Okera Configuration Parameter Reference¶

The following table describes the configuration parameters you can use in Okera's configuration file.

Parameter	Description
`APPLY_INVERSE_MAP_ON_WRITE`	Indicates whether the cluster should invert the bucket names when a write is attempted on a follower cluster in an active/active environment. Valid values are `true`(bucket names are inverted) or `false`(bucket names are not inverted). Follower clusters should always set this to `true`; primary clusters should always set this to `false`. There is no default.
`AUDIT_LOGS_SYNC_FREQUENCY_MINS`	Defines the frequency at which Okera synchronizes audit logs. Valid values range from 1 minute to 180 minutes (3 hours). When not specified, the default is 30 minutes. If you specify a value larger than 180 minutes, Okera defaults to 180 minutes.
`AUTOTAGGER_CONFIGURATION`	Specifies the JSON file that contains autotagging rules for Okera. The valid setting for this is the path to a JSON file that contains the rules for autotagging. Okera is distributed with an autotagging JSON file automatically at `/opt/okera/data/autotagger-config-wellknowns.json`.
`AWS_USE_IMDS_V2`	Enables or disables the use of AWS Instance Metadata Service version 2 (IMDSv2). Valid values are `true` (enable use of IMDSv2) or `false` (disable use of IMDSv2). The default is `false`. If IMDSv2 is enabled, the EC2 instance metadata option `HttpPutResponseHopLimit` must be greater than `1`.
`BLOCK_WEB_UI_FOR_MOBILE_CLIENTS`	Enables or disables blocking of the Okera UI on mobile devices and tablets. Valid values for this parameter are `true` (the UI is blocked on mobile devices and tablets) and `false` (the UI is not blocked on mobile devices and tablets). The default is `false`.
`BUCKET_TO_ROLE_MAP_FILE`	Specifies the path to the file that should be used for Amazon S3 assume secondary role support.
`CATALOG_ADMINS`	Defines a list of Okera system administrators. Specify the Okera user names in a comma-separated list and specify the list (if there is more than one administrator) in quotes. In this example, users `jane` and `mike` are defined as system administrators: `CATALOG_ADMINS: "jane,mike"`. By default, user `admin` is always a system administrator.
`CATALOG_DB_CLIENT_CERT`	If you are using mutual, or two-way authentication, this parameter specifies the TLS certificate for the MySQL database client used for Okera metadata storage. This parameter is only needed for TLS support.
`CATALOG_DB_CLIENT_CERT_KEY`	If you are using mutual, or two-way authentication, this parameter specifies the private key for the MySQL client TLS certificate. This parameter is only needed for TLS support.
`CATALOG_DB_CONN_PARAMS`	Specifies optional parameters for the Okera database URL specified in the `CATALOG_DB_URL` parameter. Valid Postgres parameters are described in the Postgres documentation. Valid MySQL parameters are described in the MySQL documentation.
`CATALOG_DB_ENGINE`	Defines the Hive metastore (HMS) database engine type. Valid values are `mysql` and `postgres`. For example, `CATALOG_DB_ENGINE: mysql` or `CATALOG_DB_ENGINE: postgres`.
`CATALOG_DB_HMS_DB`	Defines the name of an existing Hive metastore (HMS) database for use with Okera. Okera will use the existing HMS objects in the HMS. See Database Configuration.
`CATALOG_DB_OKERA_DB`	Defines the name of an existing database in the Okera Hive metastore where Okera stores metadata. See Database Configuration.
`CATALOG_DB_PASSWORD`	Defines the password, preferably using secrets, for the HMS database. Okera does not recommend specifying plain text passwords in configuration files.
`CATALOG_DB_SENTRY_DB`	Defines the name of an existing Sentry database in the Okera Hive metastore where Okera stores metadata. Okera requires read and write access to this database. See Database Configuration.
`CATALOG_DB_SERVER_CERT`	Specifies the SSL/TLS certificate for the MySQL or Postgres database server used to store Okera metadata.
`CATALOG_DB_SSL`	Indicates whether SSL or TLS support is enabled for the MySQL or Postgres database used for Okera metadata storage. Set this parameter to `"true"` to enable configurable SSL or TLS support or `false` to disable SSL or TLS support. The default value is `"false"`.
`CATALOG_DB_URL`	Defines the URL to your Okera Hive metastore.
`CATALOG_DB_USER`	Defines the user name that should be used to access you Okera Hive metastore.
`CATALOG_DB_USERS_DB`	Defines the name of an existing database in the Okera Hive metastore where Okera stores metadata. See Database Configuration.
`CLUSTER_LABEL`	Specifies a label name for the Okera cluster. For example, `CLUSTER_LABEL: dev`.
`CLUSTER_NAME`	Specifies a name for the Okera cluster. For example, `CLUSTER_NAME: Dev Cluster`.
`CUSTOM_GROUP_RESOLVERS`	For example, `CUSTOM_GROUP_RESOLVERS: <java-path1>, <java-path2>`.
`DELTA_TABLE_NATIVE_SUPPORT`	Selects the type of Delta Lake table support for the entire Okera cluster. Valid values for this parameter are `true` (use native support) and `false` (use the original manifest-required support). The default is `false`.
`ENABLE_DENY`	One of three configuration properties that must be set to `true` to enable safeguard policy functionality in Okera. Valid values are `true` and `false`. The default is `false`.
`ENABLE_HMS_2_SCHEMA`	Enables and disables use of the HMS v2 schema. Valid values are `true` (use the HMSv2 schema) and `false` (use the HMS v1 schema). The default is `false`.
`ENABLE_LEGACY_URI_CHECKS`	Enables and disables the ALL grant requirement for the `CREATE TABLE` and `ALTER TABLE SET LOCATION` statements. Valid values are `true` (require an ALL grant) and `false` (do not require an ALL grant). The default is `false`.
`ENABLE_PARAMETRIZED_GRANTS`	Enables and disables the ability to reference dynamic parameters in URI, database, and table grants. Valid values are `true` (you can reference dynamic parameters) and `false` (you cannot reference dynamic parameters). The default is `false`.
`ENABLE_PARAMETRIZED_URI_GRANTS`	Enables and disables the ability to reference dynamic parameters in a URI when doing a permission grant. Valid values are `true` (you can reference dynamic parameters) and `false` (you cannot reference dynamic parameters). The default is `false`.
`ENABLE_POLICY_PROPERTIES`	One of three configuration properties that must be set to `true` to enable safeguard policy functionality in Okera. Valid values are `true` and `false`. The default is `false`.
`ENABLE_ROLE_PROPERTIES`	One of three configuration properties that must be set to `true` to enable safeguard policy functionality in Okera. Valid values are `true` and `false`. The default is `false`.
`ENABLE_TASK_ENCRYPTION`	Enables nScale task encryption. Valid values are `true` and `false`. When this is set to `true` and the `TASK_ENCRYPTION_KEY` configuration parameter is not specified, Okera attempts to use the `JWT_PRIVATE_KEY` configuration parameter setting, if it is specified. If neither are specified, an error occurs. See Configuration File Encryption Settings for nScale.
`ENABLE_USERS_FILE`	Enables and disables the use of a user's file. This parameter is reserved for use by Okera for demos and should not be used in customer production environments. Valid values are `true` and `false`. The default is `false`.
`EXTERNAL_OKERA_SECURE_POLICY_DB`	Specifies the database in which Okera's supplied user-defined functions (UDFs) are stored. If this parameter is not specified, the default `OKERA_UDFS` is used.
`EXTERNAL_OKERA_SECURE_POLICY_SCHEMA`	Specifies the schema in which Okera's supplied user-defined functions (UDFs) are stored. If this parameter is not specified, the default `PUBLIC` is used.
`GO_ACCESS_PROXY_CACHE_LOG_PERIOD`	Defines the period, in seconds, at which OkeraEnsemble logs assumed role credential cache statistics. The default is `0` (zero) seconds, which disables logging. When this parameter is set to any value greater than zero, logging occurs at the time intervals specified by this parameter.
`GROUP_RESOLUTION_GOOGLE_APPLICATION_CREDENTIALS`	Provides the fully qualified path to a credentials JSON file for a GCP service account with appropriate admin privileges. The path can be a container path (the JSON file is mounted to the container by Kubernetes), an Amazon S3 (`s3:`) path, or an ADLS (`adl:`) path. This configuration parameter is used in conjunction with the `GSUITE_GROUP_ADMIN_EMAIL` and `GROUP_RESOLVER_SCRIPTS` configuration settings to provide group resolution in Google Cloud Platform (GCP) environments. See Sample GCP Group Resolution Script.
`GROUP_RESOLVER_LDAP_BASE_DN`	Specifies the base distinguised name (DN) to use for LDAP group resolution, if the username appears in the DN.
`GROUP_RESOLVER_LDAP_GROUP_BASE_DN`	Specifies the base DN (distinguished name) for groups during group resolution. The LDAP server will use this base DN in its group searches during authentication processing.
`GROUP_RESOLVER_LDAP_GROUP_SEARCH_FILTER`	Specifies the group search filter used to limit LDAP queries to only return group-type objects during LDAP group resolution.
`GROUP_RESOLVER_LDAP_HOST`	Specifies the URL for the LDAP server to use for group resolution.
`GROUP_RESOLVER_LDAP_MEMBER_FIELD_NAME`	Specifies an LDAP user name to limit the search to only groups in which the user is a member.
`GROUP_RESOLVER_LDAP_PASSWORD`	Specifies the service account password used for LDAP group resolution. The LDAP username and password can be specified as clear text (plaintext). However, Okera discourages the use of clear text. Okera recommends, instead, the use of secret files with the Okera configuration parameters set to the paths to secret files.
`GROUP_RESOLVER_LDAP_PORT`	Specifies the port number of the LDAP server to use for group resolution. Port values are typically `389` (non-SSL connections) or `636` (SSL connections).
`GROUP_RESOLVER_LDAP_USE_SSL`	Enables and disables SSL use for LDAP group resolution. Valid values are `true` (enable SSL) and `false` (disable SSL).
`GROUP_RESOLVER_LDAP_USER_BASE_DN`	Specifies the base DN (distinguished name) for users during group resolution. The LDAP server will use this base DN in its user searches during authentication processing.
`GROUP_RESOLVER_LDAP_USER_SEARCH_FILTER`	Specifies the user search filter used to limit LDAP queries to only return group-type objects during LDAP group resolution.
`GROUP_RESOLVER_LDAP_USER`	Specifies the service account username used for LDAP group resolution. The LDAP username and password can be specified as clear text (plaintext). However, Okera discourages the use of clear text. Okera recommends, instead, the use of secret files with the Okera configuration parameters set to the paths to secret files.
`GROUP_RESOLVER_SCRIPTS`	Specifies the paths to the group resolver scripts. Paths can be a local file, an Amazon S3 path, or an ADLS path. See Custom Script-Sourced Group Resolution.
`GSUITE_GROUP_ADMIN_EMAIL`	Provides the email of a GCP user with appropriate administrative privileges. This configuration parameter is used in conjunction with the `GROUP_RESOLUTION_GOOGLE_APPLICATION_CREDENTIALS` and `GROUP_RESOLVER_SCRIPTS` configuration settings to provide group resolution in Google Cloud Platform (GCP) environments. See Sample GCP Group Resolution Script.
`INIT_WITH_GRANT_OPTION`	Controls whether the supplied `admin_role` in Okera has the `WITH GRANT OPTION` or not. Valid values are `true` (the `admin_role` has the `WITH GRANT OPTION`) and `false` (the `admin_role` does not have the `WITH GRANT OPTION`). The default is `false`. If the `admin_role` is not assigned the `WITH GRANT OPTION`, Okera admins cannot edit permissions in Okera.
`IS_FOLLOWER`	Indicates whether the cluster is a follower cluster in an active/active environment. Valid values are `true` (it is a follower cluster) and `false` (it is not a follower cluster). There is no default.
`JDBC_LOAD_DEFINITION_ABORT_ON_ERROR`	Indicates whether dataset registration should fail when an error occurs and you are registering multiple datasets. Valid values are `true` (abort dataset registration) and `false` (do not abort dataset registration). The default is `true`. (The number of tables added/skipped/failed can be determined by reviewing the `okera.jdbc.tables-XXX` properties on the database.)
`JWT_ALGORITHM`	Specifies the algorithm used by JWT. Valid values are `RSA256` and `RSA512`. `RSA512` is the default. You can specify multiple, comma-separated values, just as with `JWT_PUBLIC_KEY`. The order of the values must match the order specified for the corresponding `JWT_PUBLIC_KEY`. See Public and Private Key Validation.
`JWT_AUTHENTICATION_SERVER_URL`	Specifies the JWT URL for remote endpoint validation. See Remote Endpoint Validation.
`JWT_JWKS_URL`	Specifies the URL of your OAuth identity provider (for example Okta, Auth0, or AzureAD). Okera uses this to dynamically fetch the appropriate public key needed for OAuth authentication.
`JWT_PRIVATE_KEY`	Specifies the path to the private key used to encode Okera-generated JWTs. Private keys should not be specified as multiple, comma-separated values. See Public and Private Key Validation.
`JWT_PUBLIC_KEY`	Specifies the path to the public key used to decode JWTs. You can specify multiple, comma-separated JWT public keys. When used to decode an incoming token, they are attempted in the order specified. See Public and Private Key Validation.
`LDAP_BASE_DN`	Specifies the base distinguised name (DN) to use for LDAP authentication, if the username appears in the DN.
`LDAP_BIND_TEMPLATE`	Specifies the bind template that should be used for LDAP authentication. For example, `cn=%s,ou=users,dc=company,dc=com`.
`LDAP_DOMAIN`	Specifies the LDAP domain to use for LDAP authentication. Specifying `LDAP_BIND_TEMPLATE` and `LDAP_BASE_DN` is preferable to specifying `LDAP_DOMAIN`.
`LDAP_HOST`	The URL for the LDAP server to use for LDAP authentication.
`LDAP_PORT`	The port number of the LDAP server. Port values are typically `389` (non-SSL connections) or `636` (SSL connections).
`LDAP_USE_SSL`	Enables and disables SSL use for LDAP authentication. Valid values are `true` (enable SSL) and `false` (disable SSL).
`LDAP_USER_QUERY_PASSWORD`	Specifies the user query service password used by Okera for LDAP authentication.
`MAINTENANCE_TASKS_THREAD_LIMIT`	Specifies the maximum number of Okera background tasks that can run concurrently. Valid values are positive integers. The default is `1`. If you need to set this value higher than `8`, please contact Okera technical support.
`MAX_REQUEST_SIZE_BYTES`	Specifies the byte size limit above which queries are rejected. The default value is `52751601` bytes, which is approximately 52MB.
`OAUTH_PROVIDER`	Required if you are using Google OAuth as your authorization provider. This parameter is not required for any other authorization provider. The only valid value is `google`. For example, `OAUTH_PROVIDER: google`.
`OAUTH_SCOPES`	Specifies a list of scopes that determines which information the OAuth service provider will allow the user to access once the token is obtained. For example, `OAUTH_SCOPES: openid profile email api://<xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx>/okera/okera_auth_scope`.
`OAUTH_SECRETS`	Specifies the location of your OAuth secrets file. For example,`OAUTH_SECRETS: file:///etc/okera/client_secrets.json`.
`OKERA_ALLOW_IMPERSONATION`	Enables and disables Presto user impersonation. Valid values are `true` (enable Presto user impersonation) and `false` (disable Presto user impersonation). The default is `false`.
`OKERA_ALLOWED_DELEGATION_USERS`	A comma-separated list of usernames allowed to impersonate other users. See Presto User Impersonation. There is no default.
`OKERA_ASSUME_ROLE_DURATION_SECONDS`	Determines the duration, in seconds, that assumed role credentials are valid. For OkeraEnsemble access proxy processing, this default is `3600` seconds. For regular Amazon S3 processing, the default is `900` seconds.
`OKERA_CTE_REWRITE_ENABLED_ENGINES`	Identifies the Okera connection types that should use proxy pushdown processing. Use commas to separate values. Valid values are `awsathena`, `bigquery`, `dremio:direct`, `mysql`, `oracle:thin`, `postgresql`,`redshift`, and `sqlserver`. For example, `OKERA_CTE_REWRITE_ENABLED_ENGINES: awsathena,bigquery,postresql`.
`OKERA_GLUE_SILENCE_TBL_PAGINATOR_500`	Enables and disables Okera's silencing of unknown Glue errors that can affect the dataset counts on the Data page in the Okera UI. Valid values are `true` (silence the errors) and `false` (don't silence the errors). The default is `false`. You only need to set this configuration parameter if you notice that the dataset counts on the Data page are not populated correctly in your Glue environment.
`OKERA_LEGACY_TOKEN_ESCAPE`	Enables or disables token escape processing in Okera when the token is included as a query argument in the URL. Valid values are `true` (enables token escape processing) and `false` (disable token escape processing). The default is `false`.
`OKERA_SCRIPTS_DIR`	Specifies the location of the Okera allowed scripts directory. By default, this is `/opt/scripts`. Okera will only run scripts from its allowed scripts directory. It automatically makes the scripts specified in the `USER_ATTRIBUTES_SCRIPT` and `GROUP_RESOLVER_SCRIPTS` configuration parameters available in this directory, with the right permissions. See Custom Script User Attributes and Custom Script-Sourced Group Resolution.
`OKERA_SECRET_PREFIX`	Specifies any prefix string you want that will help you identify that a secret is generated and used by Okera. The prefix is appended in the string for the secrets file name. There is no default. This parameter is required if you use plaintext credentials in your connection definitions.
`OKERA_SECRET_STORE`	Specifies the type of secrets manager (AWS, Azure, or GCP) or Kubernetes path used to store the generated secret files. Valid values are `AWSSM` (AWS Secrets Manager), `AWSPS` (AWS Parameter Store), `AZUREKV` (Azure Key Vault), `FILE` (the Kubernetes path), or `GCPSM` (GCP Secret Manager). This parameter is required if you use plaintext credentials in your connection definitions.
`OKERA_STAGING_DIR`	Specifies the path to the storage location for Okera audit logs.
`OKERA_SYSTEM_IAM_ROLE_ARN`	Specifies the IAM Amazon Resource Name (ARN) associated with the Okera cluster for use by OkeraEnsemble when it is deployed in nScale mode. See OkeraEnsemble nScale Mode Deployment in Amazon EMR Environments
`PATH_PREFIX_MAP_FILE`	Identifies the location of the mapping file for the cluster in an active/active environment.
`PLANNER_API`	Specifies the Okera Policy Engine (planner) API port. The default is `12050`. This port is required for all clients to access metadata and data.
`podCidr`	Used for the Kubernetes cluster, this parameter specifies the pod IP address block of the CIDR blocks used for internal communication in Okera. For example, `podCidr: "172.23.0.0/16"`. The CIDR blocks should not overlap with CIDR blocks currently being used, including the VPC. For example, these changes should not be within the VPC range.
`POLICY_SYNC_INTERVAL`	Specifies how often Okera synchronizes Okera policies with Snowflake during process synchronization. Values are specified as a combination of a number and a one or two-letter code that represent the units. Valid unit codes are `ns` (nanoseconds), `us` (microseconds), `ms` (milliseconds), `s` (seconds), `m` (minutes), and `h` (hours). For example, `1h` is one hour and `5000ms` is 5000 milliseconds. The default is `30m` (30 minutes).
`POLICY_SYNC_ROLE_PATTERN`	Specifies the Snowflake role pattern that Okera should use when syncing Okera policies. The default is `OKERA_%s`, where `%s` is replaced by the user name. Note: The specified role pattern must not match the Okera service role name (default `SERVICE_OKERA_ROLE`).
`POLICY_SYNC_SCHEDULER_ENABLED`	Enables and disables Okera policy synchronization with Snowflake. Valid values are `true` (enable policy synchronization) and `false` (disable policy synchronization). The default is `false`.
`POLICY_SYNC_USERS_ALLOWED_LIST`	Specifies the users for whom Okera policies should be synced. Valid values for this parameter are either a list of Snowflake users or a Snowflake tag and value (Snowflake users with the tag set to the value will be synced). These are the users for whom Okera manages the Snowflake connection. If no list or tag is specified, all Snowflake users are synced.
`portRange`	Used for the Kubernetes cluster, this parameter specifies the port range of the CIDR blocks used for internal communication in Okera. For example, `portRange: "1025-65535"`. The CIDR blocks should not overlap with CIDR blocks currently being used, including the VPC. For example, these changes should not be within the VPC range.
`PRESTO_API`	Specifies the port to access the Presto API endpoint for users connecting via JDBC. The default is `14050`.
`PRESTO_ENABLE_PROXY`	Enables and disables Okera proxy mode. Valid values are `true` (enable proxy mode) and `false` (disable proxy mode). The default is `true`.
`PRESTO_ENABLE_QUERY_LOGGING`	Enables and disables Presto query logging. Valid values for this new configuration parameter are `true` (enable Presto query logging) and `false` (disable Presto query logging). The default is `false`.
`PRESTO_HTTP_CLIENT_MAX_CONNECTIONS_PER_SERVER`	Customizes the Presto configuration property (`http-client.max-connections-per-server`) that controls the maximum number of concurrent connections for a server. If this parameter is not specified, the values specified in your Presto environment are used (usually 20 for this parameter).
`PRESTO_HTTP_CLIENT_MAX_REQUESTS_QUEUED_PER_SERVER`	Customizes the Presto configuration property (`http-client.max-requests-queued-per-destination`) that controls the maximum number of requests queued per destination. If this parameter is not specified, the values specified in your Presto environment are used (usually 1024 for this parameter).
`PRESTO_PROXY_DEBUG_ENABLED`	Enables and disables proxy debugging. Valid values are `true` (enable debugging) and `false` (disable debugging). The default is `true`.
`PRESTO_PROXY_JDBC_PUSHDOWN`	Enables and disables pushdown processing for JDBC-based connections. Valid values are `true` (enable pushdown processin) and `false` (disable pushdown processing). The default is `true`.
`PRESTO_RESOURCE_GROUP_FILE_LOCATION`	Identifies the location of a JSON file that contains the Presto resource group definition. Information about the contents of this file can be found in Resource Groups.
`PRESTO_SHOULD_USE_RESOURCE_GROUPS`	Enables or disables the file-based configuration manager for Presto. Valid values are `true`(enable the file-based configuration manager) and `false` (disable the file-based configuration manager). The default is `false`.
`REST`	Specifies the Okera UI/REST port. The default is `8083`.
`REST_SERVER_ENABLE_ACCESS_PROXY`	Enables or disables the OkeraEnsemble Amazon S3 access proxy. Valid values are `true` (enable the access proxy) and `false` (disable the access proxy).
`RESTRICTED_UDFS`	Restricts the use of Okera privacy functions and user-defined functions (UDFs) to Okera administrators only. Valid values for this parameter are a comma-separated list of function names. Use of any functions listed in the parameter require administrator privileges.
`REST_SERVER_LOG_LEVEL`	Specifies the message logging level for the REST server log. Valid values are `DEBUG`, `INFO`, `WARNING`, `ERROR`, and `CRITICAL`. The default is `DEBUG`.
`RS_ARGS`	Specifies various configuration options. See RS_ARGS Options.
`serviceCidr`	Used for the Kubernetes cluster, this parameter specifies the IP address range for the service network CIDR blocks used for internal communication in Okera. For example, `serviceCidr: "172.34.0.0/16"`. The CIDR blocks should not overlap with CIDR blocks currently being used, including the VPC. For example, these changes should not be within the VPC range.
`SENTRY_BACKGROUND_LOAD_THREADS`	Overrides the background in-parallel load default of `2` for active/active deployments. Specify the number of roles that should be loaded in parallel in the background of an active/active environment.
`SENTRY_INITIAL_LOAD_THREADS`	Overrides the initial in-parallel load default of `12` for active/active deployments. Specify the number of roles that should be loaded in parallel when an active/active environment is initially started.
`SIGNED_URL_EXPIRY_TIMEOUT_SECS`	Specifies the number of seconds for which presigned URLs in an nScale task are valid. If this time expires before the task completes, errors occur. The default is 7200 seconds (120 minutes).
`SKIP_OBJECT_CHECKS_ON_GRANT`	Enables or disables the ability to enable grants for a nonexistent database or table object. Valid values are `true` (enable the ability to enable grants for a nonexistent database or table object) and `false` (disable the ability to enable grants for a nonexistent database or table object). The default is `false`.
`SSL_CERTIFICATE_FILE`	Specifies the path to the SSL certificates file.
`SSL_KEY_FILE`	Specifies the path to the SSL key file.
`SYSTEM_DB_CONNECTION_URL_SUFFIX`	This configuration parameter is a global Aurora RDS setting that enables Aurora RDS to perform write forwarding. It must always be set on follower clusters in an active/active environment. The only valid value is `sessionVariables=aurora_replica_read_consistency='session'`.
`SYSTEM_TOKEN`	Specifies the path to the JWT system token used for interservice communication. The JWT system token has a sub of `okera` and groups of `root`. See System Token.
SYSTEM_TOKEN``SYSTEM_TOKEN_DURATION_MIN	Specifies the duration, in minutes, of the JWT system token. Valid values are positive integers. The default value is equivalent to one day (1440 minutes).
`TASK_ENCRYPTION_KEY`	Specifies the path of the file containing the encryption and decryption key for nScale. See Configuration File Encryption Settings for nScale.
`TRANSFORM_UDF_PRIORITIES`	Specifies the priority order of transformation functions in Okera. Values for this property are the transformation function names, specified in sequence, and separated by commas. See Prioritization of Transformations.
`TZ`	Specifies your time zone. For example, `TZ: "America/New_York"`.
`UI_TIMEOUT_MS`	Specifies the number of milliseconds the UI will wait before cancelling requests. The maximum value is `60000` milliseconds (or 60 seconds). The default is `30000` milliseconds (30 seconds).
`USER_ATTRIBUTES_SCRIPT`	Specifies the paths to the user attribute scripts. Paths must be a local file. See Custom Script User Attributes.
`USERS_FILE_LDAP`	Specifes the path to a JSON user's file. This parameter is reserved for use by Okera for demos and should not be used in customer production environments.
`WATCHER_AUDIT_LOG_DST_DIR`	Specifies the path or URL to ADLS or Google Cloud storage where Okera audit logs will be stored. For example, `WATCHER_AUDIT_LOG_DST_DIR: s3://company/okera/logs/audit`.
`WATCHER_LOG_DST_DIR`	Specifies the path or URL to ADLS or Google Cloud storage where Okera operational logs will be stored. For example, `WATCHER_LOG_DST_DIR: s3://company/okera/logs`.
`WATCHER_LOG_PARTITIONED_UPLOADS`	Enables and disables Okera partitioned operational log uploads. Valid values are `true` (enable partitioned operational log uploads) and `false` (disable partitioned operational log uploads). The default is `false`.
`WATCHER_S3_ENCRYPT`	Enables and disables Okera audit log encryption. Valid values are `true` (enable encryptions) and `false` (disable encryption). The default is `true`.
`WATCHER_S3_REGION`	Specifies the geographical region for logging. For example, `WATCHER_S3_REGION: us-east-1`.
`WORKER_API`	Specifies the Okera Enforcement Fleet worker API port. The default is `13050`. This port is required for all clients to access metadata and data.