadoop.security.group.mapping.ldap.bind.user
and a password configuration such as:
hadoop.security.group.mapping.ldap.bind.password.alias
For example, if:
hadoop.security.group.mapping.ldap.bind.users=alias1,alias2
then the following configuration is valid:
hadoop.security.group.mapping.ldap.bind.users.alias1.bind.user=bindUser1
hadoop.security.group.mapping.ldap.bind.users.alias1.bind.password.alias=
bindPasswordAlias1
hadoop.security.group.mapping.ldap.bind.users.alias2.bind.user=bindUser2
hadoop.security.group.mapping.ldap.bind.users.alias2.bind.password.alias=
bindPasswordAlias2
hadoop.security.group.mapping.ldap.bind.user
The distinguished name of the user to bind as when connecting to the LDAP
server. This may be left blank if the LDAP server supports anonymous binds.
hadoop.security.group.mapping.ldap.bind.password.alias
The alias of the bind user to be used to get the password from credential
providers. If the alias is empty, property
hadoop.security.group.mapping.ldap.bind.password is used instead.
hadoop.security.group.mapping.ldap.bind.password.file
The path to a file containing the password of the bind user. If
the password is not configured in credential providers and the property
hadoop.security.group.mapping.ldap.bind.password is not set,
LDAPGroupsMapping reads password from the file.
IMPORTANT: This file should be readable only by the Unix user running
the daemons and should be a local file.
hadoop.security.group.mapping.ldap.bind.password
The password of the bind user. this property name is used as an
alias to get the password from credential providers. If the password can
not be found and hadoop.security.credential.clear-text-fallback is true
LDAPGroupsMapping uses the value of this property for password.
hadoop.security.group.mapping.ldap.base
The search base for the LDAP connection. This is a distinguished name,
and will typically be the root of the LDAP directory.
hadoop.security.group.mapping.ldap.userbase
The search base for the LDAP connection for user search query. This is a
distinguished name, and its the root of the LDAP directory for users.
If not set, hadoop.security.group.mapping.ldap.base is used.
hadoop.security.group.mapping.ldap.groupbase
The search base for the LDAP connection for group search . This is a
distinguished name, and its the root of the LDAP directory for groups.
If not set, hadoop.security.group.mapping.ldap.base is used.
hadoop.security.group.mapping.ldap.search.filter.user
(&(objectClass=user)(sAMAccountName={0}))
An additional filter to use when searching for LDAP users. The default will
usually be appropriate for Active Directory installations. If connecting to
an LDAP server with a non-AD schema, this should be replaced with
(&(objectClass=inetOrgPerson)(uid={0}). {0} is a special string used to
denote where the username fits into the filter.
If the LDAP server supports posixGroups, Hadoop can enable the feature by
setting the value of this property to "posixAccount" and the value of
the hadoop.security.group.mapping.ldap.search.filter.group property to
"posixGroup".
hadoop.security.group.mapping.ldap.search.filter.group
(objectClass=group)
An additional filter to use when searching for LDAP groups. This should be
changed when resolving groups against a non-Active Directory installation.
See the description of hadoop.security.group.mapping.ldap.search.filter.user
to enable posixGroups support.
hadoop.security.group.mapping.ldap.search.attr.memberof
The attribute of the user object that identifies its group objects. By
default, Hadoop makes two LDAP queries per user if this value is empty. If
set, Hadoop will attempt to resolve group names from this attribute,
instead of making the second LDAP query to get group objects. The value
should be 'memberOf' for an MS AD installation.
hadoop.security.group.mapping.ldap.search.attr.member
member
The attribute of the group object that identifies the users that are
members of the group. The default will usually be appropriate for
any LDAP installation.
hadoop.security.group.mapping.ldap.search.attr.group.name
cn
The attribute of the group object that identifies the group name. The
default will usually be appropriate for all LDAP systems.
hadoop.security.group.mapping.ldap.search.group.hierarchy.levels
0
The number of levels to go up the group hierarchy when determining
which groups a user is part of. 0 Will represent checking just the
group that the user belongs to. Each additional level will raise the
time it takes to execute a query by at most
hadoop.security.group.mapping.ldap.directory.search.timeout.
The default will usually be appropriate for all LDAP systems.
hadoop.security.group.mapping.ldap.posix.attr.uid.name
uidNumber
The attribute of posixAccount to use when groups for membership.
Mostly useful for schemas wherein groups have memberUids that use an
attribute other than uidNumber.
hadoop.security.group.mapping.ldap.posix.attr.gid.name
gidNumber
The attribute of posixAccount indicating the group id.
hadoop.security.group.mapping.ldap.directory.search.timeout
10000
The attribute applied to the LDAP SearchControl properties to set a
maximum time limit when searching and awaiting a result.
Set to 0 if infinite wait period is desired.
Default is 10 seconds. Units in milliseconds.
hadoop.security.group.mapping.ldap.group.search.filter.pattern
Comma separated values that needs to be substituted in the group search
filter during group lookup. The values are substituted in the order they
appear in the list, the first value will replace {0} the second {1} and
so on.
hadoop.security.group.mapping.providers
Comma separated of names of other providers to provide user to group
mapping. Used by CompositeGroupsMapping.
hadoop.security.group.mapping.providers.combined
true
true or false to indicate whether groups from the providers are combined or
not. The default value is true. If true, then all the providers will be
tried to get groups and all the groups are combined to return as the final
results. Otherwise, providers are tried one by one in the configured list
order, and if any groups are retrieved from any provider, then the groups
will be returned without trying the left ones.
hadoop.security.service.user.name.key
For those cases where the same RPC protocol is implemented by multiple
servers, this configuration is required for specifying the principal
name to use for the service when the client wishes to make an RPC call.
fs.azure.user.agent.prefix
unknown
WASB passes User-Agent header to the Azure back-end. The default value
contains WASB version, Java Runtime version, Azure Client library version,
and the value of the configuration option fs.azure.user.agent.prefix.
hadoop.security.uid.cache.secs
14400
This is the config controlling the validity of the entries in the cache
containing the userId to userName and groupId to groupName used by
NativeIO getFstat().
hadoop.service.shutdown.timeout
30s
Timeout to wait for each shutdown operation to complete.
If a hook takes longer than this time to complete, it will be interrupted,
so the service will shutdown. This allows the service shutdown
to recover from a blocked operation.
Some shutdown hooks may need more time than this, for example when
a large amount of data needs to be uploaded to an object store.
In this situation: increase the timeout.
The minimum duration of the timeout is 1 second, "1s".
hadoop.rpc.protection
authentication
A comma-separated list of protection values for secured sasl
connections. Possible values are authentication, integrity and privacy.
authentication means authentication only and no integrity or privacy;
integrity implies authentication and integrity are enabled; and privacy
implies all of authentication, integrity and privacy are enabled.
hadoop.security.saslproperties.resolver.class can be used to override
the hadoop.rpc.protection for a connection at the server side.
hadoop.security.saslproperties.resolver.class
SaslPropertiesResolver used to resolve the QOP used for a
connection. If not specified, the full set of values specified in
hadoop.rpc.protection is used while determining the QOP used for the
connection. If a class is specified, then the QOP values returned by
the class will be used while determining the QOP used for the connection.
hadoop.security.sensitive-config-keys
secret$
password$
ssl.keystore.pass$
fs.s3a.server-side-encryption.key
fs.s3a.*.server-side-encryption.key
fs.s3a.encryption.algorithm
fs.s3a.encryption.key
fs.s3a.secret.key
fs.s3a.*.secret.key
fs.s3a.session.key
fs.s3a.*.session.key
fs.s3a.session.token
fs.s3a.*.session.token
fs.azure.account.key.*
fs.azure.oauth2.*
fs.adl.oauth2.*
fs.gs.encryption.*
fs.gs.proxy.*
fs.gs.auth.*
credential$
oauth.*secret
oauth.*password
oauth.*token
hadoop.security.sensitive-config-keys
A comma-separated or multi-line list of regular expressions to
match configuration keys that should be redacted where appropriate, for
example, when logging modified properties during a reconfiguration,
private credentials should not be logged.
hadoop.security.token.service.use_ip
true
Controls whether tokens always use IP addresses.
DNS changes will not be detected if this option is enabled.
Existing client connections that break will always reconnect
to the IP of the original host. New clients will connect
to the host's new IP but fail to locate a token.
Disabling this option will allow existing and new clients
to detect an IP change and continue to locate the new host's token.
In secure multi-homed environments, this parameter will need to
be set to false on both cluster servers and clients (see HADOOP-7733).
If it is not set correctly, the symptom will be inability to
submit an application to YARN from an external client
(with error "client host not a member of the Hadoop cluster"),
or even from an in-cluster client if server failover occurs.
hadoop.workaround.non.threadsafe.getpwuid
true
Some operating systems or authentication modules are known to
have broken implementations of getpwuid_r and getpwgid_r, such that these
calls are not thread-safe. Symptoms of this problem include JVM crashes
with a stack trace inside these functions. If your system exhibits this
issue, enable this configuration parameter to include a lock around the
calls as a workaround.
An incomplete list of some systems known to have this issue is available
at http://wiki.apache.org/hadoop/KnownBrokenPwuidImplementations
hadoop.kerberos.kinit.command
kinit
Used to periodically renew Kerberos credentials when provided
to Hadoop. The default setting assumes that kinit is in the PATH of users
running the Hadoop client. Change this to the absolute path to kinit if this
is not the case.
hadoop.kerberos.min.seconds.before.relogin
60
The minimum time between relogin attempts for Kerberos, in
seconds.
hadoop.kerberos.keytab.login.autorenewal.enabled
false
Used to enable automatic renewal of keytab based kerberos login.
By default the automatic renewal is disabled for keytab based kerberos login.
hadoop.security.auth_to_local
Maps kerberos principals to local user names
hadoop.security.auth_to_local.mechanism
hadoop
The mechanism by which auth_to_local rules are evaluated.
If set to 'hadoop' it will not allow resulting local user names to have
either '@' or '/'. If set to 'MIT' it will follow MIT evaluation rules
and the restrictions of 'hadoop' do not apply.
hadoop.token.files
List of token cache files that have delegation tokens for hadoop service
io.file.buffer.size
4096
The size of buffer for use in sequence files.
The size of this buffer should probably be a multiple of hardware
page size (4096 on Intel x86), and it determines how much data is
buffered during read and write operations. Must be greater than zero.
io.bytes.per.checksum
512
The number of bytes per checksum. Must not be larger than
io.file.buffer.size.
io.skip.checksum.errors
false
If true, when a checksum error is encountered while
reading a sequence file, entries are skipped, instead of throwing an
exception.
io.compression.codecs
A comma-separated list of the compression codec classes that can
be used for compression/decompression. In addition to any classes specified
with this property (which take precedence), codec classes on the classpath
are discovered using a Java ServiceLoader.
io.compression.codec.bzip2.library
system-native
The native-code library to be used for compression and
decompression by the bzip2 codec. This library could be specified
either by by name or the full pathname. In the former case, the
library is located by the dynamic linker, usually searching the
directories specified in the environment variable LD_LIBRARY_PATH.
The value of "system-native" indicates that the default system
library should be used. To indicate that the algorithm should
operate entirely in Java, specify "java-builtin".
io.serializations
org.apache.hadoop.io.serializer.WritableSerialization, org.apache.hadoop.io.serializer.avro.AvroSpecificSerialization, org.apache.hadoop.io.serializer.avro.AvroReflectSerialization
A list of serialization classes that can be used for
obtaining serializers and deserializers.
io.seqfile.local.dir
${hadoop.tmp.dir}/io/local
The local directory where sequence file stores intermediate
data files during merge. May be a comma-separated list of
directories on different devices in order to spread disk i/o.
Directories that do not exist are ignored.
io.map.index.skip
0
Number of index entries to skip between each entry.
Zero by default. Setting this to values larger than zero can
facilitate opening large MapFiles using less memory.
io.map.index.interval
128
MapFile consist of two files - data file (tuples) and index file
(keys). For every io.map.index.interval records written in the
data file, an entry (record-key, data-file-position) is written
in the index file. This is to allow for doing binary search later
within the index file to look up records by their keys and get their
closest positions in the data file.
io.erasurecode.codec.rs.rawcoders
rs_native,rs_java
Comma separated raw coder implementations for the rs codec. The earlier
factory is prior to followings in case of failure of creating raw coders.
io.erasurecode.codec.rs-legacy.rawcoders
rs-legacy_java
Comma separated raw coder implementations for the rs-legacy codec. The earlier
factory is prior to followings in case of failure of creating raw coders.
io.erasurecode.codec.xor.rawcoders
xor_native,xor_java
Comma separated raw coder implementations for the xor codec. The earlier
factory is prior to followings in case of failure of creating raw coders.
io.erasurecode.codec.native.enabled
true
Used to decide whether to enable native codec. If set to false, native codec
would not be created and ISA-L support would be disabled. Recommend to set to
false when your CPU does not support ISA-L.
fs.defaultFS
file:///
The name of the default file system. A URI whose
scheme and authority determine the FileSystem implementation. The
uri's scheme determines the config property (fs.SCHEME.impl) naming
the FileSystem implementation class. The uri's authority is used to
determine the host, port, etc. for a filesystem.
fs.default.name
file:///
Deprecated. Use (fs.defaultFS) property
instead
fs.trash.interval
0
Number of minutes after which the checkpoint
gets deleted. If zero, the trash feature is disabled.
This option may be configured both on the server and the
client. If trash is disabled server side then the client
side configuration is checked. If trash is enabled on the
server side then the value configured on the server is
used and the client configuration value is ignored.
fs.trash.checkpoint.interval
0
Number of minutes between trash checkpoints.
Should be smaller or equal to fs.trash.interval. If zero,
the value is set to the value of fs.trash.interval.
Every time the checkpointer runs it creates a new checkpoint
out of current and removes checkpoints created more than
fs.trash.interval minutes ago.
fs.protected.directories
A comma-separated list of directories which cannot
be deleted or renamed even by the superuser unless they are empty. This
setting can be used to guard important system directories
against accidental deletion due to administrator error.
fs.AbstractFileSystem.file.impl
org.apache.hadoop.fs.local.LocalFs
The AbstractFileSystem for file: uris.
fs.AbstractFileSystem.har.impl
org.apache.hadoop.fs.HarFs
The AbstractFileSystem for har: uris.
fs.AbstractFileSystem.hdfs.impl
org.apache.hadoop.fs.Hdfs
The FileSystem for hdfs: uris.
fs.AbstractFileSystem.viewfs.impl
org.apache.hadoop.fs.viewfs.ViewFs
The AbstractFileSystem for view file system for viewfs: uris
(ie client side mount table:).
fs.viewfs.rename.strategy
SAME_MOUNTPOINT
Allowed rename strategy to rename between multiple mountpoints.
Allowed values are SAME_MOUNTPOINT,SAME_TARGET_URI_ACROSS_MOUNTPOINT and
SAME_FILESYSTEM_ACROSS_MOUNTPOINT.
fs.viewfs.overload.scheme.target.hdfs.impl
org.apache.hadoop.hdfs.DistributedFileSystem
The DistributedFileSystem for view file system overload scheme
when child file system and ViewFSOverloadScheme's schemes are hdfs.
fs.viewfs.overload.scheme.target.s3a.impl
org.apache.hadoop.fs.s3a.S3AFileSystem
The S3AFileSystem for view file system overload scheme when
child file system and ViewFSOverloadScheme's schemes are s3a.
fs.viewfs.overload.scheme.target.ofs.impl
org.apache.hadoop.fs.ozone.RootedOzoneFileSystem
The RootedOzoneFileSystem for view file system overload scheme
when child file system and ViewFSOverloadScheme's schemes are ofs.
fs.viewfs.overload.scheme.target.o3fs.impl
org.apache.hadoop.fs.ozone.OzoneFileSystem
The OzoneFileSystem for view file system overload scheme when
child file system and ViewFSOverloadScheme's schemes are o3fs.
fs.viewfs.overload.scheme.target.ftp.impl
org.apache.hadoop.fs.ftp.FTPFileSystem
The FTPFileSystem for view file system overload scheme when
child file system and ViewFSOverloadScheme's schemes are ftp.
fs.viewfs.overload.scheme.target.webhdfs.impl
org.apache.hadoop.hdfs.web.WebHdfsFileSystem
The WebHdfsFileSystem for view file system overload scheme when
child file system and ViewFSOverloadScheme's schemes are webhdfs.
fs.viewfs.overload.scheme.target.swebhdfs.impl
org.apache.hadoop.hdfs.web.SWebHdfsFileSystem
The SWebHdfsFileSystem for view file system overload scheme when
child file system and ViewFSOverloadScheme's schemes are swebhdfs.
fs.viewfs.overload.scheme.target.file.impl
org.apache.hadoop.fs.LocalFileSystem
The LocalFileSystem for view file system overload scheme when
child file system and ViewFSOverloadScheme's schemes are file.
fs.viewfs.overload.scheme.target.abfs.impl
org.apache.hadoop.fs.azurebfs.AzureBlobFileSystem
The AzureBlobFileSystem for view file system overload scheme
when child file system and ViewFSOverloadScheme's schemes are abfs.
fs.viewfs.overload.scheme.target.abfss.impl
org.apache.hadoop.fs.azurebfs.SecureAzureBlobFileSystem
The SecureAzureBlobFileSystem for view file system overload
scheme when child file system and ViewFSOverloadScheme's schemes are abfss.
fs.viewfs.overload.scheme.target.wasb.impl
org.apache.hadoop.fs.azure.NativeAzureFileSystem
The NativeAzureFileSystem for view file system overload scheme
when child file system and ViewFSOverloadScheme's schemes are wasb.
fs.viewfs.overload.scheme.target.oss.impl
org.apache.hadoop.fs.aliyun.oss.AliyunOSSFileSystem
The AliyunOSSFileSystem for view file system overload scheme
when child file system and ViewFSOverloadScheme's schemes are oss.
fs.viewfs.overload.scheme.target.http.impl
org.apache.hadoop.fs.http.HttpFileSystem
The HttpFileSystem for view file system overload scheme
when child file system and ViewFSOverloadScheme's schemes are http.
fs.viewfs.overload.scheme.target.gs.impl
com.google.cloud.hadoop.fs.gcs.GoogleHadoopFS
The GoogleHadoopFS/Google Cloud Storage file system for view
file system overload scheme when child file system and ViewFSOverloadScheme's
schemes are gs.
fs.viewfs.overload.scheme.target.https.impl
org.apache.hadoop.fs.http.HttpsFileSystem
The HttpsFileSystem for view file system overload scheme
when child file system and ViewFSOverloadScheme's schemes are https.
fs.AbstractFileSystem.ftp.impl
org.apache.hadoop.fs.ftp.FtpFs
The FileSystem for Ftp: uris.
fs.ftp.impl
org.apache.hadoop.fs.ftp.FTPFileSystem
The implementation class of the FTP FileSystem
fs.AbstractFileSystem.webhdfs.impl
org.apache.hadoop.fs.WebHdfs
The FileSystem for webhdfs: uris.
fs.AbstractFileSystem.swebhdfs.impl
org.apache.hadoop.fs.SWebHdfs
The FileSystem for swebhdfs: uris.
fs.ftp.host
0.0.0.0
FTP filesystem connects to this server
fs.ftp.host.port
21
FTP filesystem connects to fs.ftp.host on this port
fs.ftp.data.connection.mode
ACTIVE_LOCAL_DATA_CONNECTION_MODE
Set the FTPClient's data connection mode based on configuration.
Valid values are ACTIVE_LOCAL_DATA_CONNECTION_MODE,
PASSIVE_LOCAL_DATA_CONNECTION_MODE and PASSIVE_REMOTE_DATA_CONNECTION_MODE.
fs.ftp.transfer.mode
BLOCK_TRANSFER_MODE
Set FTP's transfer mode based on configuration. Valid values are
STREAM_TRANSFER_MODE, BLOCK_TRANSFER_MODE and COMPRESSED_TRANSFER_MODE.
fs.ftp.timeout
0
FTP filesystem's timeout in seconds.
fs.df.interval
60000
Disk usage statistics refresh interval in msec.
fs.du.interval
600000
File space usage statistics refresh interval in msec.
fs.automatic.close
true
By default, FileSystem instances are automatically closed at program
exit using a JVM shutdown hook. Setting this property to false disables this
behavior. This is an advanced option that should only be used by server applications
requiring a more carefully orchestrated shutdown sequence.
fs.s3a.access.key
AWS access key ID used by S3A file system. Omit for IAM role-based or provider-based authentication.
fs.s3a.secret.key
AWS secret key used by S3A file system. Omit for IAM role-based or provider-based authentication.
fs.s3a.aws.credentials.provider
org.apache.hadoop.fs.s3a.TemporaryAWSCredentialsProvider,
org.apache.hadoop.fs.s3a.SimpleAWSCredentialsProvider,
com.amazonaws.auth.EnvironmentVariableCredentialsProvider,
org.apache.hadoop.fs.s3a.auth.IAMInstanceCredentialsProvider
Comma-separated class names of credential provider classes which implement
com.amazonaws.auth.AWSCredentialsProvider.
When S3A delegation tokens are not enabled, this list will be used
to directly authenticate with S3 and other AWS services.
When S3A Delegation tokens are enabled, depending upon the delegation
token binding it may be used
to communicate wih the STS endpoint to request session/role
credentials.
These are loaded and queried in sequence for a valid set of credentials.
Each listed class must implement one of the following means of
construction, which are attempted in order:
* a public constructor accepting java.net.URI and
org.apache.hadoop.conf.Configuration,
* a public constructor accepting org.apache.hadoop.conf.Configuration,
* a public static method named getInstance that accepts no
arguments and returns an instance of
com.amazonaws.auth.AWSCredentialsProvider, or
* a public default constructor.
Specifying org.apache.hadoop.fs.s3a.AnonymousAWSCredentialsProvider allows
anonymous access to a publicly accessible S3 bucket without any credentials.
Please note that allowing anonymous access to an S3 bucket compromises
security and therefore is unsuitable for most use cases. It can be useful
for accessing public data sets without requiring AWS credentials.
If unspecified, then the default list of credential provider classes,
queried in sequence, is:
* org.apache.hadoop.fs.s3a.TemporaryAWSCredentialsProvider: looks
for session login secrets in the Hadoop configuration.
* org.apache.hadoop.fs.s3a.SimpleAWSCredentialsProvider:
Uses the values of fs.s3a.access.key and fs.s3a.secret.key.
* com.amazonaws.auth.EnvironmentVariableCredentialsProvider: supports
configuration of AWS access key ID and secret access key in
environment variables named AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY,
and AWS_SESSION_TOKEN as documented in the AWS SDK.
* org.apache.hadoop.fs.s3a.auth.IAMInstanceCredentialsProvider: picks up
IAM credentials of any EC2 VM or AWS container in which the process is running.
fs.s3a.session.token
Session token, when using org.apache.hadoop.fs.s3a.TemporaryAWSCredentialsProvider
as one of the providers.
fs.s3a.security.credential.provider.path
Optional comma separated list of credential providers, a list
which is prepended to that set in hadoop.security.credential.provider.path
fs.s3a.assumed.role.arn
AWS ARN for the role to be assumed.
Required if the fs.s3a.aws.credentials.provider contains
org.apache.hadoop.fs.s3a.AssumedRoleCredentialProvider
fs.s3a.assumed.role.session.name
Session name for the assumed role, must be valid characters according to
the AWS APIs.
Only used if AssumedRoleCredentialProvider is the AWS credential provider.
If not set, one is generated from the current Hadoop/Kerberos username.
fs.s3a.assumed.role.policy
JSON policy to apply to the role.
Only used if AssumedRoleCredentialProvider is the AWS credential provider.
fs.s3a.assumed.role.session.duration
30m
Duration of assumed roles before a refresh is attempted.
Used when session tokens are requested.
Range: 15m to 1h
fs.s3a.assumed.role.sts.endpoint
AWS Security Token Service Endpoint.
If unset, uses the default endpoint.
Only used if AssumedRoleCredentialProvider is the AWS credential provider.
Used by the AssumedRoleCredentialProvider and in Session and Role delegation
tokens.
fs.s3a.assumed.role.sts.endpoint.region
AWS Security Token Service Endpoint's region;
Needed if fs.s3a.assumed.role.sts.endpoint points to an endpoint
other than the default one and the v4 signature is used.
Used by the AssumedRoleCredentialProvider and in Session and Role delegation
tokens.
fs.s3a.assumed.role.credentials.provider
org.apache.hadoop.fs.s3a.SimpleAWSCredentialsProvider
List of credential providers to authenticate with the STS endpoint and
retrieve short-lived role credentials.
Only used if AssumedRoleCredentialProvider is the AWS credential provider.
If unset, uses "org.apache.hadoop.fs.s3a.SimpleAWSCredentialsProvider".
fs.s3a.delegation.token.binding
The name of a class to provide delegation tokens support in S3A.
If unset: delegation token support is disabled.
Note: for job submission to actually collect these tokens,
Kerberos must be enabled.
Options are:
org.apache.hadoop.fs.s3a.auth.delegation.SessionTokenBinding
org.apache.hadoop.fs.s3a.auth.delegation.FullCredentialsTokenBinding
and org.apache.hadoop.fs.s3a.auth.delegation.RoleTokenBinding
fs.s3a.connection.maximum
96
Controls the maximum number of simultaneous connections to S3.
This must be bigger than the value of fs.s3a.threads.max so as to stop
threads being blocked waiting for new HTTPS connections.
Why not equal? The AWS SDK transfer manager also uses these connections.
fs.s3a.connection.ssl.enabled
true
Enables or disables SSL connections to AWS services.
Also sets the default port to use for the s3a proxy settings,
when not explicitly set in fs.s3a.proxy.port.
fs.s3a.endpoint
AWS S3 endpoint to connect to. An up-to-date list is
provided in the AWS Documentation: regions and endpoints. Without this
property, the standard region (s3.amazonaws.com) is assumed.
fs.s3a.path.style.access
false
Enable S3 path style access ie disabling the default virtual hosting behaviour.
Useful for S3A-compliant storage providers as it removes the need to set up DNS for virtual hosting.
fs.s3a.proxy.host
Hostname of the (optional) proxy server for S3 connections.
fs.s3a.proxy.port
Proxy server port. If this property is not set
but fs.s3a.proxy.host is, port 80 or 443 is assumed (consistent with
the value of fs.s3a.connection.ssl.enabled).
fs.s3a.proxy.username
Username for authenticating with proxy server.
fs.s3a.proxy.password
Password for authenticating with proxy server.
fs.s3a.proxy.domain
Domain for authenticating with proxy server.
fs.s3a.proxy.workstation
Workstation for authenticating with proxy server.
fs.s3a.attempts.maximum
20
How many times we should retry commands on transient errors.
fs.s3a.connection.establish.timeout
5000
Socket connection setup timeout in milliseconds.
fs.s3a.connection.timeout
200000
Socket connection timeout in milliseconds.
fs.s3a.socket.send.buffer
8192
Socket send buffer hint to amazon connector. Represented in bytes.
fs.s3a.socket.recv.buffer
8192
Socket receive buffer hint to amazon connector. Represented in bytes.
fs.s3a.paging.maximum
5000
How many keys to request from S3 when doing
directory listings at a time.
fs.s3a.threads.max
64
The total number of threads available in the filesystem for data
uploads *or any other queued filesystem operation*.
fs.s3a.threads.keepalivetime
60
Number of seconds a thread can be idle before being
terminated.
fs.s3a.max.total.tasks
32
The number of operations which can be queued for execution.
This is in addition to the number of active threads in fs.s3a.threads.max.
fs.s3a.executor.capacity
16
The maximum number of submitted tasks which is a single
operation (e.g. rename(), delete()) may submit simultaneously for
execution -excluding the IO-heavy block uploads, whose capacity
is set in "fs.s3a.fast.upload.active.blocks"
All tasks are submitted to the shared thread pool whose size is
set in "fs.s3a.threads.max"; the value of capacity should be less than that
of the thread pool itself, as the goal is to stop a single operation
from overloading that thread pool.
fs.s3a.multipart.size
64M
How big (in bytes) to split upload or copy operations up into.
A suffix from the set {K,M,G,T,P} may be used to scale the numeric value.
fs.s3a.multipart.threshold
128M
How big (in bytes) to split upload or copy operations up into.
This also controls the partition size in renamed files, as rename() involves
copying the source file(s).
A suffix from the set {K,M,G,T,P} may be used to scale the numeric value.
fs.s3a.multiobjectdelete.enable
true
When enabled, multiple single-object delete requests are replaced by
a single 'delete multiple objects'-request, reducing the number of requests.
Beware: legacy S3-compatible object stores might not support this request.
fs.s3a.acl.default
Set a canned ACL for newly created and copied objects. Value may be Private,
PublicRead, PublicReadWrite, AuthenticatedRead, LogDeliveryWrite, BucketOwnerRead,
or BucketOwnerFullControl.
If set, caller IAM role must have "s3:PutObjectAcl" permission on the bucket.
fs.s3a.multipart.purge
false
True if you want to purge existing multipart uploads that may not have been
completed/aborted correctly. The corresponding purge age is defined in
fs.s3a.multipart.purge.age.
If set, when the filesystem is instantiated then all outstanding uploads
older than the purge age will be terminated -across the entire bucket.
This will impact multipart uploads by other applications and users. so should
be used sparingly, with an age value chosen to stop failed uploads, without
breaking ongoing operations.
fs.s3a.multipart.purge.age
86400
Minimum age in seconds of multipart uploads to purge
on startup if "fs.s3a.multipart.purge" is true
fs.s3a.encryption.algorithm
Specify a server-side encryption or client-side
encryption algorithm for s3a: file system. Unset by default. It supports the
following values: 'AES256' (for SSE-S3), 'SSE-KMS', 'SSE-C', and 'CSE-KMS'
fs.s3a.encryption.key
Specific encryption key to use if fs.s3a.encryption.algorithm
has been set to 'SSE-KMS', 'SSE-C' or 'CSE-KMS'. In the case of SSE-C
, the value of this property should be the Base64 encoded key. If you are
using SSE-KMS and leave this property empty, you'll be using your default's
S3 KMS key, otherwise you should set this property to the specific KMS key
id. In case of 'CSE-KMS' this value needs to be the AWS-KMS Key ID
generated from AWS console.
fs.s3a.signing-algorithm
Override the default signing algorithm so legacy
implementations can still be used
fs.s3a.accesspoint.required
false
Require that all S3 access is made through Access Points and not through
buckets directly. If enabled, use per-bucket overrides to allow bucket access to a specific set
of buckets.
fs.s3a.block.size
32M
Block size to use when reading files using s3a: file system.
A suffix from the set {K,M,G,T,P} may be used to scale the numeric value.
fs.s3a.buffer.dir
${env.LOCAL_DIRS:-${hadoop.tmp.dir}}/s3a
Comma separated list of directories that will be used to buffer file
uploads to.
Yarn container path will be used as default value on yarn applications,
otherwise fall back to hadoop.tmp.dir
fs.s3a.fast.upload.buffer
disk
The buffering mechanism to for data being written.
Values: disk, array, bytebuffer.
"disk" will use the directories listed in fs.s3a.buffer.dir as
the location(s) to save data prior to being uploaded.
"array" uses arrays in the JVM heap
"bytebuffer" uses off-heap memory within the JVM.
Both "array" and "bytebuffer" will consume memory in a single stream up to the number
of blocks set by:
fs.s3a.multipart.size * fs.s3a.fast.upload.active.blocks.
If using either of these mechanisms, keep this value low
The total number of threads performing work across all threads is set by
fs.s3a.threads.max, with fs.s3a.max.total.tasks values setting the number of queued
work items.
fs.s3a.fast.upload.active.blocks
4
Maximum Number of blocks a single output stream can have
active (uploading, or queued to the central FileSystem
instance's pool of queued operations.
This stops a single stream overloading the shared thread pool.
fs.s3a.readahead.range
64K
Bytes to read ahead during a seek() before closing and
re-opening the S3 HTTP connection. This option will be overridden if
any call to setReadahead() is made to an open stream.
A suffix from the set {K,M,G,T,P} may be used to scale the numeric value.
fs.s3a.user.agent.prefix
Sets a custom value that will be prepended to the User-Agent header sent in
HTTP requests to the S3 back-end by S3AFileSystem. The User-Agent header
always includes the Hadoop version number followed by a string generated by
the AWS SDK. An example is "User-Agent: Hadoop 2.8.0, aws-sdk-java/1.10.6".
If this optional property is set, then its value is prepended to create a
customized User-Agent. For example, if this configuration property was set
to "MyApp", then an example of the resulting User-Agent would be
"User-Agent: MyApp, Hadoop 2.8.0, aws-sdk-java/1.10.6".
fs.s3a.impl
org.apache.hadoop.fs.s3a.S3AFileSystem
The implementation class of the S3A Filesystem
fs.s3a.retry.limit
7
Number of times to retry any repeatable S3 client request on failure,
excluding throttling requests.
fs.s3a.retry.interval
500ms
Initial retry interval when retrying operations for any reason other
than S3 throttle errors.
fs.s3a.retry.throttle.limit
20
Number of times to retry any throttled request.
fs.s3a.retry.throttle.interval
100ms
Initial between retry attempts on throttled requests, +/- 50%. chosen at random.
i.e. for an intial value of 3000ms, the initial delay would be in the range 1500ms to 4500ms.
Backoffs are exponential; again randomness is used to avoid the thundering heard problem.
500ms is the default value used by the AWS S3 Retry policy.
fs.s3a.committer.name
file
Committer to create for output to S3A, one of:
"file", "directory", "partitioned", "magic".
fs.s3a.committer.magic.enabled
true
Enable support in the S3A filesystem for the "Magic" committer.
fs.s3a.committer.threads
8
Number of threads in committers for parallel operations on files
(upload, commit, abort, delete...)
fs.s3a.committer.staging.tmp.path
tmp/staging
Path in the cluster filesystem for temporary data.
This is for HDFS, not the local filesystem.
It is only for the summary data of each file, not the actual
data being committed.
Using an unqualified path guarantees that the full path will be
generated relative to the home directory of the user creating the job,
hence private (assuming home directory permissions are secure).
fs.s3a.committer.staging.unique-filenames
true
Option for final files to have a unique name through job attempt info,
or the value of fs.s3a.committer.staging.uuid
When writing data with the "append" conflict option, this guarantees
that new data will not overwrite any existing data.
fs.s3a.committer.staging.conflict-mode
append
Staging committer conflict resolution policy.
Supported: "fail", "append", "replace".
fs.s3a.committer.abort.pending.uploads
true
Should the committers abort all pending uploads to the destination
directory?
Set to false if more than one job is writing to the same directory tree.
fs.s3a.select.enabled
true
Is S3 Select enabled?
fs.s3a.select.input.csv.comment.marker
#
In S3 Select queries: the marker for comment lines in CSV files
fs.s3a.select.input.csv.record.delimiter
\n
In S3 Select queries over CSV files: the record delimiter.
\t is remapped to the TAB character, \r to CR \n to newline. \\ to \
and \" to "
fs.s3a.select.input.csv.field.delimiter
,
In S3 Select queries over CSV files: the field delimiter.
\t is remapped to the TAB character, \r to CR \n to newline. \\ to \
and \" to "
fs.s3a.select.input.csv.quote.character
"
In S3 Select queries over CSV files: quote character.
\t is remapped to the TAB character, \r to CR \n to newline. \\ to \
and \" to "
fs.s3a.select.input.csv.quote.escape.character
\\
In S3 Select queries over CSV files: quote escape character.
\t is remapped to the TAB character, \r to CR \n to newline. \\ to \
and \" to "
fs.s3a.select.input.csv.header
none
In S3 Select queries over CSV files: what is the role of the header? One of "none", "ignore" and "use"
fs.s3a.select.input.compression
none
In S3 Select queries, the source compression
algorithm. One of: "none" and "gzip"
fs.s3a.select.output.csv.quote.fields
always
In S3 Select queries: should fields in generated CSV Files be quoted?
One of: "always", "asneeded".
fs.s3a.select.output.csv.quote.character
"
In S3 Select queries: the quote character for generated CSV Files.
fs.s3a.select.output.csv.quote.escape.character
\\
In S3 Select queries: the quote escape character for generated CSV Files.
fs.s3a.select.output.csv.record.delimiter
\n
In S3 Select queries: the record delimiter for generated CSV Files.
fs.s3a.select.output.csv.field.delimiter
,
In S3 Select queries: the field delimiter for generated CSV Files.
fs.s3a.select.errors.include.sql
false
Include the SQL statement in errors: this is useful for development but
may leak security and Personally Identifying Information in production,
so must be disabled there.
fs.AbstractFileSystem.s3a.impl
org.apache.hadoop.fs.s3a.S3A
The implementation class of the S3A AbstractFileSystem.
fs.s3a.list.version
2
Select which version of the S3 SDK's List Objects API to use. Currently
support 2 (default) and 1 (older API).
fs.s3a.connection.request.timeout
0
Time out on HTTP requests to the AWS service; 0 means no timeout.
Measured in seconds; the usual time suffixes are all supported
Important: this is the maximum duration of any AWS service call,
including upload and copy operations. If non-zero, it must be larger
than the time to upload multi-megabyte blocks to S3 from the client,
and to rename many-GB files. Use with care.
Values that are larger than Integer.MAX_VALUE milliseconds are
converged to Integer.MAX_VALUE milliseconds
fs.s3a.etag.checksum.enabled
false
Should calls to getFileChecksum() return the etag value of the remote
object.
WARNING: if enabled, distcp operations between HDFS and S3 will fail unless
-skipcrccheck is set.
fs.s3a.change.detection.source
etag
Select which S3 object attribute to use for change detection.
Currently support 'etag' for S3 object eTags and 'versionid' for
S3 object version IDs. Use of version IDs requires object versioning to be
enabled for each S3 bucket utilized. Object versioning is disabled on
buckets by default. When version ID is used, the buckets utilized should
have versioning enabled before any data is written.
fs.s3a.change.detection.mode
server
Determines how change detection is applied to alert to inconsistent S3
objects read during or after an overwrite. Value 'server' indicates to apply
the attribute constraint directly on GetObject requests to S3. Value 'client'
means to do a client-side comparison of the attribute value returned in the
response. Value 'server' would not work with third-party S3 implementations
that do not support these constraints on GetObject. Values 'server' and
'client' generate RemoteObjectChangedException when a mismatch is detected.
Value 'warn' works like 'client' but generates only a warning. Value 'none'
will ignore change detection completely.
fs.s3a.change.detection.version.required
true
Determines if S3 object version attribute defined by
fs.s3a.change.detection.source should be treated as required. If true and the
referred attribute is unavailable in an S3 GetObject response,
NoVersionAttributeException is thrown. Setting to 'true' is encouraged to
avoid potential for inconsistent reads with third-party S3 implementations or
against S3 buckets that have object versioning disabled.
fs.s3a.ssl.channel.mode
default_jsse
If secure connections to S3 are enabled, configures the SSL
implementation used to encrypt connections to S3. Supported values are:
"default_jsse", "default_jsse_with_gcm", "default", and "openssl".
"default_jsse" uses the Java Secure Socket Extension package (JSSE).
However, when running on Java 8, the GCM cipher is removed from the list
of enabled ciphers. This is due to performance issues with GCM in Java 8.
"default_jsse_with_gcm" uses the JSSE with the default list of cipher
suites. "default_jsse_with_gcm" is equivalent to the behavior prior to
this feature being introduced. "default" attempts to use OpenSSL rather
than the JSSE for SSL encryption, if OpenSSL libraries cannot be loaded,
it falls back to the "default_jsse" behavior. "openssl" attempts to use
OpenSSL as well, but fails if OpenSSL libraries cannot be loaded.
fs.s3a.downgrade.syncable.exceptions
true
Warn but continue when applications use Syncable.hsync when writing
to S3A.
fs.s3a.audit.enabled
true
Should auditing of S3A requests be enabled?
fs.AbstractFileSystem.wasb.impl
org.apache.hadoop.fs.azure.Wasb
AbstractFileSystem implementation class of wasb://
fs.AbstractFileSystem.wasbs.impl
org.apache.hadoop.fs.azure.Wasbs
AbstractFileSystem implementation class of wasbs://
fs.wasb.impl
org.apache.hadoop.fs.azure.NativeAzureFileSystem
The implementation class of the Native Azure Filesystem
fs.wasbs.impl
org.apache.hadoop.fs.azure.NativeAzureFileSystem$Secure
The implementation class of the Secure Native Azure Filesystem
fs.azure.secure.mode
false
Config flag to identify the mode in which fs.azure.NativeAzureFileSystem needs
to run under. Setting it "true" would make fs.azure.NativeAzureFileSystem use
SAS keys to communicate with Azure storage.
fs.abfs.impl
org.apache.hadoop.fs.azurebfs.AzureBlobFileSystem
The implementation class of the Azure Blob Filesystem
fs.abfss.impl
org.apache.hadoop.fs.azurebfs.SecureAzureBlobFileSystem
The implementation class of the Secure Azure Blob Filesystem
fs.AbstractFileSystem.abfs.impl
org.apache.hadoop.fs.azurebfs.Abfs
AbstractFileSystem implementation class of abfs://
fs.AbstractFileSystem.abfss.impl
org.apache.hadoop.fs.azurebfs.Abfss
AbstractFileSystem implementation class of abfss://
fs.azure.local.sas.key.mode
false
Works in conjuction with fs.azure.secure.mode. Setting this config to true
results in fs.azure.NativeAzureFileSystem using the local SAS key generation
where the SAS keys are generating in the same process as fs.azure.NativeAzureFileSystem.
If fs.azure.secure.mode flag is set to false, this flag has no effect.
fs.azure.sas.expiry.period
90d
The default value to be used for expiration period for SAS keys generated.
Can use the following suffix (case insensitive):
ms(millis), s(sec), m(min), h(hour), d(day)
to specify the time (such as 2s, 2m, 1h, etc.).
fs.azure.authorization
false
Config flag to enable authorization support in WASB. Setting it to "true" enables
authorization support to WASB. Currently WASB authorization requires a remote service
to provide authorization that needs to be specified via fs.azure.authorization.remote.service.url
configuration
fs.azure.authorization.caching.enable
true
Config flag to enable caching of authorization results and saskeys in WASB.
This flag is relevant only when fs.azure.authorization is enabled.
fs.azure.saskey.usecontainersaskeyforallaccess
true
Use container saskey for access to all blobs within the container.
Blob-specific saskeys are not used when this setting is enabled.
This setting provides better performance compared to blob-specific saskeys.
fs.azure.buffer.dir
${hadoop.tmp.dir}/abfs
Directory path for buffer files needed to upload data blocks
in AbfsOutputStream.
fs.AbstractFileSystem.gs.impl
com.google.cloud.hadoop.fs.gcs.GoogleHadoopFS
The AbstractFileSystem for gs: uris.
fs.azure.enable.readahead
true
Enabled readahead/prefetching in AbfsInputStream.
io.seqfile.compress.blocksize
1000000
The minimum block size for compression in block compressed
SequenceFiles.
io.mapfile.bloom.size
1048576
The size of BloomFilter-s used in BloomMapFile. Each time this many
keys is appended the next BloomFilter will be created (inside a DynamicBloomFilter).
Larger values minimize the number of filters, which slightly increases the performance,
but may waste too much space if the total number of keys is usually much smaller
than this number.
io.mapfile.bloom.error.rate
0.005
The rate of false positives in BloomFilter-s used in BloomMapFile.
As this value decreases, the size of BloomFilter-s increases exponentially. This
value is the probability of encountering false positives (default is 0.5%).
hadoop.util.hash.type
murmur
The default implementation of Hash. Currently this can take one of the
two values: 'murmur' to select MurmurHash and 'jenkins' to select JenkinsHash.
ipc.client.idlethreshold
4000
Defines the threshold number of connections after which
connections will be inspected for idleness.
ipc.client.kill.max
10
Defines the maximum number of clients to disconnect in one go.
ipc.client.connection.maxidletime
10000
The maximum time in msec after which a client will bring down the
connection to the server.
ipc.client.connect.max.retries
10
Indicates the number of retries a client will make to establish
a server connection.
ipc.client.connect.retry.interval
1000
Indicates the number of milliseconds a client will wait for
before retrying to establish a server connection.
ipc.client.connect.timeout
20000
Indicates the number of milliseconds a client will wait for the
socket to establish a server connection.
ipc.client.connect.max.retries.on.timeouts
45
Indicates the number of retries a client will make on socket timeout
to establish a server connection.
ipc.client.tcpnodelay
true
Use TCP_NODELAY flag to bypass Nagle's algorithm transmission delays.
ipc.client.low-latency
false
Use low-latency QoS markers for IPC connections.
ipc.client.ping
true
Send a ping to the server when timeout on reading the response,
if set to true. If no failure is detected, the client retries until at least
a byte is read or the time given by ipc.client.rpc-timeout.ms is passed.
ipc.ping.interval
60000
Timeout on waiting response from server, in milliseconds.
The client will send ping when the interval is passed without receiving bytes,
if ipc.client.ping is set to true.
ipc.client.rpc-timeout.ms
120000
Timeout on waiting response from server, in milliseconds.
If this rpc-timeout is 0, it means no timeout. If this rpc-timeout is greater
than 0, and ipc.client.ping is set to true, and this rpc-timeout is greater than
the value of ipc.ping.interval, the effective value of the rpc-timeout is
rounded up to multiple of ipc.ping.interval.
ipc.server.listen.queue.size
256
Indicates the length of the listen queue for servers accepting
client connections.
ipc.server.log.slow.rpc
false
This setting is useful to troubleshoot performance issues for
various services. If this value is set to true then we log requests that
fall into 99th percentile as well as increment RpcSlowCalls counter.
ipc.server.purge.interval
15
Define how often calls are cleaned up in the server.
The default is 15 minutes. The unit is minutes.
ipc.maximum.data.length
134217728
This indicates the maximum IPC message length (bytes) that can be
accepted by the server. Messages larger than this value are rejected by the
immediately to avoid possible OOMs. This setting should rarely need to be
changed.
ipc.maximum.response.length
134217728
This indicates the maximum IPC message length (bytes) that can be
accepted by the client. Messages larger than this value are rejected
immediately to avoid possible OOMs. This setting should rarely need to be
changed. Set to 0 to disable.
ipc.server.reuseaddr
true
Enables the SO_REUSEADDR TCP option on the server.
Useful if BindException often prevents a certain service to be restarted
because the server side is stuck in TIME_WAIT state.
ipc.[port_number].backoff.enable
false
Whether or not to enable client backoff when a queue is full.
ipc.backoff.enable
false
This property is used as fallback property in case
"ipc.[port_number].backoff.enable" is not defined.
It determines whether or not to enable client backoff when
a queue is full.
ipc.[port_number].callqueue.impl
java.util.concurrent.LinkedBlockingQueue
The fully qualified name of a class to use as the implementation
of a call queue. The default implementation is
java.util.concurrent.LinkedBlockingQueue (FIFO queue).
Use org.apache.hadoop.ipc.FairCallQueue for the Fair Call Queue.
ipc.callqueue.impl
java.util.concurrent.LinkedBlockingQueue
The fully qualified name of a class to use as the implementation
of a call queue. The default implementation is
java.util.concurrent.LinkedBlockingQueue (FIFO queue).
Use org.apache.hadoop.ipc.FairCallQueue for the Fair Call Queue.
This config is fallback config for ipc.[port_number].callqueue.impl.
If call queue is not defined at port level, this default
config is used and hence, this is fallback config to
config with port.
ipc.[port_number].scheduler.impl
org.apache.hadoop.ipc.DefaultRpcScheduler
The fully qualified name of a class to use as the
implementation of the scheduler. The default implementation is
org.apache.hadoop.ipc.DefaultRpcScheduler (no-op scheduler) when not using
FairCallQueue. If using FairCallQueue, defaults to
org.apache.hadoop.ipc.DecayRpcScheduler. Use
org.apache.hadoop.ipc.DecayRpcScheduler in conjunction with the Fair Call
Queue.
ipc.scheduler.impl
org.apache.hadoop.ipc.DefaultRpcScheduler
The fully qualified name of a class to use as the
implementation of the scheduler. The default implementation is
org.apache.hadoop.ipc.DefaultRpcScheduler (no-op scheduler) when
not using FairCallQueue. If using FairCallQueue, defaults to
org.apache.hadoop.ipc.DecayRpcScheduler. Use
org.apache.hadoop.ipc.DecayRpcScheduler in conjunction
with the Fair Call Queue.
This config is fallback config for ipc.[port_number].scheduler.impl.
If scheduler queue is not defined at port level, this default
config is used and hence, this is fallback config to
config with port.
ipc.[port_number].scheduler.priority.levels
4
How many priority levels to use within the scheduler and call
queue. This property applies to RpcScheduler and CallQueue.
ipc.[port_number].faircallqueue.multiplexer.weights
8,4,2,1
How much weight to give to each priority queue. This should be
a comma-separated list of length equal to the number of priority levels.
Weights descend by a factor of 2 (e.g., for 4 levels: 8,4,2,1).
This property applies to WeightedRoundRobinMultiplexer.
ipc.[port_number].identity-provider.impl
org.apache.hadoop.ipc.UserIdentityProvider
The identity provider mapping user requests to their identity.
This property applies to DecayRpcScheduler.
ipc.identity-provider.impl
org.apache.hadoop.ipc.UserIdentityProvider
This property is used as fallback property in case
"ipc.[port_number].identity-provider.impl" is not defined.
The identity provider mapping user requests to their identity.
This property applies to DecayRpcScheduler.
ipc.[port_number].cost-provider.impl
org.apache.hadoop.ipc.DefaultCostProvider
The cost provider mapping user requests to their cost. To
enable determination of cost based on processing time, use
org.apache.hadoop.ipc.WeightedTimeCostProvider.
This property applies to DecayRpcScheduler.
ipc.cost-provider.impl
org.apache.hadoop.ipc.DefaultCostProvider
This property is used as fallback property in case
"ipc.[port_number].cost-provider.impl" is not defined.
The cost provider mapping user requests to their cost. To
enable determination of cost based on processing time, use
org.apache.hadoop.ipc.WeightedTimeCostProvider.
This property applies to DecayRpcScheduler.
ipc.[port_number].decay-scheduler.period-ms
5000
How frequently the decay factor should be applied to the
operation counts of users. Higher values have less overhead, but respond
less quickly to changes in client behavior.
This property applies to DecayRpcScheduler.
ipc.[port_number].decay-scheduler.decay-factor
0.5
When decaying the operation counts of users, the multiplicative
decay factor to apply. Higher values will weight older operations more
strongly, essentially giving the scheduler a longer memory, and penalizing
heavy clients for a longer period of time.
This property applies to DecayRpcScheduler.
ipc.[port_number].decay-scheduler.thresholds
13,25,50
The client load threshold, as an integer percentage, for each
priority queue. Clients producing less load, as a percent of total
operations, than specified at position i will be given priority i. This
should be a comma-separated list of length equal to the number of priority
levels minus 1 (the last is implicitly 100).
Thresholds ascend by a factor of 2 (e.g., for 4 levels: 13,25,50).
This property applies to DecayRpcScheduler.
ipc.[port_number].decay-scheduler.backoff.responsetime.enable
false
Whether or not to enable the backoff by response time feature.
This property applies to DecayRpcScheduler.
ipc.[port_number].decay-scheduler.backoff.responsetime.thresholds
10s,20s,30s,40s
The response time thresholds, as time durations, for each
priority queue. If the average response time for a queue is above this
threshold, backoff will occur in lower priority queues. This should be a
comma-separated list of length equal to the number of priority levels.
Threshold increases by 10s per level (e.g., for 4 levels: 10s,20s,30s,40s)
This property applies to DecayRpcScheduler.
ipc.[port_number].decay-scheduler.metrics.top.user.count
10
The number of top (i.e., heaviest) users to emit metric
information about. This property applies to DecayRpcScheduler.
ipc.[port_number].decay-scheduler.service-users
Service users will always be scheduled into the highest-priority
queue and won't be included in the priority computation of normal user
calls. They are specified as a comma-separated list.
ipc.[port_number].weighted-cost.lockshared
10
The weight multiplier to apply to the time spent in the
processing phase which holds a shared (read) lock.
This property applies to WeightedTimeCostProvider.
ipc.[port_number].weighted-cost.lockexclusive
100
The weight multiplier to apply to the time spent in the
processing phase which holds an exclusive (write) lock.
This property applies to WeightedTimeCostProvider.
ipc.[port_number].weighted-cost.handler
1
The weight multiplier to apply to the time spent in the
HANDLER phase which do not involve holding a lock.
See org.apache.hadoop.ipc.ProcessingDetails.Timing for more details on
this phase. This property applies to WeightedTimeCostProvider.
ipc.[port_number].weighted-cost.lockfree
1
The weight multiplier to apply to the time spent in the
LOCKFREE phase which do not involve holding a lock.
See org.apache.hadoop.ipc.ProcessingDetails.Timing for more details on
this phase. This property applies to WeightedTimeCostProvider.
ipc.[port_number].weighted-cost.response
1
The weight multiplier to apply to the time spent in the
RESPONSE phase which do not involve holding a lock.
See org.apache.hadoop.ipc.ProcessingDetails.Timing for more details on
this phase. This property applies to WeightedTimeCostProvider.
hadoop.security.impersonation.provider.class
A class which implements ImpersonationProvider interface, used to
authorize whether one user can impersonate a specific user.
If not specified, the DefaultImpersonationProvider will be used.
If a class is specified, then that class will be used to determine
the impersonation capability.
hadoop.rpc.socket.factory.class.default
org.apache.hadoop.net.StandardSocketFactory
Default SocketFactory to use. This parameter is expected to be
formatted as "package.FactoryClassName".
hadoop.rpc.socket.factory.class.ClientProtocol
SocketFactory to use to connect to a DFS. If null or empty, use
hadoop.rpc.socket.class.default. This socket factory is also used by
DFSClient to create sockets to DataNodes.
hadoop.socks.server
Address (host:port) of the SOCKS server to be used by the
SocksSocketFactory.
net.topology.node.switch.mapping.impl
org.apache.hadoop.net.ScriptBasedMapping
The default implementation of the DNSToSwitchMapping. It
invokes a script specified in net.topology.script.file.name to resolve
node names. If the value for net.topology.script.file.name is not set, the
default value of DEFAULT_RACK is returned for all node names.
net.topology.impl
org.apache.hadoop.net.NetworkTopology
The default implementation of NetworkTopology which is classic three layer one.
net.topology.script.file.name
The script name that should be invoked to resolve DNS names to
NetworkTopology names. Example: the script would take host.foo.bar as an
argument, and return /rack1 as the output.
net.topology.script.number.args
100
The max number of args that the script configured with
net.topology.script.file.name should be run with. Each arg is an
IP address.
net.topology.table.file.name
The file name for a topology file, which is used when the
net.topology.node.switch.mapping.impl property is set to
org.apache.hadoop.net.TableMapping. The file format is a two column text
file, with columns separated by whitespace. The first column is a DNS or
IP address and the second column specifies the rack where the address maps.
If no entry corresponding to a host in the cluster is found, then
/default-rack is assumed.
file.stream-buffer-size
4096
The size of buffer to stream files.
The size of this buffer should probably be a multiple of hardware
page size (4096 on Intel x86), and it determines how much data is
buffered during read and write operations.
file.bytes-per-checksum
512
The number of bytes per checksum. Must not be larger than
file.stream-buffer-size
file.client-write-packet-size
65536
Packet size for clients to write
file.blocksize
67108864
Block size
file.replication
1
Replication factor
ftp.stream-buffer-size
4096
The size of buffer to stream files.
The size of this buffer should probably be a multiple of hardware
page size (4096 on Intel x86), and it determines how much data is
buffered during read and write operations.
ftp.bytes-per-checksum
512
The number of bytes per checksum. Must not be larger than
ftp.stream-buffer-size
ftp.client-write-packet-size
65536
Packet size for clients to write
ftp.blocksize
67108864
Block size
ftp.replication
3
Replication factor
tfile.io.chunk.size
1048576
Value chunk size in bytes. Default to
1MB. Values of the length less than the chunk size is
guaranteed to have known value length in read time (See also
TFile.Reader.Scanner.Entry.isValueLengthKnown()).
tfile.fs.output.buffer.size
262144
Buffer size used for FSDataOutputStream in bytes.
tfile.fs.input.buffer.size
262144
Buffer size used for FSDataInputStream in bytes.
hadoop.http.authentication.type
simple
Defines authentication used for Oozie HTTP endpoint.
Supported values are: simple | kerberos | #AUTHENTICATION_HANDLER_CLASSNAME#
hadoop.http.authentication.token.validity
36000
Indicates how long (in seconds) an authentication token is valid before it has
to be renewed.
hadoop.http.authentication.signature.secret.file
${user.home}/hadoop-http-auth-signature-secret
The signature secret for signing the authentication tokens.
A different secret should be used for each service.
hadoop.http.authentication.cookie.domain
The domain to use for the HTTP cookie that stores the authentication token.
In order to authentiation to work correctly across all Hadoop nodes web-consoles
the domain must be correctly set.
IMPORTANT: when using IP addresses, browsers ignore cookies with domain settings.
For this setting to work properly all nodes in the cluster must be configured
to generate URLs with hostname.domain names on it.
hadoop.http.authentication.simple.anonymous.allowed
true
Indicates if anonymous requests are allowed when using 'simple' authentication.
hadoop.http.authentication.kerberos.principal
HTTP/_HOST@LOCALHOST
Indicates the Kerberos principal to be used for HTTP endpoint.
The principal MUST start with 'HTTP/' as per Kerberos HTTP SPNEGO specification.
hadoop.http.authentication.kerberos.keytab
${user.home}/hadoop.keytab
Location of the keytab file with the credentials for the principal.
Referring to the same keytab file Oozie uses for its Kerberos credentials for Hadoop.
hadoop.http.authentication.kerberos.endpoint.whitelist
The comma-separated list of the endpoints that skips Kerberos
authentication. The endpoint must start with '/' and must not
contain special characters afterwards. This parameter is for
the monitoring tools that do not support Kerberos authentication.
Administrator must configure this parameter very carefully
because it allows unauthenticated access to the daemons.
hadoop.http.cross-origin.enabled
false
Enable/disable the cross-origin (CORS) filter.
hadoop.http.cross-origin.allowed-origins
*
Comma separated list of origins that are allowed for web services
needing cross-origin (CORS) support. If a value in the list contains an
asterix (*), a regex pattern, escaping any dots ('.' -> '\.') and replacing
the asterix such that it captures any characters ('*' -> '.*'), is generated.
Values prefixed with 'regex:' are interpreted directly as regular expressions,
e.g. use the expression 'regex:https?:\/\/foo\.bar:([0-9]+)?' to allow any
origin using the 'http' or 'https' protocol in the domain 'foo.bar' on any
port. The use of simple wildcards ('*') is discouraged, and only available for
backward compatibility.
hadoop.http.cross-origin.allowed-methods
GET,POST,HEAD
Comma separated list of methods that are allowed for web
services needing cross-origin (CORS) support.
hadoop.http.cross-origin.allowed-headers
X-Requested-With,Content-Type,Accept,Origin
Comma separated list of headers that are allowed for web
services needing cross-origin (CORS) support.
hadoop.http.cross-origin.max-age
1800
The number of seconds a pre-flighted request can be cached
for web services needing cross-origin (CORS) support.
dfs.ha.fencing.methods
List of fencing methods to use for service fencing. May contain
builtin methods (eg shell, sshfence and powershell) or user-defined method.
dfs.ha.fencing.ssh.connect-timeout
30000
SSH connection timeout, in milliseconds, to use with the builtin
sshfence fencer.
dfs.ha.fencing.ssh.private-key-files
The SSH private key files to use with the builtin sshfence fencer.
ha.zookeeper.quorum
A list of ZooKeeper server addresses, separated by commas, that are
to be used by the ZKFailoverController in automatic failover.
ha.zookeeper.session-timeout.ms
10000
The session timeout to use when the ZKFC connects to ZooKeeper.
Setting this value to a lower value implies that server crashes
will be detected more quickly, but risks triggering failover too
aggressively in the case of a transient error or network blip.
ha.zookeeper.parent-znode
/hadoop-ha
The ZooKeeper znode under which the ZK failover controller stores
its information. Note that the nameservice ID is automatically
appended to this znode, so it is not normally necessary to
configure this, even in a federated environment.
ha.zookeeper.acl
world:anyone:rwcda
A comma-separated list of ZooKeeper ACLs to apply to the znodes
used by automatic failover. These ACLs are specified in the same
format as used by the ZooKeeper CLI.
If the ACL itself contains secrets, you may instead specify a
path to a file, prefixed with the '@' symbol, and the value of
this configuration will be loaded from within.
ha.zookeeper.auth
A comma-separated list of ZooKeeper authentications to add when
connecting to ZooKeeper. These are specified in the same format
as used by the "addauth" command in the ZK CLI. It is
important that the authentications specified here are sufficient
to access znodes with the ACL specified in ha.zookeeper.acl.
If the auths contain secrets, you may instead specify a
path to a file, prefixed with the '@' symbol, and the value of
this configuration will be loaded from within.
hadoop.http.staticuser.user
dr.who
The user name to filter as, on static web filters
while rendering content. An example use is the HDFS
web UI (user to be used for browsing files).
hadoop.ssl.keystores.factory.class
org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory
The keystores factory to use for retrieving certificates.
hadoop.ssl.require.client.cert
false
Whether client certificates are required
hadoop.ssl.hostname.verifier
DEFAULT
The hostname verifier to provide for HttpsURLConnections.
Valid values are: DEFAULT, STRICT, STRICT_IE6, DEFAULT_AND_LOCALHOST and
ALLOW_ALL
hadoop.ssl.server.conf
ssl-server.xml
Resource file from which ssl server keystore information will be extracted.
This file is looked up in the classpath, typically it should be in Hadoop
conf/ directory.
hadoop.ssl.client.conf
ssl-client.xml
Resource file from which ssl client keystore information will be extracted
This file is looked up in the classpath, typically it should be in Hadoop
conf/ directory.
hadoop.ssl.enabled.protocols
TLSv1.2
The supported SSL protocols. The parameter will only be used from
DatanodeHttpServer.
Starting from Hadoop 3.3.0, TLSv1.3 is supported with Java 11 Runtime.
hadoop.jetty.logs.serve.aliases
true
Enable/Disable aliases serving from jetty
fs.permissions.umask-mode
022
The umask used when creating files and directories.
Can be in octal or in symbolic. Examples are:
"022" (octal for u=rwx,g=r-x,o=r-x in symbolic),
or "u=rwx,g=rwx,o=" (symbolic for 007 in octal).
ha.health-monitor.connect-retry-interval.ms
1000
How often to retry connecting to the service.
ha.health-monitor.check-interval.ms
1000
How often to check the service.
ha.health-monitor.sleep-after-disconnect.ms
1000
How long to sleep after an unexpected RPC error.
ha.health-monitor.rpc.connect.max.retries
1
The number of retries on connect error when establishing RPC proxy
connection to NameNode, used for monitorHealth() calls.
ha.health-monitor.rpc-timeout.ms
45000
Timeout for the actual monitorHealth() calls.
ha.failover-controller.new-active.rpc-timeout.ms
60000
Timeout that the FC waits for the new active to become active
ha.failover-controller.graceful-fence.rpc-timeout.ms
5000
Timeout that the FC waits for the old active to go to standby
ha.failover-controller.graceful-fence.connection.retries
1
FC connection retries for graceful fencing
ha.failover-controller.active-standby-elector.zk.op.retries
3
The number of zookeeper operation retry times in ActiveStandbyElector
ha.failover-controller.cli-check.rpc-timeout.ms
20000
Timeout that the CLI (manual) FC waits for monitorHealth, getServiceState
ipc.client.fallback-to-simple-auth-allowed
false
When a client is configured to attempt a secure connection, but attempts to
connect to an insecure server, that server may instruct the client to
switch to SASL SIMPLE (unsecure) authentication. This setting controls
whether or not the client will accept this instruction from the server.
When false (the default), the client will not allow the fallback to SIMPLE
authentication, and will abort the connection.
fs.client.resolve.remote.symlinks
true
Whether to resolve symlinks when accessing a remote Hadoop filesystem.
Setting this to false causes an exception to be thrown upon encountering
a symlink. This setting does not apply to local filesystems, which
automatically resolve local symlinks.
nfs.exports.allowed.hosts
* rw
By default, the export can be mounted by any client. The value string
contains machine name and access privilege, separated by whitespace
characters. The machine name format can be a single host, a Java regular
expression, or an IPv4 address. The access privilege uses rw or ro to
specify read/write or read-only access of the machines to exports. If the
access privilege is not provided, the default is read-only. Entries are separated by ";".
For example: "192.168.0.0/22 rw ; host.*\.example\.com ; host1.test.org ro;".
Only the NFS gateway needs to restart after this property is updated.
hadoop.user.group.static.mapping.overrides
dr.who=;
Static mapping of user to groups. This will override the groups if
available in the system for the specified user. In other words, groups
look-up will not happen for these users, instead groups mapped in this
configuration will be used.
Mapping should be in this format.
user1=group1,group2;user2=;user3=group2;
Default, "dr.who=;" will consider "dr.who" as user without groups.
rpc.metrics.quantile.enable
false
Setting this property to true and rpc.metrics.percentiles.intervals
to a comma-separated list of the granularity in seconds, the
50/75/90/95/99th percentile latency for rpc queue/processing time in
milliseconds are added to rpc metrics.
rpc.metrics.timeunit
MILLISECONDS
This property is used to configure timeunit for various RPC Metrics
e.g rpcQueueTime, rpcLockWaitTime, rpcProcessingTime,
deferredRpcProcessingTime. In the absence of this property,
default timeunit used is milliseconds.
The value of this property should match to any one value of enum:
java.util.concurrent.TimeUnit.
Some of the valid values: NANOSECONDS, MICROSECONDS, MILLISECONDS,
SECONDS etc.
rpc.metrics.percentiles.intervals
A comma-separated list of the granularity in seconds for the metrics which
describe the 50/75/90/95/99th percentile latency for rpc queue/processing
time. The metrics are outputted if rpc.metrics.quantile.enable is set to
true.
hadoop.security.crypto.codec.classes.EXAMPLECIPHERSUITE
The prefix for a given crypto codec, contains a comma-separated
list of implementation classes for a given crypto codec (eg EXAMPLECIPHERSUITE).
The first implementation will be used if available, others are fallbacks.
hadoop.security.crypto.codec.classes.aes.ctr.nopadding
org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec, org.apache.hadoop.crypto.JceAesCtrCryptoCodec
Comma-separated list of crypto codec implementations for AES/CTR/NoPadding.
The first implementation will be used if available, others are fallbacks.
hadoop.security.crypto.codec.classes.sm4.ctr.nopadding
org.apache.hadoop.crypto.OpensslSm4CtrCryptoCodec, org.apache.hadoop.crypto.JceSm4CtrCryptoCodec
Comma-separated list of crypto codec implementations for SM4/CTR/NoPadding.
The first implementation will be used if available, others are fallbacks.
hadoop.security.openssl.engine.id
The Openssl provided an engine mechanism that allow to specify third-party software
encryption library or hardware encryption device for encryption. The engine ID could
be vendor defined and will be passed to openssl, more info please see:
https://github.com/openssl/openssl/blob/master/README.ENGINE
hadoop.security.crypto.cipher.suite
AES/CTR/NoPadding
Cipher suite for crypto codec.
hadoop.security.crypto.jce.provider
The JCE provider name used in CryptoCodec.
hadoop.security.crypto.jceks.key.serialfilter
Enhanced KeyStore Mechanisms in JDK 8u171 introduced jceks.key.serialFilter.
If jceks.key.serialFilter is configured, the JCEKS KeyStore uses it during
the deserialization of the encrypted Key object stored inside a
SecretKeyEntry.
If jceks.key.serialFilter is not configured it will cause an error when
recovering keystore file in KeyProviderFactory when recovering key from
keystore file using JDK 8u171 or newer. The filter pattern uses the same
format as jdk.serialFilter.
The value of this property will be used as the following:
1. The value of jceks.key.serialFilter system property takes precedence
over the value of this property.
2. In the absence of jceks.key.serialFilter system property the value of
this property will be set as the value of jceks.key.serialFilter.
3. If the value of this property and jceks.key.serialFilter system
property has not been set, org.apache.hadoop.crypto.key.KeyProvider
sets a default value for jceks.key.serialFilter.
hadoop.security.crypto.buffer.size
8192
The buffer size used by CryptoInputStream and CryptoOutputStream.
hadoop.security.java.secure.random.algorithm
SHA1PRNG
The java secure random algorithm.
hadoop.security.secure.random.impl
org.apache.hadoop.crypto.random.OpensslSecureRandom
Implementation of secure random.
hadoop.security.random.device.file.path
/dev/urandom
OS security random device file path.
hadoop.security.key.provider.path
The KeyProvider to use when managing zone keys, and interacting with
encryption keys when reading and writing to an encryption zone.
For hdfs clients, the provider path will be same as namenode's
provider path.
hadoop.security.key.default.bitlength
128
The length (bits) of keys we want the KeyProvider to produce. Key length
defines the upper-bound on an algorithm's security, ideally, it would
coincide with the lower-bound on an algorithm's security.
hadoop.security.key.default.cipher
AES/CTR/NoPadding
This indicates the algorithm that be used by KeyProvider for generating
key, and will be converted to CipherSuite when creating encryption zone.
fs.har.impl.disable.cache
true
Don't cache 'har' filesystem instances.
hadoop.security.kms.client.authentication.retry-count
1
Number of time to retry connecting to KMS on authentication failure
hadoop.security.kms.client.encrypted.key.cache.size
500
Size of the EncryptedKeyVersion cache Queue for each key
hadoop.security.kms.client.encrypted.key.cache.low-watermark
0.3f
If size of the EncryptedKeyVersion cache Queue falls below the
low watermark, this cache queue will be scheduled for a refill
hadoop.security.kms.client.encrypted.key.cache.num.refill.threads
2
Number of threads to use for refilling depleted EncryptedKeyVersion
cache Queues
hadoop.security.kms.client.encrypted.key.cache.expiry
43200000
Cache expiry time for a Key, after which the cache Queue for this
key will be dropped. Default = 12hrs
hadoop.security.kms.client.timeout
60
Sets value for KMS client connection timeout, and the read timeout
to KMS servers.
hadoop.security.kms.client.failover.sleep.base.millis
100
Expert only. The time to wait, in milliseconds, between failover
attempts increases exponentially as a function of the number of
attempts made so far, with a random factor of +/- 50%. This option
specifies the base value used in the failover calculation. The
first failover will retry immediately. The 2nd failover attempt
will delay at least hadoop.security.client.failover.sleep.base.millis
milliseconds. And so on.
hadoop.security.kms.client.failover.sleep.max.millis
2000
Expert only. The time to wait, in milliseconds, between failover
attempts increases exponentially as a function of the number of
attempts made so far, with a random factor of +/- 50%. This option
specifies the maximum value to wait between failovers.
Specifically, the time between two failover attempts will not
exceed +/- 50% of hadoop.security.client.failover.sleep.max.millis
milliseconds.
ipc.server.max.connections
0
The maximum number of concurrent connections a server is allowed
to accept. If this limit is exceeded, incoming connections will first fill
the listen queue and then may go to an OS-specific listen overflow queue.
The client may fail or timeout, but the server can avoid running out of file
descriptors using this feature. 0 means no limit.
hadoop.registry.zk.root
/registry
The root zookeeper node for the registry
hadoop.registry.zk.session.timeout.ms
60000
Zookeeper session timeout in milliseconds
hadoop.registry.zk.connection.timeout.ms
15000
Zookeeper connection timeout in milliseconds
hadoop.registry.zk.retry.times
5
Zookeeper connection retry count before failing
hadoop.registry.zk.retry.interval.ms
1000
hadoop.registry.zk.retry.ceiling.ms
60000
Zookeeper retry limit in milliseconds, during
exponential backoff.
This places a limit even
if the retry times and interval limit, combined
with the backoff policy, result in a long retry
period
hadoop.registry.zk.quorum
localhost:2181
List of hostname:port pairs defining the
zookeeper quorum binding for the registry
hadoop.registry.secure
false
Key to set if the registry is secure. Turning it on
changes the permissions policy from "open access"
to restrictions on kerberos with the option of
a user adding one or more auth key pairs down their
own tree.
hadoop.registry.system.acls
sasl:yarn@, sasl:mapred@, sasl:hdfs@
A comma separated list of Zookeeper ACL identifiers with
system access to the registry in a secure cluster.
These are given full access to all entries.
If there is an "@" at the end of a SASL entry it
instructs the registry client to append the default kerberos domain.
hadoop.registry.kerberos.realm
The kerberos realm: used to set the realm of
system principals which do not declare their realm,
and any other accounts that need the value.
If empty, the default realm of the running process
is used.
If neither are known and the realm is needed, then the registry
service/client will fail.
hadoop.registry.jaas.context
Client
Key to define the JAAS context. Used in secure
mode
hadoop.shell.missing.defaultFs.warning
false
Enable hdfs shell commands to display warnings if (fs.defaultFS) property
is not set.
hadoop.shell.safely.delete.limit.num.files
100
Used by -safely option of hadoop fs shell -rm command to avoid
accidental deletion of large directories. When enabled, the -rm command
requires confirmation if the number of files to be deleted is greater than
this limit. The default limit is 100 files. The warning is disabled if
the limit is 0 or the -safely is not specified in -rm command.
fs.client.htrace.sampler.classes
The class names of the HTrace Samplers to use for Hadoop
filesystem clients.
hadoop.htrace.span.receiver.classes
The class names of the Span Receivers to use for Hadoop.
hadoop.http.logs.enabled
true
Enable the "/logs" endpoint on all Hadoop daemons, which serves local
logs, but may be considered a security risk due to it listing the contents
of a directory.
fs.client.resolve.topology.enabled
false
Whether the client machine will use the class specified by
property net.topology.node.switch.mapping.impl to compute the network
distance between itself and remote machines of the FileSystem. Additional
properties might need to be configured depending on the class specified
in net.topology.node.switch.mapping.impl. For example, if
org.apache.hadoop.net.ScriptBasedMapping is used, a valid script file
needs to be specified in net.topology.script.file.name.
fs.adl.impl
org.apache.hadoop.fs.adl.AdlFileSystem
fs.AbstractFileSystem.adl.impl
org.apache.hadoop.fs.adl.Adl
adl.feature.ownerandgroup.enableupn
false
When true : User and Group in FileStatus/AclStatus response is
represented as user friendly name as per Azure AD profile.
When false (default) : User and Group in FileStatus/AclStatus
response is represented by the unique identifier from Azure AD
profile (Object ID as GUID).
For optimal performance, false is recommended.
fs.adl.oauth2.access.token.provider.type
ClientCredential
Defines Azure Active Directory OAuth2 access token provider type.
Supported types are ClientCredential, RefreshToken, MSI, DeviceCode,
and Custom.
The ClientCredential type requires property fs.adl.oauth2.client.id,
fs.adl.oauth2.credential, and fs.adl.oauth2.refresh.url.
The RefreshToken type requires property fs.adl.oauth2.client.id and
fs.adl.oauth2.refresh.token.
The MSI type reads optional property fs.adl.oauth2.msi.port, if specified.
The DeviceCode type requires property
fs.adl.oauth2.devicecode.clientapp.id.
The Custom type requires property fs.adl.oauth2.access.token.provider.
fs.adl.oauth2.client.id
The OAuth2 client id.
fs.adl.oauth2.credential
The OAuth2 access key.
fs.adl.oauth2.refresh.url
The OAuth2 token endpoint.
fs.adl.oauth2.refresh.token
The OAuth2 refresh token.
fs.adl.oauth2.access.token.provider
The class name of the OAuth2 access token provider.
fs.adl.oauth2.msi.port
The localhost port for the MSI token service. This is the port specified
when creating the Azure VM. The default, if this setting is not specified,
is 50342.
Used by MSI token provider.
fs.adl.oauth2.devicecode.clientapp.id
The app id of the AAD native app in whose context the auth request
should be made.
Used by DeviceCode token provider.
adl.http.timeout
-1
Base timeout (in milliseconds) for HTTP requests from the ADL SDK. Values
of zero or less cause the SDK default to be used instead.
adl.ssl.channel.mode
Valid inputs are OpenSSL, Default_JSE and Default (case insensitive).
If config is missing or is invalid, SSL Channel mode will be set to Default.
When OpenSSL, SSL socket connections are created in OpenSSL mode.
When Default_JSE, SSL socket connections are created in the default JSE mode.
When Default, SSL socket connections are attempted with OpenSSL
and will fallback to Default_JSE mode if OpenSSL is not available at runtime.
hadoop.caller.context.enabled
false
When the feature is enabled, additional fields are written into
name-node audit log records for auditing coarse granularity operations.
hadoop.caller.context.max.size
128
The maximum bytes a caller context string can have. If the
passed caller context is longer than this maximum bytes, client will
truncate it before sending to server. Note that the server may have a
different maximum size, and will truncate the caller context to the
maximum size it allows.
hadoop.caller.context.signature.max.size
40
The caller's signature (optional) is for offline validation. If the
signature exceeds the maximum allowed bytes in server, the caller context
will be abandoned, in which case the caller context will not be recorded
in audit logs.
hadoop.caller.context.separator
,
The separator is for context which maybe contain many fields. For example,
if the separator is ',', and there are two key/value fields in context,
in which case the context string is "key1:value1,key2:value2". The
separator should not contain '\t', '\n', '='.
seq.io.sort.mb
100
The total amount of buffer memory to use while sorting files,
while using SequenceFile.Sorter, in megabytes. By default,
gives each merge stream 1MB, which should minimize seeks.
seq.io.sort.factor
100
The number of streams to merge at once while sorting
files using SequenceFile.Sorter.
This determines the number of open file handles.
hadoop.zk.address
Host:Port of the ZooKeeper server to be used.
hadoop.zk.num-retries
1000
Number of tries to connect to ZooKeeper.
hadoop.zk.retry-interval-ms
1000
Retry interval in milliseconds when connecting to ZooKeeper.
hadoop.zk.timeout-ms
10000
ZooKeeper session timeout in milliseconds. Session expiration
is managed by the ZooKeeper cluster itself, not by the client. This value is
used by the cluster to determine when the client's session expires.
Expirations happens when the cluster does not hear from the client within
the specified session timeout period (i.e. no heartbeat).
hadoop.zk.acl
world:anyone:rwcda
ACL's to be used for ZooKeeper znodes.
hadoop.zk.auth
Specify the auths to be used for the ACL's specified in hadoop.zk.acl.
This takes a comma-separated list of authentication mechanisms, each of the
form 'scheme:auth' (the same syntax used for the 'addAuth' command in
the ZK CLI).
hadoop.system.tags
YARN,HDFS,NAMENODE,DATANODE,REQUIRED,SECURITY,KERBEROS,PERFORMANCE,CLIENT
,SERVER,DEBUG,DEPRECATED,COMMON,OPTIONAL
Deprecated. Please use hadoop.tags.system instead.
hadoop.tags.system
YARN,HDFS,NAMENODE,DATANODE,REQUIRED,SECURITY,KERBEROS,PERFORMANCE,CLIENT
,SERVER,DEBUG,DEPRECATED,COMMON,OPTIONAL
System tags to group related properties together.
ipc.client.bind.wildcard.addr
false
When set to true Clients will bind socket to wildcard
address. (i.e 0.0.0.0)
hadoop.domainname.resolver.impl
org.apache.hadoop.net.DNSDomainNameResolver
The implementation of DomainNameResolver used for service (NameNodes,
RBF Routers etc) discovery. The default implementation
org.apache.hadoop.net.DNSDomainNameResolver returns all IP addresses associated
with the input domain name of the services by querying the underlying DNS.
dfs.client.ignore.namenode.default.kms.uri
false
Ignore KMS default URI returned from NameNode.
When set to true, kms uri is searched in the following order:
1. If there is a mapping in Credential's secrets map for namenode uri.
2. Fallback to local conf. (i.e hadoop.security.key.provider.path)
If client choose to ignore KMS uri provided by NameNode then client
should set KMS URI using 'hadoop.security.key.provider.path' to access
the right KMS for encrypted files.
hadoop.prometheus.endpoint.enabled
false
If set to true, prometheus compatible metric page on the HTTP servers
is enabled via '/prom' endpoint.
fs.getspaceused.classname
The class that can tell estimate much space is used in a directory.
There are four impl classes that being supported:
org.apache.hadoop.fs.DU(default), org.apache.hadoop.fs.WindowsGetSpaceUsed
org.apache.hadoop.fs.DFCachingGetSpaceUsed and
org.apache.hadoop.hdfs.server.datanode.fsdataset.impl.ReplicaCachingGetSpaceUsed.
And the ReplicaCachingGetSpaceUsed impl class only used in HDFS module.
fs.getspaceused.jitterMillis
60000
fs space usage statistics refresh jitter in msec.
hadoop.http.sni.host.check.enabled
false
Enable Server Name Indication (SNI) host check for HTTPS enabled server.
hadoop.metrics.jvm.use-thread-mxbean
false
Whether or not ThreadMXBean is used for getting thread info in JvmMetrics,
ThreadGroup approach is preferred for better performance.
fs.AbstractFileSystem.ofs.impl
org.apache.hadoop.fs.ozone.RootedOzFs
The AbstractFileSystem for Rooted Ozone
FileSystem ofs uri
fs.AbstractFileSystem.o3fs.impl
org.apache.hadoop.fs.ozone.OzFs
The AbstractFileSystem for Ozone FileSystem o3fs uri