docs/topics/impala_security_webui.xml - impala - Git at Google

 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 Licensed to the Apache Software Foundation (ASF) under one
 or more contributor license agreements.  See the NOTICE file
 distributed with this work for additional information
 regarding copyright ownership.  The ASF licenses this file
 to you under the Apache License, Version 2.0 (the
 "License"); you may not use this file except in compliance
 with the License.  You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing,
 software distributed under the License is distributed on an
 "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 KIND, either express or implied.  See the License for the
 specific language governing permissions and limitations
 under the License.
 -->
 <!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
 <concept rev="1.1" id="security_webui">

   <title>Securing the Impala Web User Interface</title>
   <prolog>
     <metadata>
       <data name="Category" value="Impala"/>
       <data name="Category" value="Troubleshooting"/>
       <data name="Category" value="Security"/>
       <data name="Category" value="Administrators"/>
     </metadata>
   </prolog>

   <conbody>

     <p>
       The instructions in this section presume you are familiar with the
       <xref href="http://en.wikipedia.org/wiki/.htpasswd" scope="external" format="html">
       <filepath>.htpasswd</filepath> mechanism</xref> commonly used to password-protect pages on web servers.
     </p>

     <p>
       Password-protect the Impala web UI that listens on port 25000 by default. Set up a
       <filepath>.htpasswd</filepath> file in the <codeph>$IMPALA_HOME</codeph> directory, or start both the
       <cmdname>impalad</cmdname> and <cmdname>statestored</cmdname> daemons with the
       <codeph>--webserver_password_file</codeph> option to specify a different location (including the filename).
     </p>

     <p>
       This file should only be readable by the Impala process and machine administrators, because it contains
       (hashed) versions of passwords. The username / password pairs are not derived from Unix usernames, Kerberos
       users, or any other system. The <codeph>domain</codeph> field in the password file must match the domain
       supplied to Impala by the new command-line option <codeph>--webserver_authentication_domain</codeph>. The
       default is <codeph>mydomain.com</codeph>.
 <!-- Password generator cited by Henry: <xref href="http://www.askapache.com/online-tools/htpasswd-generator/" scope="external" format="html"/> -->
     </p>

     <p>
       Impala also supports using HTTPS for secure web traffic. To do so, set
       <codeph>--webserver_certificate_file</codeph> to refer to a valid <codeph>.pem</codeph> TLS/SSL certificate file.
       Impala will automatically start using HTTPS once the TLS/SSL certificate has been read and validated. A
       <codeph>.pem</codeph> file is basically a private key, followed by a signed TLS/SSL certificate; make sure to
       concatenate both parts when constructing the <codeph>.pem</codeph> file.
 <!-- Certificate info cited by Henry: <xref href="http://www.akadia.com/services/ssh_test_certificate.html" scope="external" format="html"/>
 This page was very useful for creating a certificate and private key file;
 the last step which was missing was to append one file to the other to make the <codeph>.pem</codeph> file. -->
     </p>

     <p>
       If Impala cannot find or parse the <codeph>.pem</codeph> file, it prints an error message and quits.
     </p>

     <note>
       <p>
         If the private key is encrypted using a passphrase, Impala will ask for that passphrase on startup, which
         is not useful for a large cluster. In that case, remove the passphrase and make the <codeph>.pem</codeph>
         file readable only by Impala and administrators.
       </p>
       <p>
         When you turn on TLS/SSL for the Impala web UI, the associated URLs change from <codeph>http://</codeph>
         prefixes to <codeph>https://</codeph>. Adjust any bookmarks or application code that refers to those URLs.
       </p>
     </note>
   </conbody>
 </concept>
	<?xml version="1.0" encoding="UTF-8"?>
	<!--
	Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements. See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership. The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied. See the License for the
	specific language governing permissions and limitations
	under the License.
	-->
	<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
	<concept rev="1.1" id="security_webui">

	<title>Securing the Impala Web User Interface</title>
	<prolog>
	<metadata>
	<data name="Category" value="Impala"/>
	<data name="Category" value="Troubleshooting"/>
	<data name="Category" value="Security"/>
	<data name="Category" value="Administrators"/>
	</metadata>
	</prolog>

	<conbody>

	<p>
	The instructions in this section presume you are familiar with the
	<xref href="http://en.wikipedia.org/wiki/.htpasswd" scope="external" format="html">
	<filepath>.htpasswd</filepath> mechanism</xref> commonly used to password-protect pages on web servers.
	</p>

	<p>
	Password-protect the Impala web UI that listens on port 25000 by default. Set up a
	<filepath>.htpasswd</filepath> file in the <codeph>$IMPALA_HOME</codeph> directory, or start both the
	<cmdname>impalad</cmdname> and <cmdname>statestored</cmdname> daemons with the
	<codeph>--webserver_password_file</codeph> option to specify a different location (including the filename).
	</p>

	<p>
	This file should only be readable by the Impala process and machine administrators, because it contains
	(hashed) versions of passwords. The username / password pairs are not derived from Unix usernames, Kerberos
	users, or any other system. The <codeph>domain</codeph> field in the password file must match the domain
	supplied to Impala by the new command-line option <codeph>--webserver_authentication_domain</codeph>. The
	default is <codeph>mydomain.com</codeph>.
	<!-- Password generator cited by Henry: <xref href="http://www.askapache.com/online-tools/htpasswd-generator/" scope="external" format="html"/> -->
	</p>

	<p>
	Impala also supports using HTTPS for secure web traffic. To do so, set
	<codeph>--webserver_certificate_file</codeph> to refer to a valid <codeph>.pem</codeph> TLS/SSL certificate file.
	Impala will automatically start using HTTPS once the TLS/SSL certificate has been read and validated. A
	<codeph>.pem</codeph> file is basically a private key, followed by a signed TLS/SSL certificate; make sure to
	concatenate both parts when constructing the <codeph>.pem</codeph> file.
	<!-- Certificate info cited by Henry: <xref href="http://www.akadia.com/services/ssh_test_certificate.html" scope="external" format="html"/>
	This page was very useful for creating a certificate and private key file;
	the last step which was missing was to append one file to the other to make the <codeph>.pem</codeph> file. -->
	</p>

	<p>
	If Impala cannot find or parse the <codeph>.pem</codeph> file, it prints an error message and quits.
	</p>

	<note>
	<p>
	If the private key is encrypted using a passphrase, Impala will ask for that passphrase on startup, which
	is not useful for a large cluster. In that case, remove the passphrase and make the <codeph>.pem</codeph>
	file readable only by Impala and administrators.
	</p>
	<p>
	When you turn on TLS/SSL for the Impala web UI, the associated URLs change from <codeph>http://</codeph>
	prefixes to <codeph>https://</codeph>. Adjust any bookmarks or application code that refers to those URLs.
	</p>
	</note>
	</conbody>
	</concept>