Configuring Impala Web UI

Each of the Impala-related daemons includes a built-in web server that lets an administrator diagnose issues with each daemon on a particular host, or perform other administrative actions such as cancelling a running query. By default, these web servers are enabled. You might turn them off in a high-security configuration where it is not appropriate for users to have access to this kind of monitoring information through a web interface.

Enabling and Disabling Access to Impala Web Servers

To enable or disable Impala Web Servers for Web UI in Cloudera Manager:

  • Impala Daemon
    1. Navigate to Clusters > Impala Service > Configuration.
    2. Select Scope > Impala Daemon.
    3. Select Category > Ports and Addresses.
    4. Select or clear Enable Impala Daemon Web Server.
    5. Click Save Changes, and restart the Impala service.
  • Impala StateStore
    1. Navigate to Clusters > Impala Service > Configuration.
    2. Select Scope > Impala StateStore.
    3. Select Category > Main.
    4. Select or clear Enable StateStore Web Server.
    5. Click Save Changes, and restart the Impala service.
  • Impala Catalog Server
    1. Navigate to Clusters > Impala Service > Configuration.
    2. Select Scope > Impala Catalog Server.
    3. Select Category > Main.
    4. Check or clear Enable Catalog Server Web Server.
    5. Click Save Changes, and restart the Impala service.

Configuring Secure Access for Impala Web Servers

Cloudera Manager supports two methods of authentication for secure access to the Impala Catalog Server, Daemon, and StateStore web servers: password-based authentication and TLS/SSL certificate authentication.

Authentication for the three types of daemons can be configured independently.

Configuring Password Authentication

  1. Navigate to Clusters > Impala Service > Configuration.
  2. Search for "password" using the Search box in the Configuration tab. This should display the password-related properties (Username and Password properties) for the Impala Daemon, StateStore, and Catalog Server. If there are multiple role groups configured for Impala Daemon instances, the search should display all of them.
  3. Enter a username and password into these fields.
  4. Click Save Changes, and restart the Impala service.

Now when you access the Web UI for the Impala Daemon, StateStore, or Catalog Server, you are asked to log in before access is granted.

Configuring Kerberos HTTP SPNEGO Authentication for Web UI

To provide security through Kerberos, Impala Web UIs support SPNEGO. SPNEGO is a protocol for securing HTTP requests with Kerberos by passing negotiation tokens through HTTP headers.

To enable authentication using SPNEGO in Cloudera Manager:

  1. Navigate to Clusters > Impala Service > Configuration.
  2. Select Scope > Impala 1 (Service-Wide).
  3. In the Impala Command Line Argument Advanced Configuration Snippet (Safety Valve) field, type: webserver_require_spnego=true
  4. Click Save Changes, and restart the Impala service.

Configuring TLS/SSL Certificate Authentication

  1. Create or obtain a TLS/SSL certificate.
  2. Place the certificate, in .pem format, on the hosts where the Impala Catalog Server and StateStore are running, and on each host where an Impala Daemon is running. It can be placed in any location (path) you choose. If all the Impala Daemons are members of the same role group, then the .pem file must have the same path on every host.
  3. Navigate to Clusters > Impala Service > Configuration.
  4. Search for "certificate" using the Search box in the Configuration tab. This should display the certificate file location properties for the Impala Catalog Server, Impala Daemon, and StateStore. If there are multiple role groups configured for Impala Daemon instances, the search should display all of them.
  5. In the property fields, enter the full path name to the certificate file.
  6. Click Save Changes, and restart the Impala service.

When you access the Web UI for the Impala Catalog Server, Impala Daemon, and StateStore, https will be used.
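
To confirm after the restart that each web server is disabled, challenges for credentials, or serves over https as configured above, the following check can be run against one of your own hosts. It is an added example, not part of Cloudera's documentation or tooling. It assumes the default web UI ports (25000, 25010, 25020), and the names probe, classify, audit and SAMPLES are hypothetical.

```python
import http.client
import ssl
import urllib.error
import urllib.request

# Default Impala web UI ports; an assumption, adjust if your cluster overrides them.
DEFAULT_PORTS = {"impalad": 25000, "statestored": 25010, "catalogd": 25020}

def probe(host, port, cafile=None, timeout=5):
    """Send one unauthenticated GET, HTTPS first, then HTTP.
    Returns (scheme, status, lowercased headers); status is None if nothing answered."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: bundle for a private CA
    for scheme in ("https", "http"):
        try:
            with urllib.request.urlopen(f"{scheme}://{host}:{port}/",
                                        timeout=timeout, context=ctx) as resp:
                return scheme, resp.status, {k.lower(): v for k, v in resp.headers.items()}
        except urllib.error.HTTPError as err:  # 401 and other error statuses land here
            return scheme, err.code, {k.lower(): v for k, v in err.headers.items()}
        except (urllib.error.URLError, OSError, http.client.HTTPException):
            continue  # wrong scheme, untrusted certificate, or port closed
    return None, None, {}

def classify(scheme, status, headers):
    """Turn one unauthenticated response into a finding string."""
    if status is None:
        return "no web server reachable"
    tls = "tls" if scheme == "https" else "PLAINTEXT"
    # The first token of WWW-Authenticate names the scheme the server demands.
    challenge = headers.get("www-authenticate", "").split(" ", 1)[0].lower()
    if status == 401 and challenge:
        kind = "spnego" if challenge == "negotiate" else challenge
        return f"{tls}, auth required ({kind})"
    if 200 <= status < 400:
        return f"{tls}, OPEN without authentication"
    return f"{tls}, unexpected status {status}"

def audit(host, cafile=None):
    """Probe the three daemons' default ports on one host."""
    return {role: classify(*probe(host, port, cafile))
            for role, port in DEFAULT_PORTS.items()}

# Constructed sample responses (not captured from a real cluster).
SAMPLES = {
    "open": ("http", 200, {"content-type": "text/html"}),
    "password": ("http", 401, {"www-authenticate": 'Digest realm="example"'}),
    "spnego_tls": ("https", 401, {"www-authenticate": "Negotiate"}),
    "disabled": (None, None, {}),
}
```

A finding of "PLAINTEXT" next to "auth required" means credentials or negotiation tokens cross the network without TLS, so password or SPNEGO authentication should be paired with the certificate setting.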

Opening Impala Web UIs

  1. Navigate to Clusters > Impala Service > Configuration.
  2. Open the appropriate Web UI:
    • To open StateStore Web UI, select Web UI > Impala StateStore Web UI.
    • To open Catalog Server Web UI, select Web UI > Impala Catalog Web UI.
    • To open Impala Daemon Web UI:
      1. Click the Instances tab.
      2. Click an Impala Daemon instance.
      3. Click Impala Daemon Web UI.