Securing the Impala Web User Interface
The instructions in this section presume you are familiar with the .htpasswd mechanism commonly used to password-protect pages on web servers.
Password-protect the Impala web UI that listens on port 25000 by default. Set up a .htpasswd file in the $IMPALA_HOME directory, or start both the impalad and statestored daemons with the --webserver_password_file option to specify a different location (including the filename).
This file should only be readable by the Impala process and machine administrators, because it contains (hashed) versions of passwords. The username / password pairs are not derived from Unix usernames, Kerberos users, or any other system. The domain field in the password file must match the domain supplied to Impala by the new command-line option --webserver_authentication_domain. The default is mydomain.com.
Impala also supports using HTTPS for secure web traffic. To do so, set --webserver_certificate_file to refer to a valid .pem TLS/SSL certificate file. Impala will automatically start using HTTPS once the TLS/SSL certificate has been read and validated. A .pem file is basically a private key, followed by a signed TLS/SSL certificate; make sure to concatenate both parts when constructing the .pem file.
If Impala cannot find or parse the .pem file, it prints an error message and quits.
If the private key is encrypted using a passphrase, Impala will ask for that passphrase on startup, which is not useful for a large cluster. In that case, remove the passphrase and make the .pem file readable only by Impala and administrators.
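A pre-start check for the two files described above, added here as an example and not part of Impala or its documentation. It assumes password file entries use the htdigest-style layout user:domain:hash, and that administrators reach the files as owner, group, or root, so only permission bits for "other" users are flagged; the function names are hypothetical.

```python
import os
import re
import stat
import sys

PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def world_accessible(path):  # any permission bit set for "other" users
    return bool(stat.S_IMODE(os.stat(path).st_mode) & stat.S_IRWXO)

def audit_password_file(path, domain="mydomain.com"):
    """Assumes htdigest-style entries, one per line: user:domain:hash."""
    findings = []
    if world_accessible(path):
        findings.append("password file is accessible to all users")
    with open(path) as fh:
        for n, line in enumerate(fh, 1):
            fields = line.strip().split(":")
            if fields == [""]:
                continue  # blank line
            if len(fields) != 3:
                findings.append(f"line {n}: expected user:domain:hash")
            elif fields[1] != domain:
                findings.append(f"line {n}: domain {fields[1]!r} != {domain!r}")
    return findings

def audit_pem(path):
    """Check permissions, key/certificate presence and order, passphrase."""
    findings = []
    if world_accessible(path):
        findings.append("pem file is accessible to all users")
    with open(path) as fh:
        text = fh.read()
    labels = PEM_BEGIN.findall(text)
    keys = [i for i, lab in enumerate(labels) if lab.endswith("PRIVATE KEY")]
    certs = [i for i, lab in enumerate(labels) if lab == "CERTIFICATE"]
    if not keys:
        findings.append("no private key block")
    if not certs:
        findings.append("no certificate block")
    if keys and certs and keys[0] > certs[0]:
        findings.append("certificate precedes the private key")
    # PKCS#8 encrypted label, or the traditional OpenSSL encryption header
    if "ENCRYPTED PRIVATE KEY" in labels or "Proc-Type: 4,ENCRYPTED" in text:
        findings.append("private key is passphrase-protected")
    return findings

if __name__ == "__main__":  # usage: script.py <password file> <pem file>
    print("\n".join(audit_password_file(sys.argv[1]) + audit_pem(sys.argv[2])))
```

Pass the value given to --webserver_authentication_domain as the domain argument when it differs from the default.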
When you turn on TLS/SSL for the Impala web UI, the associated URLs change from http:// prefixes to https://. Adjust any bookmarks or application code that refers to those URLs.