Last reviewed: 2026-06-22
Language: English | Russian
Query Doctor reads non-secret local settings from a JSON config file. Keep passwords, tokens, keytabs, ticket contents, Authorization headers, and API keys out of this file. Put those values in environment variables or local env files described in credentials.md.
The committed query-doctor-config.minimal.example.json is the first-copy Cloudera Manager starter. The fuller query-doctor-config.example.json shows CM, direct Impala, Prometheus, metadata, and LLM routing fields in one advanced template. Add optional fields from the reference below only when you need to override a built-in default.
Preferred local path:
mkdir -p ~/.qdcreds
cp query-doctor-config.minimal.example.json ~/.qdcreds/query-doctor-config.json
chmod 600 ~/.qdcreds/query-doctor-config.jsonThe file is non-secret, but it often contains hostnames, usernames, local paths, and cluster names, so treat it as private workstation state.
Most packaged commands that support automatic local config discovery use this
order when --config is omitted:
query-doctor-config.jsonin the current working directory.~/.qdcreds/query-doctor-config.json.query-doctor-config.jsonin the repository root, when the command allows the repository default.- Legacy
.query-doctor-cm.local.jsonin the current working directory. - Legacy
.query-doctor-cm.local.jsonin the repository root, when allowed.
The local web bootstrap wrapper has a workstation-oriented order:
QD_CONFIG, when set.$QD_CREDS_DIR/query-doctor-config.json, defaulting to~/.qdcreds/query-doctor-config.json.- Repository-local
query-doctor-config.json. - Legacy repository-local
.query-doctor-cm.local.json.
Explicit --config PATH always wins. CLI flags then override environment
variables, config values, and code defaults for the settings they control.
Credential environment variables such as CM_PASSWORD, CM_TOKEN, and
KRB5CCNAME remain outside the JSON config; KRB5CCNAME overrides configured
krb5ccname.
Use this shape, also available in
query-doctor-config.minimal.example.json,
for the normal Cloudera Manager workflow:
{
"clusters": [
{
"id": "cm-impala",
"label": "Impala via Cloudera Manager",
"cluster_type": "cm",
"cm_url": "https://cm.example.com:7183/",
"cluster": "example_cluster",
"service": "impala"
}
],
"language": "en",
"recent_scan_timezone": "UTC"
}Provide CM_USERNAME plus CM_PASSWORD or CM_TOKEN through the shell
environment, for example from ~/.qdcreds/cm-ro.env. The username config
field remains supported as a non-secret fallback, but keeping the CM auth user
with the CM auth secret avoids drift between files.
Add ca_bundle only when your Cloudera Manager endpoint uses a private CA,
and add metadata or direct-Impala fields only after the basic Recent scan path
is working.
Direct query_doctor.cli.batch_recent runs also read the local Cloudera
Manager env file before preflight. Discovery order is:
QD_CM_ENV, when set.$QD_CREDS_DIR/cm-ro.env, whenQD_CREDS_DIRis set.~/.qdcreds/cm-ro.env.
The file is parsed as simple KEY=value or export KEY=value assignments
without shell evaluation. Only CM_USERNAME, CM_USER, CM_PASSWORD,
and CM_TOKEN are accepted from this file. Already-exported environment
variables win over file values. Kerberos cache and principal settings should
come from the shell environment, wrapper defaults, keytab inference, or JSON
config where appropriate, not from cm-ro.env.
Use this shape when Cloudera Manager is not the profile source:
{
"cluster_type": "impala",
"impala_profile_hosts": [
"impalad-worker-1.example.com",
"impalad-worker-2.example.com"
],
"impala_kerberos_service_name": "hive",
"metadata_coordinator": "impala-coordinator.example.com:21000",
"metadata_impala_shell": ".venv-impala-shell/bin/impala-shell",
"metadata_kerberos_service_name": "hive",
"metadata_kerberos_host_fqdn": "impala-coordinator.example.com"
}Direct Impala collection reads only bounded daemon debug web endpoints for
Recent, Running, or one Known Query ID workflow. It does not execute SQL.
For Recent and Running scans, history depth is limited by what the configured
coordinator query-list endpoints still expose. Upstream Impala defaults the
coordinator query log to --query_log_size=200 entries, with an additional
--query_log_size_in_bytes cap. To make more completed direct-Impala queries
available to Query Doctor, increase those Impala daemon settings on each
coordinator that can accept client queries. Avoid unbounded settings in
production; larger query logs can increase coordinator memory use and make the
Impala Web UI /queries JSON page slower to render or serialize before Query
Doctor can apply its own candidate limits.
Direct Impala history can grow through several distinct options:
- Coordinator query-log retention is the current supported path. Increase
--query_log_sizeand, if needed,--query_log_size_in_bytesin Impala daemon configuration on every coordinator. This keeps Query Doctor on the existing daemon/queriesand/profileendpoints, but the history is still coordinator-local and can increase Web UI response cost. - Profile-log directory ingestion is a future source option, not current support. Impala can write completed profile logs separately from the online query log. If Query Doctor adds this source, it must read an operator-configured read-only local or mounted directory, not arbitrary node or pod paths.
- External history indexes such as Loki or OpenSearch are also future source options. They must use operator-owned query templates or source contracts with explicit cluster labels, time windows, byte and record bounds, and redaction guarantees. Browser users must not submit arbitrary log search DSL, credentials, node paths, or raw query/profile payloads through Query Doctor.
For load-balanced metadata connections, keep metadata_coordinator as the
reachable HOST:PORT endpoint and set metadata_kerberos_host_fqdn when the
Kerberos server principal uses a different DNS hostname.
Metadata collection uses read-only SHOW statements through impala-shell and
stays bounded by the metadata limits below.
For Cloudera Manager Recent batches, the metadata refresh may use table
references extracted from discovery statements before profile identifier
redaction. Those identifiers are passed only to the bounded metadata subprocess;
progress, summaries, trusted reports, and pipeline plan output remain raw-free.
Prefer clusters[] when one workstation talks to more than one target. Keep
cluster-specific settings inside each cluster object. Avoid top-level
cm_url, cluster, or service when mixing Cloudera Manager and direct
Impala clusters; otherwise direct clusters inherit irrelevant CM defaults.
{
"clusters": [
{
"id": "cm-prod",
"label": "Cloudera Manager production",
"cluster_type": "cm",
"cm_url": "https://cm-prod.example.com:7183/",
"cluster": "prod_cluster",
"service": "impala",
"ca_bundle": "~/.qdcreds/cm-chain.pem",
"metadata_coordinator": "impala-prod-coordinator.example.com:21000",
"metadata_impala_shell": ".venv-impala-shell/bin/impala-shell"
},
{
"id": "direct-impala",
"label": "Direct Impala",
"cluster_type": "impala",
"impala_profile_hosts": ["impalad-worker-1.example.com"],
"metadata_coordinator": "impala-coordinator.example.com:21000",
"metadata_impala_shell": ".venv-impala-shell/bin/impala-shell"
}
]
}Cluster entries may define target, TLS, direct Impala, Prometheus, metadata,
privacy, redaction, and recent_scan_timezone fields. language, no_llm, web
host/port, Recent scan limits, and output paths are global. Cluster id
values must use only letters, digits, ., _, or -.
Direct query_doctor.cli.batch_recent runs can select one of these entries
with --config-cluster <id>. The selected cluster supplies source, metadata,
runtime-metrics, redaction, and source_visibility settings; explicit CLI
flags still override the selected cluster. For local web runs, omit
source_owner_user unless you intentionally need a fixed owner that differs
from the keytab-derived user.
Reports and Query LLM optimizer can use separate routes. For local Ollama, the
provider and models are enough; the default base URL is
http://localhost:11434.
{
"report_llm_provider": "ollama",
"report_llm_model": "qwen3-coder:30b-a3b-q8_0",
"optimizer_llm_provider": "ollama",
"optimizer_llm_model": "deepseek-coder-v2:16b"
}To switch either route to an external OpenAI-compatible API, change the provider
and add the non-secret base URL. Keep the token in ~/.qdcreds/llm-api.env.
{
"report_llm_provider": "openai_compatible",
"report_llm_model": "report-route-model",
"report_llm_base_url": "https://llm-gateway.example.com",
"optimizer_llm_provider": "openai_compatible",
"optimizer_llm_model": "optimizer-route-model",
"optimizer_llm_base_url": "https://llm-gateway.example.com"
}| Field | Type | Scope | Notes |
|---|---|---|---|
privacy_mode |
boolean | global or cluster | Default on. Makes identifier, hostname, and metadata redaction the default behavior. |
no_llm |
boolean | global only | Disables LLM-backed report and optimizer generation. Reports and optimizer outcomes stay Python-owned. |
redact |
boolean | global | Redacts sensitive profile content for collection. Real profile collection requires redaction. |
redact_identifiers |
boolean | global or cluster | Redacts database, table, and SQL-like identifiers in collected/displayed safe artifacts. |
redact_hosts |
boolean | global or cluster | Replaces infrastructure hostnames/IPs with stable aliases. |
metadata_redact |
boolean | global or cluster | Redacts collected metadata context. Leave enabled unless inspecting private local artifacts only. |
source_visibility |
string | global or cluster | safe or owner_raw. Default safe. owner_raw enables fail-closed owner gating for Recent and Running scans; it does not expose raw browser/report fields by itself. |
source_owner_user |
string | global or cluster | Optional query owner user for owner_raw. Prefer omitting this for local web runs: Query Doctor derives a simple user from QD_SOURCE_OWNER_USER, QD_KRB5_PRINCIPAL, KRB5_PRINCIPAL, or simple principals in QD_KEYTAB. Service principals with / are not accepted for inference. Keytab-derived users are sorted alphabetically, and the first user becomes the default Username selection. |
viewer_identity_header |
string | global | Optional HTTP header name to trust as the authenticated viewer user for shared/D3 web deployments. This is the only Query Doctor D3 application contract: a trusted auth front door authenticates the request, strips inbound copies of that header, and sets exactly one already normalized simple owner value, such as an Active Directory sAMAccountName or Kerberos primary. OIDC/SSO, SAML, SPNEGO/Kerberos, LDAP, MFA, session, logout, and token lifecycle stay at the front door, not inside Query Doctor. Missing, duplicate, UPN/email-style, distinguished-name, group/role-like, opaque-subject, whitespace/display-name, comma-separated, service-principal, or host-principal values are unauthenticated and fail closed for raw source access. |
owner_raw_source_enabled |
boolean | global | Default true. Set false, or pass --disable-owner-raw-source, to disable only the isolated owner-only original source page and Details link. Recent/Running collection owner filters and validated optimizer draft policy keep their existing source_visibility behavior. |
language |
string | global | Global language mode shown in the web header. It controls Help, deterministic Recent Finding body copy, deterministic Details recommendation/explanation body copy, and newly generated trusted report language. Details headings, compact Recent labels, table headers, badges, and technical terms remain English. Supported values: en, ru. Default: en. Existing reports are not regenerated automatically after changing this field. The web header points to this config key without rendering the absolute config path. |
report_llm_provider |
string | global | Report LLM provider: ollama or openai_compatible. |
report_llm_model |
string | global | Report model route name. |
report_llm_base_url |
string URL | global | Non-secret report provider base URL. For external providers, keep tokens in ~/.qdcreds/llm-api.env, not JSON. |
report_llm_chat_path |
string | global | Optional OpenAI-compatible report chat path override. Omit unless your gateway needs a non-standard path. |
optimizer_llm_provider |
string | global | Query LLM optimizer provider: ollama or openai_compatible. |
optimizer_llm_model |
string | global | Query LLM optimizer model route name. optimizer_model remains a legacy alias. |
optimizer_llm_base_url |
string URL | global | Non-secret optimizer provider base URL. For external providers, keep tokens in ~/.qdcreds/llm-api.env, not JSON. |
optimizer_llm_chat_path |
string | global | Optional OpenAI-compatible optimizer chat path override. Omit unless your gateway needs a non-standard path. |
out |
string path | global | Local generated output directory for collector workflows. Do not commit generated output. |
Browser-visible UI and trusted reports must remain raw-free regardless of these
settings. Disabling privacy controls is for private local artifacts only.
source_visibility=owner_raw is not an "unhide everything" switch. It only
narrows Cloudera Manager or direct Impala Recent and Running scans to owner
users and permits the isolated owner-only selected-case source view after a
viewer identity check. On localhost, Query Doctor intentionally treats the
collectable owner users as the local viewer's raw subjects. On non-local binds,
owner_raw requires authenticated viewer identity from viewer_identity_header
behind a trusted proxy/ingress. The header controls only viewer authorization
(C2), not which users the collector may gather as the collection credential
(C1). Query Doctor does not implement native OIDC, SAML, SPNEGO, Kerberos,
LDAP, password, MFA, or session authentication for this path; those mechanisms
must terminate at the front door and produce the same normalized viewer header.
Every isolated owner-raw source page attempt emits a safe server-side audit line
with request id, route source, HTTP status, reason code, viewer mode/source, and
switch state. The audit line must not include SQL, query ids, case ids, query
users, local paths, header values, or secrets.
For shared/non-local deployments, use
owner-raw-d3-deployment.md as the required
deployment checklist before enabling owner_raw; do not expose
viewer_identity_header without a trusted proxy or ingress that strips inbound
copies before setting it.
When the local web wrapper exposes QD_KEYTAB, Query Doctor reads simple
account names from that keytab, sorts them alphabetically, and uses the first
account as the default Username for owner_raw. The keytab path and full
Kerberos principals remain local process data and are not rendered in the
browser.
| Field | Type | Notes |
|---|---|---|
host |
string | Web bind host. Use 127.0.0.1 for normal local operation. |
port |
positive integer | Web bind port. |
web_advanced_settings_enabled |
boolean | Shows the Diagnose Advanced settings disclosure when set to true. Default is hidden. |
web_advanced_filters |
string list | Optional editable filters inside Diagnose Advanced settings. Supported values: user, pool, query_type. When omitted and advanced settings are enabled, user and pool are shown. |
Non-local binds require the explicit web CLI risk flag. They are supported for
shared owner_raw only behind the D3 front-door contract described in
owner-raw-d3-deployment.md; they are not a
general multi-tenant service mode.
Trino local web mode is a bounded local production lane for retained-list Recent diagnosis and
one explicit Query ID. trino_support_mode=beta keeps the existing Trino Beta
label; trino_support_mode=production removes the beta label for the same
bounded raw-free local production surfaces. Recent reads one bounded pruned coordinator
query list after an accepted local query-list source contract, then reads
bounded pruned coordinator QueryInfo payloads through the QueryInfo source
contract for the selected retained rows. One Query ID uses the same bounded
QueryInfo path for one explicit ID. Both paths build raw-free boundaries in
memory and render deterministic compact diagnosis. They do not enable Trino
Running scans, query-history crawling, metadata collection, LLM reports,
Query Optimizer jobs, SQL execution, or generated Trino SQL. They may open the
raw-free Trino Details view, deterministic Python Report, and optimizer guidance
only after the web lane materializes server-owned case artifacts.
Minimal local config shape:
{
"engine": "trino",
"trino_support_mode": "beta",
"trino_coordinator_url": "https://trino-coordinator.example.com",
"trino_query_info_source_contract": "./trino-query-info-contract.json",
"trino_query_list_source_contract": "./trino-query-list-contract.json",
"trino_kerberos_principal": "sa@EXAMPLE.COM",
"trino_krb5_ccname": "FILE:/tmp/krb5cc_query_doctor_trino"
}| Field | Type | Scope | Notes |
|---|---|---|---|
engine |
string | global | Optional default UI engine selection: impala or trino. Browser submits the selected engine explicitly; invalid values are rejected by config validation. |
trino_support_mode |
string | global or cluster | Explicit Trino local mode: off, beta, or production. production uses the same bounded raw-free Recent, One Query ID, materialized Details, Python Report, and optimizer guidance surfaces as local production support and does not enable Running, LLM reports, Query Optimizer jobs, generated SQL, SQL execution, or broader Trino production triage. Public demo mode rejects this setting. |
trino_beta_enabled |
boolean | global or cluster | Legacy beta-only switch for existing local configs. It maps to trino_support_mode=beta when no explicit mode is set and must not be combined with trino_support_mode=production. Public demo mode rejects this setting. |
trino_coordinator_url |
string URL | global or cluster | Trino coordinator base URL used by the bounded pruned QueryInfo and retained query-list readers. Keep it in local config; the browser form does not ask for or render it. |
trino_query_info_source_contract |
string path | global or cluster | Local path to an accepted coordinator_query_info source contract. Required for One Query ID and for fetching facts for selected Trino Recent rows. Relative values resolve from the JSON config file. |
trino_query_list_source_contract |
string path | global or cluster | Local path to an accepted retained coordinator query-list source contract. Required only for Trino Recent. Relative values resolve from the JSON config file. |
trino_auth_header_file |
string path | global or cluster | Optional local file containing one operator-managed Authorization: header line. Store the secret value only in this local file, not in JSON. Relative values resolve from the JSON config file. |
trino_kerberos_principal |
string | global or cluster | Optional local Kerberos/SPNEGO client principal for Trino GET collectors. Do not combine with trino_auth_header_file. |
trino_kerberos_service_name |
string | global or cluster | Optional Kerberos service name for SPNEGO. Defaults to HTTP. |
trino_krb5_ccname |
string | global or cluster | Optional local ticket-cache reference, for example FILE:/tmp/krb5cc_query_doctor_trino. Keep ticket contents out of JSON. |
trino_krb5_config |
string path | global or cluster | Optional local krb5.conf path for the Trino SPNEGO fetcher. Relative values resolve from the JSON config file. |
trino_kerberos_ca_cert |
string path | global or cluster | Optional CA certificate path for the Trino SPNEGO fetcher. Relative values resolve from the JSON config file. |
trino_kerberos_insecure_tls |
boolean | global or cluster | Optional local test-cluster override for the Trino SPNEGO fetcher. Prefer trino_kerberos_ca_cert when possible. |
Cluster entries may carry the same Trino keys when different Trino targets need
separate contracts. The web UI marks configured beta sources as
Trino Beta Recent + One Query ID, Trino Beta Recent, or Trino Beta One Query ID; configured production-mode sources use the same labels without
Beta. The Diagnose Engine control narrows the Source cluster selector to
Impala-capable sources or Trino-ready sources before workflow selection. Forged
or stale Trino submits still fail closed before analysis or async job creation.
The web UI must not render coordinator URLs, auth reference paths/values, raw
QueryInfo, raw query-list payloads, local source-contract paths, or raw SQL.
The standalone query-doctor-trino-metadata-cli-summary command does not add
web config fields. It takes --source-contract, --trino-cli, --server, and
--connector-family explicitly for one local operator run, validates the
metadata allowlist contract, and emits only a sanitized aggregate metadata
summary. It is not wired into Recent, Details, reports, optimizer actions, or
web metadata collection.
| Field | Type | Notes |
|---|---|---|
cm_url |
string URL | Cloudera Manager base URL. Credentials stay in environment variables. |
cluster |
string | Cloudera Manager cluster name. |
service |
string | Impala service name. |
username |
string | Cloudera Manager username. cm_user is accepted as a legacy alias. |
ca_bundle |
string path | PEM CA bundle for verified TLS, often ~/.qdcreds/cm-chain.pem. |
insecure_skip_verify |
boolean | Disables CM TLS verification. Use only for private local diagnostics. |
krb5ccname |
string | Kerberos cache path, for example FILE:/tmp/krb5cc_query_doctor. metadata_krb5ccname is a legacy alias. |
cm_metrics_profile |
string | Cloudera Manager metric compatibility profile, such as cm6 or cm7. |
| Field | Type | Notes |
|---|---|---|
since_hours |
positive integer | Lookback window for collector workflows. |
limit |
positive integer | Maximum profile count for collector workflows. |
min_duration_sec |
non-negative integer | Minimum duration filter. |
max_profile_bytes |
positive integer | Profile text byte cap. |
pool |
string | Optional admission pool filter. |
user |
string | Optional query user filter. |
status |
string | One of succeeded, failed, cancelled, or all. |
query_type |
string | Query type filter, normally QUERY. |
collect_cm_timeseries |
boolean | Collect bounded allowlisted CM time-series summaries. |
cm_timeseries_padding_sec |
non-negative integer | Seconds to pad before and after query time windows. |
max_timeseries_bytes |
positive integer | Maximum bytes per CM time-series response. |
max_timeseries_points |
positive integer | Maximum numeric points to summarize per query. |
| Field | Type | Notes |
|---|---|---|
recent_limit |
positive integer | Maximum query summaries to inspect. |
recent_select |
positive integer | Maximum candidates selected for deeper analysis. |
recent_window_minutes |
positive integer | Lookback window for CLI Recent scans and web Finished-query scans. Large windows can increase load on Cloudera Manager, direct Impala UI endpoints, and optional Prometheus collection; use filters where possible. |
recent_min_duration_sec |
non-negative number | Lower duration bound. |
recent_max_duration_sec |
non-negative number | Upper duration bound. |
recent_order |
string | One of recent, duration-desc, duration-asc, recent-duration-desc, or status-priority. |
recent_output_json |
string path | Optional sanitized recent candidate JSON output path. |
recent_include_failed |
boolean | Include failed queries in candidate selection. |
recent_include_running |
boolean | Include running queries in candidate selection. |
recent_user |
string | Optional recent-query user filter. |
recent_pool |
string | Optional recent-query pool filter. |
recent_scan_timezone |
string | IANA timezone retained for explicit date/hour helper paths. Web Finished-query scans use recent_window_minutes by default. This field can also be set per cluster. |
recent_parallelism |
positive integer | Overall Recent scan worker limit. |
recent_cm_jobs |
positive integer | CM profile/context worker limit. Repeated CM profile HTTP 5xx responses stop new profile submissions and produce a safe summary warning. |
recent_cm_summary_limit |
positive integer | CM summary scan cap. |
recent_profile_analysis_limit |
positive integer | Profile analysis cap. |
recent_metadata_jobs |
positive integer | Metadata refresh worker limit. |
recent_metadata_top_limit |
non-negative integer | Maximum number of top collectable cases eligible for metadata refresh. |
recent_collect_cm_events |
boolean | Collect bounded CM event context when supported. |
recent_cm_events_max_events |
positive integer | Maximum CM events to summarize. |
recent_collect_cm_timeseries |
boolean | Collect bounded CM runtime metrics when supported. |
recent_cm_timeseries_top_limit |
non-negative integer | Number of top cases eligible for CM time-series refresh. |
collect_workload_history / recent_collect_workload_history |
boolean | Opt in to local workload fingerprint baseline history and regression labels. |
workload_history_path / recent_workload_history_path |
string path | Optional local JSONL path for workload history. Defaults to ~/.query-doctor/workload_history.jsonl. |
workload_history_max_bytes / recent_workload_history_max_bytes |
positive integer | Rotate the local workload history file before appending when it exceeds this size. |
In the web Diagnose flow, Minimum duration (sec) is intentionally blank by
default even when recent_min_duration_sec exists in local config. An empty web
field sends no lower-duration filter so long-query and repeated-short workload
patterns remain available; enter a value in the field when you want the web scan
to narrow to longer-running queries.
Recent and Running web workflows do not auto-run LLM reports or optimizer jobs.
The default Diagnose form keeps source, scan target, time window, duration, and
required owner filters in the browser. Optional recent_user, recent_pool,
and query_type filters can remain config defaults, or can be made editable by
setting web_advanced_settings_enabled=true and web_advanced_filters.
Worker-count settings such as recent_parallelism and recent_metadata_jobs
are intended as local config defaults or explicit request overrides, not normal
per-scan browser choices.
| Field | Type | Scope | Notes |
|---|---|---|---|
corpus_dir |
string path | global | Optional output directory for web-collected or web-staged Query ID cases. query-doctor-web --corpus-dir overrides this config value. Relative config values resolve from the config file; relative CLI values resolve from the current directory. Defaults to cases/cm-corpus under the directory where query-doctor-web starts. When it already contains complete query-doctor-analyze --profile-text cases, the web UI can start without CM settings or default local config discovery and render those staged exported profiles automatically. |
manual_profile_dir |
string path | global or cluster | Optional local directory of exported Apache Impala text profiles for Known Query ID analysis. Name each file with the Query ID slug, for example <query-id-slug>.txt after replacing the Query ID separator with _. The web UI stages matching files through the existing manual-profile analyzer path and does not upload raw profile text through the browser. If the file contains an embedded Query ID for a different query, staging fails closed before replacing any existing case. |
manual_profile_dir is a local-first fallback for one exported profile. It
does not enable Recent scans, Running scans, Cloudera Manager metrics/events,
direct impalad collection, metadata collection, report generation, or optimizer
actions by itself. When it is the only configured source, Known Query ID fails
closed if the matching profile file is absent instead of falling back to live
collection.
Minimal manual-only web config:
{
"manual_profile_dir": "./profile-inbox",
"corpus_dir": "./query-doctor-cases",
"no_llm": true
}| Field | Type | Scope | Notes |
|---|---|---|---|
cluster_type / query_profile_source |
string | global or cluster | cm or impala. Prefer cluster_type in user configs; query_profile_source remains the internal/legacy name. Use impala for direct daemon endpoints. |
impala_profile_hosts |
string list | global or cluster | One or more impalad debug web hosts or host:port values. |
impala_profile_port |
positive integer | global or cluster | Default daemon web port for hosts without a port. |
impala_profile_scheme |
string | global or cluster | http or https. |
impala_profile_timeout_sec |
positive integer | global or cluster | Per-request timeout. |
impala_profile_prefer_json |
boolean | global or cluster | Optional compatibility probe. When true, direct Impala collection tries a JSON profile endpoint first and falls back to text endpoints for older Impala versions. Default is false. |
impala_profile_collect_docs |
boolean | global or cluster | Optional /profile_docs/?json counter-stability probe with /profile_docs HTML fallback. When true, direct Impala collection writes a safe allowlisted counter registry context when the endpoint is available as JSON-style docs or a Web UI HTML table. Missing endpoints are non-fatal. Default is false. |
impala_collect_admission_context |
boolean | global or cluster | Optional /admission?json aggregate pool-context probe. When true, direct Impala collection writes only bounded safe summaries such as queue presence, queue-time bucket, pool pressure, and freshness. Missing endpoints are non-fatal. Default is false. |
impala_kerberos_service_name |
string | global or cluster | Kerberos service token, such as impala or hive. |
Impala completed profile log files are separate from the online coordinator
query log used by /queries and /profile. Query Doctor does not currently
read profile_log_dir, pod filesystems, node filesystems, Loki, OpenSearch, or
other external history indexes for direct Recent scans. A future profile-log or
external-history ingestion path must be operator-configured, read-only,
allowlisted, byte-bounded, time-window-bounded, and raw-free at the
browser/report boundary. It must not let the web UI run ssh, kubectl exec,
kubectl cp, arbitrary filesystem reads, arbitrary log-index queries, or
credential entry against Impala nodes, pods, or external stores.
| Field | Type | Scope | Notes |
|---|---|---|---|
collect_prometheus_timeseries |
boolean | global or cluster | Enables bounded Prometheus runtime metric summaries for direct Impala workflows. |
prometheus_url |
string URL | global or cluster | Prometheus base URL. Do not include credentials, query parameters, or fragments. |
prometheus_metrics_profile |
string | global or cluster | Metrics compatibility profile, such as ambari-hadoop. |
prometheus_step_sec |
positive integer | global or cluster | Query step in seconds. |
prometheus_timeseries_padding_sec |
non-negative integer | global or cluster | Seconds to pad around query windows. |
Prometheus collection uses allowlisted PromQL and writes summarized facts only. It does not write raw time-series responses or labels. Treat Prometheus host-level metrics as shared runtime context when multiple Impala deployments can run on the same hosts; Query Doctor only strengthens runtime hypotheses when selected-query profile evidence correlates the signal.
| Field | Type | Scope | Notes |
|---|---|---|---|
metadata_coordinator |
string | global or cluster | Impala coordinator HOST:PORT. |
metadata_impala_shell |
string path | global or cluster | impala-shell executable. |
metadata_auth |
string | global or cluster | Only kerberos is supported. |
metadata_protocol |
string | global or cluster | beeswax, hs2, or hs2-http. |
metadata_ssl |
boolean | global or cluster | Enables TLS for impala-shell. |
metadata_ca_cert |
string path | global or cluster | CA certificate for metadata TLS. |
metadata_kerberos_service_name |
string | global or cluster | Kerberos service token for metadata, such as impala or hive. |
metadata_kerberos_host_fqdn |
string | global or cluster | Optional Kerberos host override for load-balanced metadata coordinators. Passed to impala-shell --kerberos_host_fqdn. |
metadata_timeout_sec |
positive integer | global or cluster | Optional per-command timeout override. Omit to use the built-in default. |
metadata_max_tables |
positive integer | global or cluster | Optional maximum tables override for each metadata run. Omit to use the workflow default. |
metadata_max_output_bytes |
positive integer | global or cluster | Optional metadata output byte limit override. Omit to use the built-in default. |
metadata_redact |
boolean | global or cluster | Redacts metadata output before artifacts are written. |
Metadata collection is read-only, allowlisted, bounded, explicit, and redacted. Default metadata limits are intentionally omitted from the example config; add these fields only when a local environment needs different bounds.
The config loader rejects:
- unknown fields;
- duplicate canonical aliases, such as both
usernameandcm_user; - secret-looking keys such as
password,token,secret, orauthorization; - Prometheus URLs that include credentials, query parameters, or fragments;
- invalid enum values and invalid integer/boolean types.
This fail-closed behavior is intentional. A typo in local config should stop startup instead of silently changing collection scope.