Configuring Impala Web UI
As an administrator, you can diagnose issues with each daemon on a particular host, or perform other administrative actions such as cancelling a running query from the built-in web server's UI. The built-in web server is inlcuded within each of the Impala-related daemons. By default, these web servers are enabled. You can turn them off in a high-security configuration where it is not appropriate for users to have access to this kind of monitoring information through a web interface.
Enabling and Disabling Access to Impala Web Servers
By default, these web servers are enabled. You might turn them off in a high-security configuration where it is not appropriate for users to have access to this kind of monitoring information through a web interface.
To enable or disable Impala Web Servers for Web UI in Cloudera Manager:
- Impala Daemon
- Navigate to .
- Select .
- Select .
- Select or clear Enable Impala Daemon Web Server.
- Click Save Changes, and restart the Impala service.
- Impala StateStore
- Navigate to .
- Select .
- Select .
- Select or clear Enable StateStore Web Server.
- Click Save Changes, and restart the Impala service.
- Impala Catalog Server
- Navigate to .
- Select .
- Select .
- Check or clear Enable Catalog Server Web Server.
- Click Save Changes, and restart the Impala service.
Configuring Secure Access for Impala Web Servers
Cloudera Manager supports two methods of authentication for secure access to the Impala Catalog Server, Impala Daemon, and StateStore web servers: password-based authentication and SPNEGO authentication.
Authentication for the three types of daemons can be configured independently.
Configuring Password Authentication
- Navigate to .
- Search for "password" using the Search box in the Configuration tab. This should display the password-related properties (Username and Password properties) for the Impala Daemon, StateStore, and Catalog Server. If there are multiple role groups configured for Impala Daemon instances, the search should display all of them.
- Enter a username and password into these fields.
- Click Save Changes, and restart the Impala service.
Now when you access the Web UI for the Impala Daemon, StateStore, or Catalog Server, you are asked to log in before access is granted.
Enabling Kerberos HTTP SPNEGO Authentication for Web UI
To provide security through Kerberos, Impala Web UIs support SPNEGO. SPNEGO is a protocol for securing HTTP requests with Kerberos by passing negotiation tokens through HTTP headers.
To enable authorization using SPNEGO in Cloudera Manager:
- Navigate to .
- Select .
- Select the Enable Kerberos Authentication for HTTP
Web-Consoles field.
This setting is effective only Kerberos is enabled for the HDFS service.
- Click Save Changes, and restart the Impala service.
Configuring TLS/SSL for Web UI
- Create or obtain an TLS/SSL certificate.
- Place the certificate, in
.pem
format, on the hosts where the Impala Catalog Server and StateStore are running, and on each host where an Impala Daemon is running. It can be placed in any location (path) you choose. If all the Impala Daemons are members of the same role group, then the.pem
file must have the same path on every host. - Navigate to .
- Search for "certificate" using the Search box in the Configuration tab. This should display the certificate file location properties for the Impala Catalog Server, Impala Daemon, and StateStore. If there are multiple role groups configured for Impala Daemon instances, the search should display all of them.
- In the property fields, enter the full path name to the certificate file, the private key file path, and the password for the private key file.
- Click Save Changes, and restart the Impala service.
When you access the Web UI for the Impala Catalog Server, Impala
Daemon, and StateStore, https
will be used.