Securing the Impala Web User Interface
The instructions in this section presume you are familiar with the .htpasswd mechanism commonly used to password-protect pages on web servers.
Password-protect the Impala web UI that listens on port 25000 by default. Set up a .htpasswd file in the $IMPALA_HOME directory, or start both the impalad and statestored daemons with the --webserver_password_file option to specify a different location (including the filename). This file should only be readable by the Impala process and machine administrators, because it contains (hashed) versions of passwords. The username / password pairs are not derived from Unix usernames, Kerberos users, or any other system. The domain field in the password file must match the domain supplied to Impala by the new command-line option
Impala also supports using HTTPS for secure web traffic. To do so, set --webserver_certificate_file to refer to a valid .pem TLS/SSL certificate file.
Impala will automatically start using HTTPS once the TLS/SSL certificate has been read and validated. A .pem file is basically a private key, followed by a signed TLS/SSL certificate; make sure to concatenate both parts when constructing the
If Impala cannot find or parse the .pem file, it prints an error message and quits.
If the private key is encrypted using a passphrase, Impala will ask for that passphrase on startup, which is not useful for a large cluster. In that case, remove the passphrase and make the file readable only by Impala and administrators.
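A pre-start check for the requirements above (password file and .pem file closed to group and other, consistent domain fields, private key before certificate, no passphrase), as an added example that is not part of the Impala documentation. It assumes the password file uses the htdigest layout user:domain:hash and that administrators read the files as root; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-start check for the Impala web UI credential files.
# Assumption: "readable only by Impala and administrators" is enforced as
# "no group/other permission bits" (administrators read the file as root).

# Succeeds only if the file has no group or other permission bits set.
owner_only() {
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Prints one line per problem found; returns 0 only if the file is usable.
check_webserver_pem() {
    pem=$1
    [ -r "$pem" ] || { echo "missing or unreadable: $pem"; return 1; }
    rc=0
    owner_only "$pem" || { echo "group/other can access $pem"; rc=1; }
    # Walk the PEM armor lines and record the order of the first key and
    # certificate blocks, plus whether the key is passphrase-protected.
    layout=$(awk '
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----/ { enc = 1 }
        /^Proc-Type: 4,ENCRYPTED/                { enc = 1 }
        /^-----BEGIN .*PRIVATE KEY-----/         { if (!key) key = ++n }
        /^-----BEGIN CERTIFICATE-----/           { if (!cert) cert = ++n }
        END { printf "%d %d %d", key, cert, enc }' "$pem")
    set -- $layout
    [ "$1" -ne 0 ] || { echo "no private key block"; rc=1; }
    [ "$2" -ne 0 ] || { echo "no certificate block"; rc=1; }
    if [ "$1" -ne 0 ] && [ "$2" -ne 0 ] && [ "$1" -gt "$2" ]; then
        echo "certificate precedes private key"; rc=1
    fi
    [ "$3" -eq 0 ] || { echo "private key is passphrase-protected"; rc=1; }
    return $rc
}

# Checks permissions, then lists users whose domain field differs from $2.
# Assumption: entries use the htdigest layout user:domain:hash.
check_password_file() {
    owner_only "$1" || { echo "group/other can access $1"; return 1; }
    bad=$(awk -F: -v d="$2" 'NF && $2 != d { print $1 }' "$1")
    [ -z "$bad" ] || { echo "domain mismatch for: $bad"; return 1; }
}
```

Run both functions as the user that starts impalad and statestored, so the readability test reflects what the daemons will see.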
When you turn on TLS/SSL for the Impala web UI, the associated URLs change from http:// to https://. Adjust any bookmarks or application code that refers to those URLs.