blob: efd23faca6ff13c49dabfb7f6a8ad6e3611c276d [file] [log] [blame]
<?xml version="1.0" encoding="UTF-8"?>
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
<concept rev="1.1" id="security_webui">
<title>Securing the Impala Web User Interface</title>
<data name="Category" value="Impala"/>
<data name="Category" value="Troubleshooting"/>
<data name="Category" value="Security"/>
<data name="Category" value="Administrators"/>
The instructions in this section presume you are familiar with the
<xref href="" scope="external" format="html">
<filepath>.htpasswd</filepath> mechanism</xref> commonly used to password-protect pages on web servers.
Password-protect the Impala web UI that listens on port 25000 by default. Set up a
<filepath>.htpasswd</filepath> file in the <codeph>$IMPALA_HOME</codeph> directory, or start both the
<cmdname>impalad</cmdname> and <cmdname>statestored</cmdname> daemons with the
<codeph>--webserver_password_file</codeph> option to specify a different location (including the filename).
This file should only be readable by the Impala process and machine administrators, because it contains
(hashed) versions of passwords. The username / password pairs are not derived from Unix usernames, Kerberos
users, or any other system. The <codeph>domain</codeph> field in the password file must match the domain
supplied to Impala by the new command-line option <codeph>--webserver_authentication_domain</codeph>. The
default is <codeph></codeph>.
<!-- Password generator cited by Henry: <xref href="" scope="external" format="html"/> -->
Impala also supports using HTTPS for secure web traffic. To do so, set
<codeph>--webserver_certificate_file</codeph> to refer to a valid <codeph>.pem</codeph> TLS/SSL certificate file.
Impala will automatically start using HTTPS once the TLS/SSL certificate has been read and validated. A
<codeph>.pem</codeph> file is basically a private key, followed by a signed TLS/SSL certificate; make sure to
concatenate both parts when constructing the <codeph>.pem</codeph> file.
<!-- Certificate info cited by Henry: <xref href="" scope="external" format="html"/>
This page was very useful for creating a certificate and private key file;
the last step which was missing was to append one file to the other to make the <codeph>.pem</codeph> file. -->
If Impala cannot find or parse the <codeph>.pem</codeph> file, it prints an error message and quits.
If the private key is encrypted using a passphrase, Impala will ask for that passphrase on startup, which
is not useful for a large cluster. In that case, remove the passphrase and make the <codeph>.pem</codeph>
file readable only by Impala and administrators.
When you turn on TLS/SSL for the Impala web UI, the associated URLs change from <codeph>http://</codeph>
prefixes to <codeph>https://</codeph>. Adjust any bookmarks or application code that refers to those URLs.