Impala Properties in CDH 4.7.0

impalacatalogserverdefaultgroup

Advanced

Display Name Description Related Name Default Value API Name Required
Impala Catalog Server Environment Advanced Configuration Snippet (Safety Valve) For advanced use only, key-value pairs (one on each line) to be inserted into a role's environment. Applies to configurations of this role except client configuration. CATALOGSERVER_role_env_safety_valve false
Catalog Server Command Line Argument Advanced Configuration Snippet (Safety Valve) For advanced use only, key-value pairs (one on each line) to be added (verbatim) to Catalog Server command line flags. Key names should begin with a hyphen (-). For example: -log_filename=foo.log catalogd_cmd_args_safety_valve false
Catalog Server HBase Advanced Configuration Snippet (Safety Valve) For advanced use only, a string to be inserted into hbase-site.xml for this role only. catalogd_hbase_conf_safety_valve false
Catalog Server HDFS Advanced Configuration Snippet (Safety Valve) For advanced use only, a string to be inserted into hdfs-site.xml for this role only. catalogd_hdfs_site_conf_safety_valve false
Catalog Server Hive Advanced Configuration Snippet (Safety Valve) For advanced use only, a string to be inserted into hive-site.xml for this role only. catalogd_hive_conf_safety_valve false
Catalog Server Core Dump Directory Directory where Catalog Server core dump will be placed. core_dump_dir /var/log/catalogd core_dump_dir false
Catalog Server Hive Metastore Connection Timeout Timeout for requests to the Hive Metastore Server from Catalog Server. Consider increasing this if you have tables with a lot of metadata and see timeout errors. hive.metastore.client.socket.timeout 1 hour(s) hive_metastore_timeout false
Load Catalog in Background If true, loads catalog metadata in the background. If false, metadata is loaded lazily (on access). Only effective in CDH 5 and Impala 1.2.4 and higher. load_catalog_in_background true load_catalog_in_background false
Automatically Restart Process When set, this role's process is automatically (and transparently) restarted in the event of an unexpected failure. true process_auto_restart true

Logs

Display Name Description Related Name Default Value API Name Required
Catalog Server Log Directory Directory where Catalog Server will place its log files. log_dir /var/log/catalogd log_dir false
Impala Catalog Server Logging Threshold The minimum log level for Impala Catalog Server logs INFO log_threshold false
Catalog Server Verbose Log Level Verbose logging level for the GLog logger. These messages are always logged at 'INFO' log level, so this setting has no effect if Logging Threshold is set to 'WARN' or above. GLOG_v 1 log_verbose_level false
Catalog Server Log Buffer Level Buffer log messages logged at this level or lower (-1 means don't buffer; 0 means buffer INFO only; 1 means buffer WARNING only, ...) logbuflevel 0 logbuflevel false
Impala Catalog Server Max Log Size The maximum size, in megabytes, per log file for Impala Catalog Server logs. Typically used by log4j or logback. 200 MiB max_log_size false

Monitoring

Display Name Description Related Name Default Value API Name Required
Catalog Server Connectivity Health Test Enables the health test that verifies the Catalog Server is connected to the StateStore true catalogserver_connectivity_health_enabled false
Catalog Server Connectivity Tolerance at Startup The amount of time to wait for the Catalog Server to fully start up and connect to the StateStore before enforcing the connectivity check. 3 minute(s) catalogserver_connectivity_tolerance false
File Descriptor Monitoring Thresholds The health test thresholds of the number of file descriptors used. Specified as a percentage of file descriptor limit. Warning: 50.0 %, Critical: 70.0 % catalogserver_fd_thresholds false
Impala Catalog Server Host Health Test When computing the overall Impala Catalog Server health, consider the host's health. true catalogserver_host_health_enabled false
Impala Catalog Server Process Health Test Enables the health test that the Impala Catalog Server's process state is consistent with the role configuration true catalogserver_scm_health_enabled false
Health Check Startup Tolerance The amount of time allowed after this role is started that failures of health checks that rely on communication with this role will be tolerated. 5 minute(s) catalogserver_startup_tolerance false
Web Metric Collection Enables the health test that the Cloudera Manager Agent can successfully contact and gather metrics from the web server. true catalogserver_web_metric_collection_enabled false
Web Metric Collection Duration The health test thresholds on the duration of the metrics request to the web server. Warning: 10 second(s), Critical: Never catalogserver_web_metric_collection_thresholds false
Enable Health Alerts for this Role When set, Cloudera Manager will send alerts when the health of this role reaches the threshold specified by the EventServer setting eventserver_health_events_alert_threshold true enable_alerts false
Enable Configuration Change Alerts When set, Cloudera Manager will send alerts when this entity's configuration changes. false enable_config_alerts false
Heap Dump Directory Free Space Monitoring Absolute Thresholds The health test thresholds for monitoring of free space on the filesystem that contains this role's heap dump directory. Warning: 10 GiB, Critical: 5 GiB heap_dump_directory_free_space_absolute_thresholds false
Heap Dump Directory Free Space Monitoring Percentage Thresholds The health test thresholds for monitoring of free space on the filesystem that contains this role's heap dump directory. Specified as a percentage of the capacity on that filesystem. This setting is not used if a Heap Dump Directory Free Space Monitoring Absolute Thresholds setting is configured. Warning: Never, Critical: Never heap_dump_directory_free_space_percentage_thresholds false
Log Directory Free Space Monitoring Absolute Thresholds The health test thresholds for monitoring of free space on the filesystem that contains this role's log directory. Warning: 10 GiB, Critical: 5 GiB log_directory_free_space_absolute_thresholds false
Log Directory Free Space Monitoring Percentage Thresholds The health test thresholds for monitoring of free space on the filesystem that contains this role's log directory. Specified as a percentage of the capacity on that filesystem. This setting is not used if a Log Directory Free Space Monitoring Absolute Thresholds setting is configured. Warning: Never, Critical: Never log_directory_free_space_percentage_thresholds false
Resident Set Size Thresholds The health test thresholds on the resident size of the process. Warning: Never, Critical: Never process_resident_set_size_thresholds false
Process Swap Memory Thresholds The health test thresholds on the swap memory usage of the process. Warning: Any, Critical: Never process_swap_memory_thresholds false
Role Triggers The configured triggers for this role. This is a JSON formatted list of triggers. These triggers are evaluated as part of the health system. Every trigger expression is parsed, and if the trigger condition is met, the list of actions provided in the trigger expression is executed. Each trigger has all of the following fields:
  • triggerName (mandatory) - The name of the trigger. This value must be unique for the specific role.
  • triggerExpression (mandatory) - A tsquery expression representing the trigger.
  • streamThreshold (optional) - The maximum number of streams that can satisfy a condition of a trigger before the condition fires. By default set to 0, and any stream returned causes the condition to fire.
  • enabled (optional) - By default set to 'true'. If set to 'false', the trigger will not be evaluated.
  • expressionEditorConfig (optional) - Metadata for the trigger editor. If present, the trigger should only be edited from the Edit Trigger page; editing the trigger here may lead to inconsistencies.
For example, the following JSON formatted trigger configured for a DataNode fires if the DataNode has more than 1500 file-descriptors opened:
[{"triggerName": "sample-trigger", "triggerExpression": "IF (SELECT fd_open WHERE roleName=$ROLENAME and last(fd_open) > 1500) DO health:bad", "streamThreshold": 0, "enabled": "true"}]
See the trigger rules documentation for more details on how to write triggers using tsquery. The JSON format is evolving and may change in the future and, as a result, backward compatibility is not guaranteed between releases at this time.
[] role_triggers true
Unexpected Exits Thresholds The health test thresholds for unexpected exits encountered within a recent period specified by the unexpected_exits_window configuration for the role. Warning: Never, Critical: Any unexpected_exits_thresholds false
Unexpected Exits Monitoring Period The period to review when computing unexpected exits. 5 minute(s) unexpected_exits_window false

Other

Display Name Description Related Name Default Value API Name Required
Enable Catalog Server Web Server Enable/Disable Catalog Server web server. This web server contains useful information about Catalog Server daemon. enable_webserver true catalogd_enable_webserver false

Performance

Display Name Description Related Name Default Value API Name Required
Maximum Process File Descriptors If configured, overrides the process soft and hard rlimits (also called ulimits) for file descriptors to the configured value. rlimit_fds false

Ports and Addresses

Display Name Description Related Name Default Value API Name Required
Catalog Server Service Port Port where Catalog Server is exported. catalog_service_port 26000 catalog_service_port false
Catalog Server HTTP Server Port Port where Catalog Server debug web server runs. webserver_port 25020 catalogserver_webserver_port false

Resource Management

Display Name Description Related Name Default Value API Name Required
Cgroup CPU Shares Number of CPU shares to assign to this role. The greater the number of shares, the larger the share of the host's CPUs that will be given to this role when the host experiences CPU contention. Must be between 2 and 262144. Defaults to 1024 for processes not managed by Cloudera Manager. cpu.shares 1024 rm_cpu_shares true
Cgroup I/O Weight Weight for the read I/O requests issued by this role. The greater the weight, the higher the priority of the requests when the host experiences I/O contention. Must be between 100 and 1000. Defaults to 1000 for processes not managed by Cloudera Manager. blkio.weight 500 rm_io_weight true
Cgroup Memory Hard Limit Hard memory limit to assign to this role, enforced by the Linux kernel. When the limit is reached, the kernel will reclaim pages charged to the process. If reclaiming fails, the kernel may kill the process. Both anonymous as well as page cache pages contribute to the limit. Use a value of -1 B to specify no limit. By default processes not managed by Cloudera Manager will have no limit. memory.limit_in_bytes -1 MiB rm_memory_hard_limit true
Cgroup Memory Soft Limit Soft memory limit to assign to this role, enforced by the Linux kernel. When the limit is reached, the kernel will reclaim pages charged to the process if and only if the host is facing memory pressure. If reclaiming fails, the kernel may kill the process. Both anonymous as well as page cache pages contribute to the limit. Use a value of -1 B to specify no limit. By default processes not managed by Cloudera Manager will have no limit. memory.soft_limit_in_bytes -1 MiB rm_memory_soft_limit true

Security

Display Name Description Related Name Default Value API Name Required
SSL/TLS Certificate for Catalog Server Webserver Local path to the certificate presented by the Catalog Server debug webserver. This file must be in .pem format. If empty, webserver SSL/TLS support is not enabled. webserver_certificate_file webserver_certificate_file false
Catalog Server Web Server User Password Password for Catalog Server web server authentication. webserver_htpassword_password webserver_htpassword_password false
Catalog Server Web Server Username Username for Catalog Server web server authentication. webserver_htpassword_user webserver_htpassword_user false

impaladaemondefaultgroup

Advanced

Display Name Description Related Name Default Value API Name Required
Impala Daemon Environment Advanced Configuration Snippet (Safety Valve) For advanced use only, key-value pairs (one on each line) to be inserted into a role's environment. Applies to configurations of this role except client configuration. IMPALAD_role_env_safety_valve false
Abort on Config Error Abort Impala startup if there are improper configs or running on unsupported hardware. abort_on_config_error true abort_on_config_error false
Impala Daemon Core Dump Directory Directory where Impala Daemon core dump will be placed. core_dump_dir /var/log/impalad core_dump_dir false
Impala Daemon Hive Metastore Connection Timeout Timeout for requests to the Hive Metastore Server from Impala. Consider increasing this if you have tables with a lot of metadata and see timeout errors. hive.metastore.client.socket.timeout 1 hour(s) hive_metastore_timeout false
Impala Daemon HDFS Advanced Configuration Snippet (Safety Valve) For advanced use only, a string to be inserted into hdfs-site.xml for this role only. impala_hdfs_site_conf_safety_valve false
Impala Daemon Hive Advanced Configuration Snippet (Safety Valve) For advanced use only, a string to be inserted into hive-site.xml for this role only. impala_hive_conf_safety_valve false
Impala Daemon Llama Site Advanced Configuration Snippet (Safety Valve) An XML snippet to append to llama-site.xml for Impala Daemons. This configuration only has effect on Impala versions 1.3 or greater. impala_llama_site_conf_safety_valve false
Impala Daemon Command Line Argument Advanced Configuration Snippet (Safety Valve) For advanced use only, key-value pairs (one on each line) to be added (verbatim) to Impala Daemon command-line flags. Key names should begin with a hyphen (-). For example: -log_filename=foo.log impalad_cmd_args_safety_valve false
Impala Daemon Fair Scheduler Advanced Configuration Snippet (Safety Valve) An XML string to use verbatim for the contents of fair-scheduler.xml for Impala Daemons. This configuration only has effect on Impala versions 1.3 or greater. impalad_fair_scheduler_safety_valve false
Impala Daemon HBase Advanced Configuration Snippet (Safety Valve) For advanced use only, a string to be inserted into hbase-site.xml for this role only. impalad_hbase_conf_safety_valve false
Result Cache Maximum Size Maximum number of query results a client may request to be cached on a per-query basis to support restarting fetches. This option guards against unreasonably large result caches requested by clients. Requests exceeding this maximum will be rejected. max_result_cache_size 100000 impalad_result_cache_max_size false
Impala Daemon Logging Advanced Configuration Snippet (Safety Valve) For advanced use only, a string to be inserted into log4j.properties for this role only. log4j_safety_valve false
Automatically Restart Process When set, this role's process is automatically (and transparently) restarted in the event of an unexpected failure. true process_auto_restart true

Logs

Display Name Description Related Name Default Value API Name Required
Impala Daemon Audit Log Directory The directory in which Impala daemon audit event log files are written. If the "Impala Audit Event Generation" property is enabled, Impala will generate its audit logs in this directory. audit_event_log_dir /var/log/impalad/audit audit_event_log_dir true
Enable Impala Audit Event Generation Enables audit event generation by Impala daemons. The audit log file will be placed in the directory specified by the 'Impala Daemon Audit Log Directory' parameter. enable_audit_event_log false enable_audit_event_log false
Enable Impala Lineage Generation Enables lineage generation by Impala daemons. The lineage log file is placed in the directory specified by the 'Impala Daemon Lineage Log Directory' parameter. enable_lineage_log true enable_lineage_log false
Impala Daemon Lineage Log Directory The directory in which Impala daemon lineage log files are written. If the "Impala Lineage Generation" property is enabled, Impala generates its lineage logs in this directory. lineage_event_log_dir /var/log/impalad/lineage lineage_event_log_dir true
Impala Daemon Log Directory Directory where Impala Daemon will place its log files. log_dir /var/log/impalad log_dir false
Impala Daemon Logging Threshold The minimum log level for Impala Daemon logs INFO log_threshold false
Impala Daemon Verbose Log Level Verbose logging level for the GLog logger. These messages are always logged at 'INFO' log level, so this setting has no effect if Logging Threshold is set to 'WARN' or above. GLOG_v 1 log_verbose_level false
Impala Daemon Log Buffer Level Buffer log messages logged at this level or lower (-1 means don't buffer; 0 means buffer INFO only; 1 means buffer WARNING only, ...) logbuflevel 0 logbuflevel false
Impala Daemon Maximum Audit Log File Size The maximum size (in queries) of the Impala Daemon audit event log file before a new one is created. max_audit_event_log_file_size 5000 line(s) max_audit_event_log_file_size false
Impala Daemon Maximum Lineage Log File Size The maximum size (in entries) of the Impala daemon lineage log file before a new one is created. max_lineage_log_file_size 5000 line(s) max_lineage_log_file_size false
Impala Daemon Max Log Size The maximum size, in megabytes, per log file for Impala Daemon logs. Typically used by log4j or logback. 200 MiB max_log_size false

Monitoring

Display Name Description Related Name Default Value API Name Required
Enable Health Alerts for this Role When set, Cloudera Manager will send alerts when the health of this role reaches the threshold specified by the EventServer setting eventserver_health_events_alert_threshold true enable_alerts false
Enable Configuration Change Alerts When set, Cloudera Manager will send alerts when this entity's configuration changes. false enable_config_alerts false
Query Monitoring Timeout The timeout used by the Cloudera Manager Agent's query monitor when communicating with the Impala Daemon web server, specified in seconds. 5.0 second(s) executing_queries_timeout_seconds false
Heap Dump Directory Free Space Monitoring Absolute Thresholds The health test thresholds for monitoring of free space on the filesystem that contains this role's heap dump directory. Warning: 10 GiB, Critical: 5 GiB heap_dump_directory_free_space_absolute_thresholds false
Heap Dump Directory Free Space Monitoring Percentage Thresholds The health test thresholds for monitoring of free space on the filesystem that contains this role's heap dump directory. Specified as a percentage of the capacity on that filesystem. This setting is not used if a Heap Dump Directory Free Space Monitoring Absolute Thresholds setting is configured. Warning: Never, Critical: Never heap_dump_directory_free_space_percentage_thresholds false
Impala Daemon Connectivity Health Test Enables the health test that verifies the Impala Daemon is connected to the StateStore. true impalad_connectivity_health_enabled false
Impala Daemon Connectivity Tolerance at Startup The amount of time to wait for the Impala Daemon to fully start up and connect to the StateStore before enforcing the connectivity check. 3 minute(s) impalad_connectivity_tolerance false
File Descriptor Monitoring Thresholds The health test thresholds of the number of file descriptors used. Specified as a percentage of file descriptor limit. Warning: 50.0 %, Critical: 70.0 % impalad_fd_thresholds false
Impala Daemon Host Health Test When computing the overall Impala Daemon health, consider the host's health. true impalad_host_health_enabled false
Impala Daemon Ready Status Health Check Enables the health check that determines if the Impala daemon is ready to process queries. true impalad_ready_status_check_enabled false
Impala Daemon Ready Status Startup Tolerance The amount of time at Impala Daemon startup allowed for the Impala Daemon to start accepting new queries for processing. 3 minute(s) impalad_ready_status_check_startup_tolerance false
Impala Daemon Process Health Test Enables the health test that the Impala Daemon's process state is consistent with the role configuration true impalad_scm_health_enabled false
Impala Daemon Scratch Directories Free Space Monitoring Absolute Thresholds The health test thresholds for monitoring of free space on the filesystem that contains this role's Impala Daemon Scratch Directories. Warning: 10 GiB, Critical: 5 GiB impalad_scratch_directories_free_space_absolute_thresholds false
Impala Daemon Scratch Directories Free Space Monitoring Percentage Thresholds The health test thresholds for monitoring of free space on the filesystem that contains this role's Impala Daemon Scratch Directories. Specified as a percentage of the capacity on that filesystem. This setting is not used if an Impala Daemon Scratch Directories Free Space Monitoring Absolute Thresholds setting is configured. Warning: Never, Critical: Never impalad_scratch_directories_free_space_percentage_thresholds false
Web Metric Collection Enables the health test that the Cloudera Manager Agent can successfully contact and gather metrics from the web server. true impalad_web_metric_collection_enabled false
Web Metric Collection Duration The health test thresholds on the duration of the metrics request to the web server. Warning: 10 second(s), Critical: Never impalad_web_metric_collection_thresholds false
Log Directory Free Space Monitoring Absolute Thresholds The health test thresholds for monitoring of free space on the filesystem that contains this role's log directory. Warning: 10 GiB, Critical: 5 GiB log_directory_free_space_absolute_thresholds false
Log Directory Free Space Monitoring Percentage Thresholds The health test thresholds for monitoring of free space on the filesystem that contains this role's log directory. Specified as a percentage of the capacity on that filesystem. This setting is not used if a Log Directory Free Space Monitoring Absolute Thresholds setting is configured. Warning: Never, Critical: Never log_directory_free_space_percentage_thresholds false
Resident Set Size Thresholds The health test thresholds on the resident size of the process. Warning: Never, Critical: Never process_resident_set_size_thresholds false
Process Swap Memory Thresholds The health test thresholds on the swap memory usage of the process. Warning: Any, Critical: Any process_swap_memory_thresholds false
Query Monitoring Period The polling period of the Impala query monitor in the Cloudera Manager Agent, specified in seconds. If set to zero, query monitoring is disabled. 1.0 second(s) query_monitoring_period_seconds false
Role Triggers The configured triggers for this role. This is a JSON formatted list of triggers. These triggers are evaluated as part of the health system. Every trigger expression is parsed, and if the trigger condition is met, the list of actions provided in the trigger expression is executed. Each trigger has all of the following fields:
  • triggerName (mandatory) - The name of the trigger. This value must be unique for the specific role.
  • triggerExpression (mandatory) - A tsquery expression representing the trigger.
  • streamThreshold (optional) - The maximum number of streams that can satisfy a condition of a trigger before the condition fires. By default set to 0, and any stream returned causes the condition to fire.
  • enabled (optional) - By default set to 'true'. If set to 'false', the trigger will not be evaluated.
  • expressionEditorConfig (optional) - Metadata for the trigger editor. If present, the trigger should only be edited from the Edit Trigger page; editing the trigger here may lead to inconsistencies.
For example, the following JSON formatted trigger configured for a DataNode fires if the DataNode has more than 1500 file-descriptors opened:
[{"triggerName": "sample-trigger", "triggerExpression": "IF (SELECT fd_open WHERE roleName=$ROLENAME and last(fd_open) > 1500) DO health:bad", "streamThreshold": 0, "enabled": "true"}]
See the trigger rules documentation for more details on how to write triggers using tsquery. The JSON format is evolving and may change in the future and, as a result, backward compatibility is not guaranteed between releases at this time.
[] role_triggers true
Unexpected Exits Thresholds The health test thresholds for unexpected exits encountered within a recent period specified by the unexpected_exits_window configuration for the role. Warning: Never, Critical: Any unexpected_exits_thresholds false
Unexpected Exits Monitoring Period The period to review when computing unexpected exits. 5 minute(s) unexpected_exits_window false

Other

Display Name Description Related Name Default Value API Name Required
Impala Daemon Query Options Advanced Configuration Snippet (Safety Valve) A list of key-value pairs of additional query options to pass to the Impala Daemon command line, separated by ','. default_query_options default_query_options false
Impala Daemons Load Balancer Address of the load balancer used for Impala daemons. Should be specified in host:port format. If this is specified and Kerberos is enabled, Cloudera Manager adds a principal for 'impala/<load_balancer_host>@<realm>' to the keytab for all Impala daemons. impalad_load_balancer false
Impala Daemon Scratch Directories Directories where Impala Daemon will write data such as spilling information to disk to free up memory. This can potentially be large amounts of data. scratch_dirs scratch_dirs false

Performance

Display Name Description Related Name Default Value API Name Required
Maximum Process File Descriptors If configured, overrides the process soft and hard rlimits (also called ulimits) for file descriptors to the configured value. rlimit_fds false

Ports and Addresses

Display Name Description Related Name Default Value API Name Required
Impala Daemon Backend Port Port on which ImpalaBackendService is exported. be_port 22000 be_port false
Impala Daemon Beeswax Port Port on which Beeswax client requests are served by Impala Daemons. beeswax_port 21000 beeswax_port false
Impala Daemon HiveServer2 Port Port on which HiveServer2 client requests are served by Impala Daemons. hs2_port 21050 hs2_port false
Enable Impala Daemon Web Server Enable or disable the Impala Daemon web server. This web server contains useful information about Impala Daemon. enable_webserver true impalad_enable_webserver false
Impala Daemon HTTP Server Port Port where Impala debug web server runs. webserver_port 25000 impalad_webserver_port false
StateStoreSubscriber Service Port Port where StateStoreSubscriberService is running. state_store_subscriber_port 23000 state_store_subscriber_port false

Resource Management

Display Name Description Related Name Default Value API Name Required
Impala Daemon Memory Limit Memory limit in bytes for Impala Daemon, enforced by the daemon itself. If reached, queries running on the Impala Daemon may be killed. Leave it blank to let Impala pick its own limit. Use a value of -1 B to specify no limit. mem_limit impalad_memory_limit false
Cgroup CPU Shares Number of CPU shares to assign to this role. The greater the number of shares, the larger the share of the host's CPUs that will be given to this role when the host experiences CPU contention. Must be between 2 and 262144. Defaults to 1024 for processes not managed by Cloudera Manager. cpu.shares 1024 rm_cpu_shares true
Cgroup I/O Weight Weight for the read I/O requests issued by this role. The greater the weight, the higher the priority of the requests when the host experiences I/O contention. Must be between 100 and 1000. Defaults to 1000 for processes not managed by Cloudera Manager. blkio.weight 500 rm_io_weight true
Cgroup Memory Hard Limit Hard memory limit to assign to this role, enforced by the Linux kernel. When the limit is reached, the kernel will reclaim pages charged to the process. If reclaiming fails, the kernel may kill the process. Both anonymous as well as page cache pages contribute to the limit. Use a value of -1 B to specify no limit. By default processes not managed by Cloudera Manager will have no limit. memory.limit_in_bytes -1 MiB rm_memory_hard_limit true
Cgroup Memory Soft Limit Soft memory limit to assign to this role, enforced by the Linux kernel. When the limit is reached, the kernel will reclaim pages charged to the process if and only if the host is facing memory pressure. If reclaiming fails, the kernel may kill the process. Both anonymous as well as page cache pages contribute to the limit. Use a value of -1 B to specify no limit. By default processes not managed by Cloudera Manager will have no limit. memory.soft_limit_in_bytes -1 MiB rm_memory_soft_limit true

Security

Display Name Description Related Name Default Value API Name Required
LDAP Server CA Certificate The location on disk of the certificate, in .pem format, used to confirm the authenticity of the LDAP server certificate. This is the Certificate Authority (CA) certificate, and it was used to sign the LDAP server certificate. If not set, Impala by default trusts all certificates supplied by the LDAP server, which means that an attacker could potentially intercept otherwise encrypted usernames and passwords. ldap_ca_certificate impalad_ldap_ca_certificate false
SSL/TLS Certificate for Impala Daemon Webserver Local path to the certificate presented by the Impala daemon debug webserver. This file must be in .pem format. If empty, webserver SSL/TLS support is not enabled. webserver_certificate_file webserver_certificate_file false
Impala Daemon Web Server User Password Password for Impala Daemon webserver authentication. webserver_htpassword_password webserver_htpassword_password false
Impala Daemon Web Server Username Username for Impala Daemon webserver authentication. webserver_htpassword_user webserver_htpassword_user false

impalastatestoredefaultgroup

Advanced

Display Name Description Related Name Default Value API Name Required
Impala StateStore Environment Advanced Configuration Snippet (Safety Valve) For advanced use only, key-value pairs (one on each line) to be inserted into a role's environment. Applies to configurations of this role except client configuration. STATESTORE_role_env_safety_valve false
StateStore Core Dump Directory Directory where StateStore core dump will be placed. core_dump_dir /var/log/statestore core_dump_dir false
Automatically Restart Process When set, this role's process is automatically (and transparently) restarted in the event of an unexpected failure. true process_auto_restart true
Statestore Command Line Argument Advanced Configuration Snippet (Safety Valve) For advanced use only, key-value pairs (one on each line) to be added (verbatim) to StateStore command line flags. statestore_cmd_args_safety_valve false

Logs

Display Name Description Related Name Default Value API Name Required
StateStore Log Directory Directory where StateStore will place its log files. log_dir /var/log/statestore log_dir false
Impala StateStore Logging Threshold The minimum log level for Impala StateStore logs INFO log_threshold false
StateStore Verbose Log Level Verbose logging level for the GLog logger. These messages are always logged at 'INFO' log level, so this setting has no effect if Logging Threshold is set to 'WARN' or above. GLOG_v 1 log_verbose_level false
StateStore Log Buffer Level Buffer log messages logged at this level or lower (-1 means don't buffer; 0 means buffer INFO only; 1 means buffer WARNING only, ...) logbuflevel 0 logbuflevel false
Impala StateStore Max Log Size The maximum size, in megabytes, per log file for Impala StateStore logs. Typically used by log4j or logback. 200 MiB max_log_size false

Monitoring

Display Name Description Related Name Default Value API Name Required
Enable Health Alerts for this Role When set, Cloudera Manager will send alerts when the health of this role reaches the threshold specified by the EventServer setting eventserver_health_events_alert_threshold true enable_alerts false
Enable Configuration Change Alerts When set, Cloudera Manager will send alerts when this entity's configuration changes. false enable_config_alerts false
Heap Dump Directory Free Space Monitoring Absolute Thresholds The health test thresholds for monitoring of free space on the filesystem that contains this role's heap dump directory. Warning: 10 GiB, Critical: 5 GiB heap_dump_directory_free_space_absolute_thresholds false
Heap Dump Directory Free Space Monitoring Percentage Thresholds The health test thresholds for monitoring of free space on the filesystem that contains this role's heap dump directory. Specified as a percentage of the capacity on that filesystem. This setting is not used if a Heap Dump Directory Free Space Monitoring Absolute Thresholds setting is configured. Warning: Never, Critical: Never heap_dump_directory_free_space_percentage_thresholds false
Log Directory Free Space Monitoring Absolute Thresholds The health test thresholds for monitoring of free space on the filesystem that contains this role's log directory. Warning: 10 GiB, Critical: 5 GiB log_directory_free_space_absolute_thresholds false
Log Directory Free Space Monitoring Percentage Thresholds The health test thresholds for monitoring of free space on the filesystem that contains this role's log directory. Specified as a percentage of the capacity on that filesystem. This setting is not used if a Log Directory Free Space Monitoring Absolute Thresholds setting is configured. Warning: Never, Critical: Never log_directory_free_space_percentage_thresholds false
Resident Set Size Thresholds The health test thresholds on the resident size of the process. Warning: Never, Critical: Never process_resident_set_size_thresholds false
Process Swap Memory Thresholds The health test thresholds on the swap memory usage of the process. Warning: Any, Critical: Never process_swap_memory_thresholds false
Role Triggers The configured triggers for this role. This is a JSON-formatted list of triggers. These triggers are evaluated as part of the health system. Every trigger expression is parsed, and if the trigger condition is met, the list of actions provided in the trigger expression is executed. Each trigger has all of the following fields:
  • triggerName (mandatory) - The name of the trigger. This value must be unique for the specific role.
  • triggerExpression (mandatory) - A tsquery expression representing the trigger.
  • streamThreshold (optional) - The maximum number of streams that can satisfy a condition of a trigger before the condition fires. By default set to 0, and any stream returned causes the condition to fire.
  • enabled (optional) - By default set to 'true'. If set to 'false', the trigger will not be evaluated.
  • expressionEditorConfig (optional) - Metadata for the trigger editor. If present, the trigger should only be edited from the Edit Trigger page; editing the trigger here may lead to inconsistencies.
For example, the following JSON-formatted trigger configured for a DataNode fires if the DataNode has more than 1500 file descriptors open:
[{"triggerName": "sample-trigger", "triggerExpression": "IF (SELECT fd_open WHERE roleName=$ROLENAME and last(fd_open) > 1500) DO health:bad", "streamThreshold": 0, "enabled": "true"}]
See the trigger rules documentation for more details on how to write triggers using tsquery. The JSON format is evolving and may change in the future and, as a result, backward compatibility is not guaranteed between releases at this time.
[] role_triggers true
File Descriptor Monitoring Thresholds The health test thresholds of the number of file descriptors used. Specified as a percentage of file descriptor limit. Warning: 50.0 %, Critical: 70.0 % statestore_fd_thresholds false
Impala StateStore Host Health Test When computing the overall Impala StateStore health, consider the host's health. true statestore_host_health_enabled false
Impala StateStore Process Health Test Enables the health test that the Impala StateStore's process state is consistent with the role configuration true statestore_scm_health_enabled false
Health Check Startup Tolerance The amount of time allowed after this role is started that failures of health checks that rely on communication with this role will be tolerated. 5 minute(s) statestore_startup_tolerance false
Web Metric Collection Enables the health test that the Cloudera Manager Agent can successfully contact and gather metrics from the web server. true statestore_web_metric_collection_enabled false
Web Metric Collection Duration The health test thresholds on the duration of the metrics request to the web server. Warning: 10 second(s), Critical: Never statestore_web_metric_collection_thresholds false
Unexpected Exits Thresholds The health test thresholds for unexpected exits encountered within a recent period specified by the unexpected_exits_window configuration for the role. Warning: Never, Critical: Any unexpected_exits_thresholds false
Unexpected Exits Monitoring Period The period to review when computing unexpected exits. 5 minute(s) unexpected_exits_window false

Other

Display Name Description Related Name Default Value API Name Required
Enable StateStore Web Server Enable/Disable StateStore web server. This web server contains useful information about StateStore daemon. enable_webserver true statestore_enable_webserver false

Performance

Display Name Description Related Name Default Value API Name Required
Maximum Process File Descriptors If configured, overrides the process soft and hard rlimits (also called ulimits) for file descriptors to the configured value. rlimit_fds false
StateStore Worker Threads Number of worker threads for the thread manager underlying the StateStore Thrift server. state_store_num_server_worker_threads 4 state_store_num_server_worker_threads false
Maximum StateStore Pending Tasks Maximum number of tasks allowed to be pending at the thread manager underlying the StateStore Thrift server (0 allows infinitely many pending tasks) state_store_pending_task_count_max 0 state_store_pending_task_count_max false

Ports and Addresses

Display Name Description Related Name Default Value API Name Required
StateStore Service Port Port where StateStoreService is exported. state_store_port 24000 state_store_port false
StateStore HTTP Server Port Port where StateStore debug web server runs. webserver_port 25010 statestore_webserver_port false

Resource Management

Display Name Description Related Name Default Value API Name Required
Cgroup CPU Shares Number of CPU shares to assign to this role. The greater the number of shares, the larger the share of the host's CPUs that will be given to this role when the host experiences CPU contention. Must be between 2 and 262144. Defaults to 1024 for processes not managed by Cloudera Manager. cpu.shares 1024 rm_cpu_shares true
Cgroup I/O Weight Weight for the read I/O requests issued by this role. The greater the weight, the higher the priority of the requests when the host experiences I/O contention. Must be between 100 and 1000. Defaults to 1000 for processes not managed by Cloudera Manager. blkio.weight 500 rm_io_weight true
Cgroup Memory Hard Limit Hard memory limit to assign to this role, enforced by the Linux kernel. When the limit is reached, the kernel will reclaim pages charged to the process. If reclaiming fails, the kernel may kill the process. Both anonymous as well as page cache pages contribute to the limit. Use a value of -1 B to specify no limit. By default processes not managed by Cloudera Manager will have no limit. memory.limit_in_bytes -1 MiB rm_memory_hard_limit true
Cgroup Memory Soft Limit Soft memory limit to assign to this role, enforced by the Linux kernel. When the limit is reached, the kernel will reclaim pages charged to the process if and only if the host is facing memory pressure. If reclaiming fails, the kernel may kill the process. Both anonymous as well as page cache pages contribute to the limit. Use a value of -1 B to specify no limit. By default processes not managed by Cloudera Manager will have no limit. memory.soft_limit_in_bytes -1 MiB rm_memory_soft_limit true

Security

Display Name Description Related Name Default Value API Name Required
SSL/TLS Certificate for Statestore Webserver Local path to the certificate presented by the StateStore debug webserver. This file must be in .pem format. If empty, webserver SSL/TLS support is not enabled. webserver_certificate_file webserver_certificate_file false
Statestore Web Server User Password Password for Statestore webserver authentication. webserver_htpassword_password webserver_htpassword_password false
Statestore Web Server Username Username for Statestore webserver authentication. webserver_htpassword_user webserver_htpassword_user false

service_wide

Admission Control

Display Name Description Related Name Default Value API Name Required
Enable Dynamic Resource Pools Use Dynamic Resource Pools to configure Impala admission control or RM for this Impala service. These features are only supported in Impala 1.3 or higher deployments. false admission_control_enabled false
Admission Control Queue Timeout Maximum amount of time (in milliseconds) that a request waits to be admitted before timing out. Must be a positive integer. queue_wait_timeout_ms 1 minute(s) admission_control_queue_timeout false
Single Pool Max Queued Queries Configures the maximum number of queued queries for admission control when using a single pool. -1 or 0 disables queuing, i.e. incoming requests are rejected if they cannot be executed immediately. Ignored when Dynamic Resource Pools for Admission Control is enabled. default_pool_max_queued 200 admission_control_single_pool_max_queued false
Single Pool Max Running Queries Configures the maximum number of concurrently running queries for admission control when using a single pool. -1 indicates no limit and 0 indicates all incoming requests will be rejected. Ignored when Dynamic Resource Pools for Admission Control is enabled. default_pool_max_requests 200 admission_control_single_pool_max_requests false
Single Pool Mem Limit Configures the max memory of running queries for admission control when using a single pool. -1 or 0 indicates no limit. Ignored when Dynamic Resource Pools for Admission Control is enabled. default_pool_mem_limit -1 B admission_control_single_pool_mem_limit false
Enable Impala Admission Control Use Impala Admission Control to throttle Impala requests. Unless 'Enable Dynamic Resource Pools' is enabled, Impala uses a single, default pool that is configured using the Single Pool configurations below. These features are only supported in Impala 1.3 or higher deployments. false all_admission_control_enabled false

Advanced

Display Name Description Related Name Default Value API Name Required
Enable Core Dump Used to generate a core dump to get more information about an Impala crash. Unless otherwise configured systemwide using /proc/sys/kernel/core_pattern, the dump is generated in the 'current directory' of the Impala process (usually a subdirectory of the /var/run/cloudera-scm-agent/process directory). The core file can be very large. false enable_core_dump false
Maximum HBase Client Retries Maximum number of HBase client retries for Impala. Used as a maximum for all operations such as fetching of the root region from the root RegionServer, getting a cell's value, and starting a row update. Overrides configuration in the HBase service. hbase.client.retries.number 3 hbase_client_retries_number false
HBase RPC Timeout Timeout in milliseconds for all HBase RPCs made by Impala. Overrides configuration in HBase service. hbase.rpc.timeout 3 second(s) hbase_rpc_timeout false
Impala Command Line Argument Advanced Configuration Snippet (Safety Valve) For advanced use only, key-value pairs (one on each line) to be added (verbatim) to Impala Daemon command-line flags. Applies to all roles in this service. Key names should begin with a hyphen(-). For example: -log_filename=foo.log impala_cmd_args_safety_valve false
Fair Scheduler Configuration Rules A list specifying the rules to run to determine which Fair Scheduler configuration to use. Typically edited using the Rules configuration UI. This configuration only has effect on Impala versions 1.3 or greater. [] impala_schedule_rules false
Fair Scheduler Allocations JSON representation of all the configurations that the Fair Scheduler can take on across all schedules. Typically edited using the Pools configuration UI. This configuration only has effect on Impala versions 1.3 or greater. defaultMinSharePreemptionTimeout:null, defaultQueueSchedulingPolicy:null, fairSharePreemptionTimeout:null, queueMaxAMShareDefault:null, queueMaxAppsDefault:null, queuePlacementRules:null, queues:[aclAdministerApps:null, aclSubmitApps:null, minSharePreemptionTimeout:null, name:root, queues:[aclAdministerApps:null, aclSubmitApps:null, minSharePreemptionTimeout:null, name:default, queues:[], schedulablePropertiesList:[impalaMaxMemory:null, impalaMaxQueuedQueries:null, impalaMaxRunningQueries:null, maxAMShare:null, maxResources:null, maxRunningApps:null, minResources:null, scheduleName:default, weight:null], schedulingPolicy:null], schedulablePropertiesList:[impalaMaxMemory:null, impalaMaxQueuedQueries:null, impalaMaxRunningQueries:null, maxAMShare:null, maxResources:null, maxRunningApps:null, minResources:null, scheduleName:default, weight:null], schedulingPolicy:null], userMaxAppsDefault:null, users:[] impala_scheduled_allocations false
Impala Service Environment Advanced Configuration Snippet (Safety Valve) For advanced use only, key-value pairs (one on each line) to be inserted into a role's environment. Applies to configurations of all roles in this service except client configuration. impala_service_env_safety_valve false
Impala Service Advanced Configuration Snippet (Safety Valve) for sentry-site.xml For advanced use only, a string to be inserted into sentry-site.xml. Applies to configurations of all roles in this service except client configuration. impalad_sentry_safety_valve false
Impala Client Advanced Configuration Snippet (Safety Valve) for navigator.client.properties For advanced use only, a string to be inserted into the client configuration for navigator.client.properties. navigator_client_config_safety_valve false
Impala System Group (except Llama) The group that this Impala's processes should run as (except Llama, which has its own group). impala process_groupname true
Impala System User (except Llama) The user that this Impala's processes should run as (except Llama, which has its own user). impala process_username true
Use Debug Build Use debug build of Impala binaries when starting roles. Useful when performing diagnostic activities to get more information in the stacktrace or core dump. false use_debug_build false

Cloudera Navigator

Display Name Description Related Name Default Value API Name Required
Enable Audit Collection Enable collection of audit events from the service's roles. true navigator_audit_enabled false
Audit Event Filter Event filters are defined in a JSON object like the following: { "defaultAction" : ("accept", "discard"), "rules" : [ { "action" : ("accept", "discard"), "fields" : [ { "name" : "fieldName", "match" : "regex" } ] } ] } A filter has a default action and a list of rules, in order of precedence. Each rule defines an action, and a list of fields to match against the audit event. A rule is "accepted" if all the listed field entries match the audit event. At that point, the action declared by the rule is taken. If no rules match the event, the default action is taken. Actions default to "accept" if not defined in the JSON object. The following is the list of fields that can be filtered for Impala events:
  • userName: the user performing the action.
  • ipAddress: the IP from where the request originated.
  • operation: the Impala operation being performed.
  • databaseName: the databaseName for the operation.
  • tableName: the tableName for the operation.
navigator.event.filter navigator_audit_event_filter false
Audit Queue Policy Action to take when the audit event queue is full. Drop the event or shutdown the affected process. navigator.batch.queue_policy DROP navigator_audit_queue_policy false
Audit Event Tracker Configures the rules for event tracking and coalescing. This feature is used to define equivalency between different audit events. When events match, according to a set of configurable parameters, only one entry in the audit list is generated for all the matching events. Tracking works by keeping a reference to events when they first appear, and comparing other incoming events against the "tracked" events according to the rules defined here. Event trackers are defined in a JSON object like the following: { "timeToLive" : [integer], "fields" : [ { "type" : [string], "name" : [string] } ] } Where:
  • timeToLive: maximum amount of time an event will be tracked, in milliseconds. Must be provided. This defines how long an event is tracked after it is first seen. A value of 0 disables tracking.
  • fields: list of fields to compare when matching events against tracked events.
Each field has an evaluator type associated with it. The evaluator defines how the field data is to be compared. The following evaluators are available:
  • value: uses the field value for comparison.
  • userName: treats the field value as a userName, and ignores any host-specific data. This is useful for environments using Kerberos, so that only the principal name and realm are compared.
The following is the list of fields that can be used to compare Impala events:
  • operation: the Sentry operation being performed.
  • username: the user performing the action.
  • ipAddress: the IP from where the request originated.
  • allowed: whether the operation was allowed or denied.
  • databaseName: the database affected by the operation.
  • tableName: the table affected by the operation.
  • objectType: the type of object affected by the operation.
  • privilege: the privilege associated with the operation.
navigator_event_tracker navigator_event_tracker false
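
The rule precedence described under Audit Event Filter can be checked offline before a filter is deployed. The following is an added example, not Cloudera code: the function names, the sample filter and the sample events (including the operation values) are constructed, and it assumes that "match" must cover the whole field value and that a rule naming a field absent from the event does not match.

```python
import json
import re

# Field names the page lists as filterable for Impala audit events.
IMPALA_FILTER_FIELDS = {"userName", "ipAddress", "operation", "databaseName", "tableName"}
ACTIONS = {"accept", "discard"}


def lint_filter(flt):
    """Return a list of problems that would make the filter behave unexpectedly."""
    problems = []
    if flt.get("defaultAction", "accept") not in ACTIONS:
        problems.append("defaultAction must be 'accept' or 'discard'")
    for i, rule in enumerate(flt.get("rules", [])):
        if rule.get("action", "accept") not in ACTIONS:
            problems.append(f"rule {i}: unknown action")
        for field in rule.get("fields", []):
            name = field.get("name")
            if name not in IMPALA_FILTER_FIELDS:
                # Field names are case-sensitive here: 'username' is not 'userName'.
                problems.append(f"rule {i}: unknown field {name!r}")
            try:
                re.compile(field.get("match", ""))
            except re.error as exc:
                problems.append(f"rule {i}: bad regex for {name!r}: {exc}")
    return problems


def evaluate(flt, event):
    """Return (action, rule_index); rule_index is None when the default action applied."""
    for i, rule in enumerate(flt.get("rules", [])):
        # A rule applies only if every listed field matches the event.
        # Assumption: whole-value match, and a missing field never matches.
        if all(
            f["name"] in event and re.fullmatch(f["match"], str(event[f["name"]]))
            for f in rule.get("fields", [])
        ):
            # First matching rule wins; actions default to "accept".
            return rule.get("action", "accept"), i
    return flt.get("defaultAction", "accept"), None


# Constructed filter: always keep events on the 'finance' database, drop a
# monitoring account's DESCRIBE noise, and (with a typo'd field name) try to
# drop ETL accounts.
SAMPLE_FILTER = json.loads(r"""
{
  "defaultAction": "accept",
  "rules": [
    {"action": "accept",
     "fields": [{"name": "databaseName", "match": "finance"}]},
    {"action": "discard",
     "fields": [{"name": "userName", "match": "svc_monitor"},
                {"name": "operation", "match": "DESCRIBE.*"}]},
    {"action": "discard",
     "fields": [{"name": "username", "match": "etl_.*"}]}
  ]
}
""")

# Constructed audit events using the five filterable fields.
SAMPLE_EVENTS = [
    {"userName": "svc_monitor", "ipAddress": "10.0.0.5", "operation": "DESCRIBE_TABLE",
     "databaseName": "finance", "tableName": "ledger"},
    {"userName": "svc_monitor", "ipAddress": "10.0.0.5", "operation": "DESCRIBE_TABLE",
     "databaseName": "staging", "tableName": "tmp"},
    {"userName": "svc_monitor", "ipAddress": "10.0.0.5", "operation": "QUERY",
     "databaseName": "staging", "tableName": "tmp"},
    {"userName": "etl_nightly", "ipAddress": "10.0.0.9", "operation": "QUERY",
     "databaseName": "staging", "tableName": "tmp"},
]


def report(flt, events):
    """Evaluate every event and return the (action, rule_index) decisions in order."""
    return [evaluate(flt, e) for e in events]


if __name__ == "__main__":
    for problem in lint_filter(SAMPLE_FILTER):
        print("LINT:", problem)
    for event, decision in zip(SAMPLE_EVENTS, report(SAMPLE_FILTER, SAMPLE_EVENTS)):
        print(decision, event["userName"], event["operation"], event["databaseName"])
```

Because rules are evaluated in order, the accept rule for the finance database has to come before any discard rule that could also match those events.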

Monitoring

Display Name Description Related Name Default Value API Name Required
Admin Users Query List Visibility Settings Controls which queries admin users can see in the queries list view ALL admin_query_list_settings true
Enable Service Level Health Alerts When set, Cloudera Manager will send alerts when the health of this service reaches the threshold specified by the EventServer setting eventserver_health_events_alert_threshold true enable_alerts false
Enable Configuration Change Alerts When set, Cloudera Manager will send alerts when this entity's configuration changes. false enable_config_alerts false
Assignment Locality Minimum Assignments The minimum number of assignments that must occur during the test time period before the threshold values will be checked. Until this number of assignments have been observed in the test time period the health test will be disabled. 10 impala_assignment_locality_minimum false
Assignment Locality Ratio Thresholds The health test thresholds for the assignment locality health test. Specified as a percentage of total assignments. Warning: 80.0 %, Critical: 5.0 % impala_assignment_locality_thresholds false
Assignment Locality Monitoring Period The time period over which to compute the assignment locality ratio. Specified in minutes. 15 minute(s) impala_assignment_locality_window false
Impala Catalog Server Role Health Test When computing the overall IMPALA health, consider Impala Catalog Server's health true impala_catalogserver_health_enabled false
Healthy Impala Daemon Monitoring Thresholds The health test thresholds of the overall Impala Daemon health. The check returns "Concerning" health if the percentage of "Healthy" Impala Daemons falls below the warning threshold. The check is unhealthy if the total percentage of "Healthy" and "Concerning" Impala Daemons falls below the critical threshold. Warning: 95.0 %, Critical: 90.0 % impala_impalads_healthy_thresholds false
Impala Query Aggregates Controls the aggregate metrics generated for Impala queries. The structure is a JSON list of the attributes to aggregate and the entities to aggregate to. For example, if the attributeName is 'hdfs_bytes_read' and the aggregationTargets is ['USER'] then the Service Monitor will create the metric 'impala_query_hdfs_bytes_read_rate' and, every ten minutes, will record the total hdfs bytes read for each user across all their Impala queries. By default it will also record the number of queries issued ('num_impala_queries_rate') for both users and pool. For a full list of the supported attributes see the Impala search page. Note that the valid aggregation targets are USER, YARN_POOL, and IMPALA (the service), and that these aggregate metrics can be viewed on both the reports and charts search pages. [ attributeName: hdfs_bytes_read, aggregationTargets: [USER, YARN_POOL, IMPALA] , attributeName: hdfs_bytes_written, aggregationTargets: [USER, YARN_POOL, IMPALA] , attributeName: thread_cpu_time, aggregationTargets: [USER, YARN_POOL, IMPALA] , attributeName: bytes_streamed, aggregationTargets: [USER, YARN_POOL, IMPALA] , attributeName: cm_cpu_milliseconds, aggregationTargets: [USER] , attributeName: query_duration, aggregationTargets: [USER, YARN_POOL, IMPALA] ] impala_query_aggregates false
Impala StateStore Role Health Test When computing the overall IMPALA health, consider Impala StateStore's health true impala_statestore_health_enabled false
Service Triggers The configured triggers for this service. This is a JSON-formatted list of triggers. These triggers are evaluated as part of the health system. Every trigger expression is parsed, and if the trigger condition is met, the list of actions provided in the trigger expression is executed. Each trigger has all of the following fields:
  • triggerName (mandatory) - The name of the trigger. This value must be unique for the specific service.
  • triggerExpression (mandatory) - A tsquery expression representing the trigger.
  • streamThreshold (optional) - The maximum number of streams that can satisfy a condition of a trigger before the condition fires. By default set to 0, and any stream returned causes the condition to fire.
  • enabled (optional) - By default set to 'true'. If set to 'false', the trigger will not be evaluated.
  • expressionEditorConfig (optional) - Metadata for the trigger editor. If present, the trigger should only be edited from the Edit Trigger page; editing the trigger here may lead to inconsistencies.
For example, the following JSON-formatted trigger fires if there are more than 10 DataNodes with more than 500 file descriptors open:
[{"triggerName": "sample-trigger", "triggerExpression": "IF (SELECT fd_open WHERE roleType = DataNode and last(fd_open) > 500) DO health:bad", "streamThreshold": 10, "enabled": "true"}]
See the trigger rules documentation for more details on how to write triggers using tsquery. The JSON format is evolving and may change in the future and, as a result, backward compatibility is not guaranteed between releases at this time.
[] service_triggers true
Service Monitor Derived Configs Advanced Configuration Snippet (Safety Valve) For advanced use only, a list of derived configuration properties that will be used by the Service Monitor instead of the default ones. smon_derived_configs_safety_valve false
Non-Admin Users Query List Visibility Settings Controls which queries a non-admin user can see in the queries list view ALL user_query_list_settings true

Other

Display Name Description Related Name Default Value API Name Required
HBase Service Name of the HBase service that this Impala service instance depends on hbase_service false
HDFS Service Name of the HDFS service that this Impala service instance depends on hdfs_service true
Hive Service Name of the Hive service that this Impala service instance depends on hive_service true

Performance

Display Name Description Related Name Default Value API Name Required
Enable HDFS Short Circuit Read Enable HDFS short circuit read. This allows a client co-located with the DataNode to read HDFS file blocks directly. This gives a performance boost to distributed clients that are aware of locality. dfs.client.read.shortcircuit true dfs_client_read_shortcircuit false
StateStoreSubscriber Timeout Time in seconds before Impala Daemon or Catalog Server times out with the StateStore. statestore_subscriber_timeout_seconds 30 second(s) statestore_subscriber_timeout false

Policy File-Based Sentry

Display Name Description Related Name Default Value API Name Required
Proxy User Configuration Specifies the set of authorized proxy users (users who can impersonate other users during authorization) and whom they are allowed to impersonate. Input is a semicolon-separated list of key=value pairs of authorized proxy users to the user(s) they can impersonate. These users are specified as a comma separated list of short usernames, or '*' to indicate all users. For example: joe=alice,bob;hue=*;admin=*. Only valid when Sentry is enabled. authorized_proxy_user_config hue=* impala_authorized_proxy_user_config false
Enable Sentry Authorization using Policy Files Use Sentry to enable role-based, fine-grained authorization. This configuration enables Sentry using policy files. To enable Sentry using Sentry service instead, add Sentry service as a dependency to Impala service. Sentry service provides concurrent and secure access to authorization policy metadata and is the recommended option for enabling Sentry. Sentry is supported only on Impala 1.1 or later deployments. impala.sentry.enabled false sentry_enabled false
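
The Proxy User Configuration value decides who may impersonate whom, so it is worth reviewing which entries grant '*'. The following is an added example, not Cloudera code: the function names are hypothetical, and the strict handling of malformed entries and the merging of duplicate keys are assumptions, since the page does not say how Impala treats them.

```python
def parse_proxy_users(value):
    """Parse 'proxy=user1,user2;proxy2=*' into {proxy: set_of_targets}."""
    mapping = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate an empty value or a trailing ';'
        proxy, sep, targets = entry.partition("=")
        proxy = proxy.strip()
        names = {t.strip() for t in targets.split(",") if t.strip()}
        if not sep or not proxy or not names:
            # Assumption: reject rather than guess what a broken entry meant.
            raise ValueError(f"malformed proxy entry: {entry!r}")
        # Assumption: repeated keys are merged rather than overwritten.
        mapping.setdefault(proxy, set()).update(names)
    return mapping


def may_impersonate(mapping, proxy, target):
    """True if `proxy` is authorized to act as `target` under this mapping."""
    allowed = mapping.get(proxy, set())
    return "*" in allowed or target in allowed


def unrestricted_proxies(mapping):
    """Proxy users that may impersonate every user; these deserve review."""
    return sorted(p for p, targets in mapping.items() if "*" in targets)


if __name__ == "__main__":
    # The example string and the default value are both taken from the page.
    for value in ("joe=alice,bob;hue=*;admin=*", "hue=*"):
        mapping = parse_proxy_users(value)
        print(value, "->", unrestricted_proxies(mapping))
```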

Security

Display Name Description Related Name Default Value API Name Required
Enable TLS/SSL for Impala Client Services Encrypt communication between clients (like ODBC, JDBC, and the Impala shell) and the Impala daemon using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)). client_services_ssl_enabled false client_services_ssl_enabled false
Enable LDAP Authentication When checked, LDAP-based authentication for users is enabled. Usernames and passwords are transmitted in the clear unless encryption is turned on. To encrypt the network traffic from the Impala daemon to the LDAP server, use either an ldaps:// URI or select 'Enable LDAP TLS'. To encrypt network traffic from clients to the Impala daemon, specify 'Enable TLS/SSL for Impala Client Services'. enable_ldap_auth false enable_ldap_auth false
Enable LDAP TLS If true, attempts to establish a TLS (Transport Layer Security) connection with the LDAP server. Only supported in Impala 1.4 or CDH 5.1 or higher. Not required when using an LDAP URI with prefix ldaps://, because that already specifies TLS. ldap_tls false enable_ldap_tls false
LDAP URI The URI of the LDAP server to use if LDAP is enabled. The URI must be prefixed with ldap:// or ldaps://. The URI can optionally specify the port, for example: ldap://ldap_server.example.com:389. ldaps:// is only supported in Impala 1.4 or CDH 5.1 or higher, and usually requires that you specify a port. ldap_uri impala_ldap_uri false
Kerberos Principal Kerberos principal short name used by all roles of this service. impala kerberos_princ_name true
Kerberos Re-init Interval Number of minutes between reestablishing our ticket with the Kerberos server. kerberos_reinit_interval 1 hour(s) kerberos_reinit_interval false
LDAP BaseDN When set, this parameter is used to convert the username into the LDAP Distinguished Name (DN), so that the resulting DN looks like uid=username,X. For example, if this parameter is set to "ou=People,dc=cloudera,dc=com", and the username passed in is "mike", the resulting authentication passed to the LDAP server looks like "uid=mike,ou=People,dc=cloudera,dc=com". This parameter is frequently useful when authenticating against an OpenLDAP server. This parameter is mutually exclusive with LDAP Domain and LDAP Pattern. ldap_baseDN ldap_baseDN false
LDAP Pattern When set, this parameter allows arbitrary mapping from usernames into a Distinguished Name (DN). The string specified must have a placeholder named "#UID" inside it, and that #UID is replaced with the username. For example, you could mimic the behavior of LDAP BaseDN by specifying "uid=#UID,ou=People,dc=cloudera,dc=com". When the username of "mike" comes in, it replaces the #UID and the result is "uid=mike,ou=People,dc=cloudera,dc=com". This option should be used when more control over the DN is needed. This parameter is mutually exclusive with LDAP Domain and LDAP BaseDN. ldap_bind_pattern ldap_bind_pattern false
LDAP Domain When set, this value is appended to all usernames before authenticating with the LDAP server. For example, if this parameter is set to "my.domain.com", and the user authenticating to the Impala daemon is "mike", then "mike@my.domain.com" is passed to the LDAP server. If this field is unset, the username remains unaltered before being passed to the LDAP server. This parameter is mutually exclusive with LDAP BaseDN and LDAP Pattern. ldap_domain ldap_domain false
SSL/TLS Private Key for Clients Local path to the private key that matches the certificate specified in the Certificate for Clients. This file must be in PEM format, and is required if the SSL/TLS Certificate for Clients is supplied. ssl_private_key ssl_private_key false
SSL/TLS Certificate for Clients Local path to the X509 certificate that will identify the Impala daemon to clients during SSL/TLS connections. This file must be in PEM format. ssl_server_certificate ssl_server_certificate false
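
The LDAP and TLS settings above interact: the three DN-mapping options are mutually exclusive, and credentials cross the network in the clear unless both hops are encrypted. The following is an added example, not Cloudera code: it checks a dictionary keyed by the API names from this table, and the function names, finding codes and file paths are constructed for illustration.

```python
DN_OPTIONS = ("ldap_baseDN", "ldap_bind_pattern", "ldap_domain")


def bind_name(cfg, username):
    """Return the name sent to the LDAP server for `username`, per the rules above."""
    chosen = [k for k in DN_OPTIONS if cfg.get(k)]
    if len(chosen) > 1:
        raise ValueError("mutually exclusive options set: " + ", ".join(chosen))
    if cfg.get("ldap_baseDN"):
        return f"uid={username},{cfg['ldap_baseDN']}"
    if cfg.get("ldap_bind_pattern"):
        return cfg["ldap_bind_pattern"].replace("#UID", username)
    if cfg.get("ldap_domain"):
        return f"{username}@{cfg['ldap_domain']}"
    return username  # nothing set: the username is passed through unaltered


def lint_security(cfg):
    """Return (code, message) findings for the settings described in this table."""
    findings = []
    if cfg.get("ssl_server_certificate") and not cfg.get("ssl_private_key"):
        findings.append(("KEY_MISSING", "ssl_private_key is required with ssl_server_certificate"))
    if not cfg.get("enable_ldap_auth"):
        return findings
    uri = cfg.get("impala_ldap_uri") or ""
    if not uri.startswith(("ldap://", "ldaps://")):
        findings.append(("BAD_URI", "impala_ldap_uri must start with ldap:// or ldaps://"))
    elif uri.startswith("ldap://") and not cfg.get("enable_ldap_tls"):
        findings.append(("LDAP_CLEARTEXT", "daemon-to-LDAP traffic is unencrypted"))
    if not cfg.get("client_services_ssl_enabled"):
        findings.append(("CLIENT_CLEARTEXT", "client-to-daemon traffic is unencrypted"))
    chosen = [k for k in DN_OPTIONS if cfg.get(k)]
    if len(chosen) > 1:
        findings.append(("DN_CONFLICT", "set only one of: " + ", ".join(chosen)))
    pattern = cfg.get("ldap_bind_pattern")
    if pattern and "#UID" not in pattern:
        findings.append(("NO_UID", "ldap_bind_pattern has no #UID placeholder"))
    return findings


# Constructed configurations; the paths are placeholders.
WEAK = {
    "enable_ldap_auth": True,
    "impala_ldap_uri": "ldap://ldap_server.example.com:389",
    "enable_ldap_tls": False,
    "client_services_ssl_enabled": False,
    "ldap_baseDN": "ou=People,dc=cloudera,dc=com",
}
HARDENED = {
    "enable_ldap_auth": True,
    "impala_ldap_uri": "ldaps://ldap_server.example.com:636",
    "client_services_ssl_enabled": True,
    "ssl_server_certificate": "/path/to/impalad-cert.pem",
    "ssl_private_key": "/path/to/impalad-key.pem",
    "ldap_bind_pattern": "uid=#UID,ou=People,dc=cloudera,dc=com",
}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, bind_name(cfg, "mike"), [code for code, _ in lint_security(cfg)])
```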