impala/docs/topics/impala_security_webui.xml
Jim Apple 3be0f122a5 IMPALA-3398: Add docs to main Impala branch.
These are refugees from doc_prototype. They can be rendered with the
DITA Open Toolkit version 2.3.3 by:

/tmp/dita-ot-2.3.3/bin/dita \
  -i impala.ditamap \
  -f html5 \
  -o $(mktemp -d) \
  -filter impala_html.ditaval

Change-Id: I8861e99adc446f659a04463ca78c79200669484f
Reviewed-on: http://gerrit.cloudera.org:8080/5014
Reviewed-by: John Russell <jrussell@cloudera.com>
Tested-by: John Russell <jrussell@cloudera.com>
2016-11-17 22:38:44 +00:00

67 lines
3.3 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
<concept rev="1.1" id="security_webui">
<title>Securing the Impala Web User Interface</title>
<prolog>
<metadata>
<data name="Category" value="Impala"/>
<data name="Category" value="Troubleshooting"/>
<data name="Category" value="Security"/>
<data name="Category" value="Administrators"/>
</metadata>
</prolog>
<conbody>
<p>
The instructions in this section presume you are familiar with the
<xref href="http://en.wikipedia.org/wiki/.htpasswd" scope="external" format="html">
<filepath>.htpasswd</filepath> mechanism</xref> commonly used to password-protect pages on web servers.
</p>
<p>
Password-protect the Impala web UI, which listens on port 25000 by default. Set up a
<filepath>.htpasswd</filepath> file in the <codeph>$IMPALA_HOME</codeph> directory, or start both the
<cmdname>impalad</cmdname> and <cmdname>statestored</cmdname> daemons with the
<codeph>--webserver_password_file</codeph> option to specify a different location (including the filename).
</p>
<p>
This file should be readable only by the Impala process and machine administrators, because it contains
(hashed) versions of passwords. The username / password pairs are not derived from Unix usernames, Kerberos
users, or any other system. The <codeph>domain</codeph> field in the password file must match the domain
supplied to Impala by the new command-line option <codeph>--webserver_authentication_domain</codeph>. The
default is <codeph>mydomain.com</codeph>.
<!-- Password generator cited by Henry: <xref href="http://www.askapache.com/online-tools/htpasswd-generator/" scope="external" format="html"/> -->
</p>
<p>
Impala also supports using HTTPS for secure web traffic. To do so, set
<codeph>--webserver_certificate_file</codeph> to refer to a valid <codeph>.pem</codeph> TLS/SSL certificate file.
Impala will automatically start using HTTPS once the TLS/SSL certificate has been read and validated. A
<codeph>.pem</codeph> file is basically a private key, followed by a signed TLS/SSL certificate; make sure to
concatenate both parts when constructing the <codeph>.pem</codeph> file.
<!-- Certificate info cited by Henry: <xref href="http://www.akadia.com/services/ssh_test_certificate.html" scope="external" format="html"/>
This page was very useful for creating a certificate and private key file;
the last step which was missing was to append one file to the other to make the <codeph>.pem</codeph> file. -->
</p>
<p>
If Impala cannot find or parse the <codeph>.pem</codeph> file, it prints an error message and quits.
</p>
<note>
<p>
If the private key is encrypted using a passphrase, Impala will ask for that passphrase on startup, which
is impractical for a large cluster. In that case, remove the passphrase and make the <codeph>.pem</codeph>
file readable only by Impala and administrators.
</p>
<p>
When you turn on TLS/SSL for the Impala web UI, the associated URLs change from <codeph>http://</codeph>
prefixes to <codeph>https://</codeph>. Adjust any bookmarks or application code that refers to those URLs.
</p>
</note>
</conbody>
</concept>
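
The topic above requires the `.pem` file to hold an unencrypted private key followed by the certificate, and to be unreadable by ordinary users. The following pre-start check is an added example, not part of the Impala documentation or code base; the function names and return codes are this example's own convention, and it treats any permission bit for "other" users as a failure.

```shell
#!/bin/sh
# Added example (not from the Impala docs): audit the file passed to
# --webserver_certificate_file before starting impalad or statestored.
# Function names and return codes are hypothetical, chosen for this example.

# Line number of the first line matching a pattern, or empty if none.
first_line() { grep -n -- "$1" "$2" | head -n 1 | cut -d: -f1; }

# 0 = ok, 1 = missing or unreadable, 2 = key or certificate missing, or in
# the wrong order, 3 = passphrase-protected key, 4 = accessible to "other".
check_pem() {
  pem=$1
  [ -r "$pem" ] || return 1

  # Encrypted keys appear either as PKCS#8 "ENCRYPTED PRIVATE KEY" or as a
  # traditional key block carrying a "Proc-Type: 4,ENCRYPTED" header.
  if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
             -e '^Proc-Type: 4,ENCRYPTED' "$pem"; then
    return 3
  fi

  # The page describes the layout as private key first, certificate second.
  key=$(first_line '^-----BEGIN .*PRIVATE KEY-----' "$pem")
  cert=$(first_line '^-----BEGIN CERTIFICATE-----' "$pem")
  [ -n "$key" ] && [ -n "$cert" ] && [ "$key" -lt "$cert" ] || return 2

  # Characters 8-10 of the ls mode string are the "other" permission bits.
  [ "$(ls -ld "$pem" | cut -c8-10)" = "---" ] || return 4
  return 0
}
```

Whether group access is acceptable depends on how the administrators' group is set up at your site, so the check leaves the group bits alone.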