Configuring Impala Web UI

As an administrator, you can diagnose issues with each daemon on a particular host, or perform other administrative actions such as cancelling a running query from the built-in web server's UI. The built-in web server is inlcuded within each of the Impala-related daemons. By default, these web servers are enabled. You can turn them off in a high-security configuration where it is not appropriate for users to have access to this kind of monitoring information through a web interface.

Enabling and Disabling Access to Impala Web Servers

By default, these web servers are enabled. You might turn them off in a high-security configuration where it is not appropriate for users to have access to this kind of monitoring information through a web interface.

To enable or disable Impala Web Servers for Web UI in Cloudera Manager:

  • Impala Daemon
    1. Navigate to Clusters > Impala Service > Configuration.
    2. Select Scope > Impala Daemon .
    3. Select Category > Ports and Addresses.
    4. Select or clear Enable Impala Daemon Web Server.
    5. Click Save Changes, and restart the Impala service.
  • Impala StateStore
    1. Navigate to Clusters > Impala Service > Configuration.
    2. Select Scope > Impala StateStore.
    3. Select Category > Main.
    4. Select or clear Enable StateStore Web Server.
    5. Click Save Changes, and restart the Impala service.
  • Impala Catalog Server
    1. Navigate to Clusters > Impala Service > Configuration.
    2. Select Scope > Impala Catalog Server.
    3. Select Category > Main.
    4. Check or clear Enable Catalog Server Web Server.
    5. Click Save Changes, and restart the Impala service.

Configuring Secure Access for Impala Web Servers

Cloudera Manager supports two methods of authentication for secure access to the Impala Catalog Server, Impala Daemon, and StateStore web servers: password-based authentication and SPNEGO authentication.

Authentication for the three types of daemons can be configured independently.

Configuring Password Authentication

  1. Navigate to Clusters > Impala Service > Configuration.
  2. Search for "password" using the Search box in the Configuration tab. This should display the password-related properties (Username and Password properties) for the Impala Daemon, StateStore, and Catalog Server. If there are multiple role groups configured for Impala Daemon instances, the search should display all of them.
  3. Enter a username and password into these fields.
  4. Click Save Changes, and restart the Impala service.

Now when you access the Web UI for the Impala Daemon, StateStore, or Catalog Server, you are asked to log in before access is granted.

Enabling Kerberos HTTP SPNEGO Authentication for Web UI

To provide security through Kerberos, Impala Web UIs support SPNEGO. SPNEGO is a protocol for securing HTTP requests with Kerberos by passing negotiation tokens through HTTP headers.

To enable authorization using SPNEGO in Cloudera Manager:

  1. Navigate to Clusters > Impala Service > Configuration.
  2. Select Scope > Impala 1 (Service-Wid).
  3. Select the Enable Kerberos Authentication for HTTP Web-Consoles field.

    This setting is effective only Kerberos is enabled for the HDFS service.

  4. Click Save Changes, and restart the Impala service.

Configuring TLS/SSL for Web UI

  1. Create or obtain an TLS/SSL certificate.
  2. Place the certificate, in .pem format, on the hosts where the Impala Catalog Server and StateStore are running, and on each host where an Impala Daemon is running. It can be placed in any location (path) you choose. If all the Impala Daemons are members of the same role group, then the .pem file must have the same path on every host.
  3. Navigate to Clusters > Impala Service > Configuration.
  4. Search for "certificate" using the Search box in the Configuration tab. This should display the certificate file location properties for the Impala Catalog Server, Impala Daemon, and StateStore. If there are multiple role groups configured for Impala Daemon instances, the search should display all of them.
  5. In the property fields, enter the full path name to the certificate file, the private key file path, and the password for the private key file..
  6. Click Save Changes, and restart the Impala service.

When you access the Web UI for the Impala Catalog Server, Impala Daemon, and StateStore, https will be used.

Opening Impala Web UIs

  1. Navigate to Clusters > Impala Service > Configuration.
  2. Open the appropriate Web UI:Select Web UI > Impala Catalog Web UI.
    • To open StateStore Web UI, select Web UI > Impala StateStore Web UI.
    • To open Catalog Server Web UI, select Web UI > Impala Catalog Web UI.
    • To open Impala Daemon Web UI:
      1. Click the Instances tab.
      2. Click an Impala Daemon instance.
      3. Click Impala Daemon Web UI.