[
https://issues.apache.org/jira/browse/IMPALA-10010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17170605#comment-17170605
]
ASF subversion and git services commented on IMPALA-10010:
----------------------------------------------------------
Commit 34c2be0c3847103a6a7f0a7d66de8add285abc66 in impala's branch
refs/heads/master from Thomas Tauber-Marshall
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=34c2be0 ]
IMPALA-10010: Add option to configure metrics webserver
Currently, when security is turned on for the webui, eg. with
--webserver_require_ldap, authentication is applied to all webui
endpoints.
However, there are some endpoints that expose low-sensitivity info and
which are scraped by other systems that it may be difficult to get
credentials to in order to be able to authenticate.
This patch adds a flag, --metrics_webserver_port, which if specified
turns on an unsecured webserver that exposes only the /metrics,
/jsonmetrics, /metrics_prometheus for all Impala daemons. Impalads
also have the /healthz endpoint exposed.
Testing:
- Added a test that turns on the metrics server and verifies its
reachable and unsecured.
Change-Id: Ibcf297d798a1a5c9cd59d4d82706d2d945e10d3d
Reviewed-on: http://gerrit.cloudera.org:8080/16270
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
> Allow unathenticated access to some webui endpoints
> ---------------------------------------------------
>
> Key: IMPALA-10010
> URL: https://issues.apache.org/jira/browse/IMPALA-10010
> Project: IMPALA
> Issue Type: Task
> Components: Clients
> Reporter: Thomas Tauber-Marshall
> Assignee: Thomas Tauber-Marshall
> Priority: Major
>
> Currently, when security is turned on for the webui, eg. with
> --webserver_require_ldap or --webserver_require_spnego, authentication is
> applied to all webui endpoints.
> However, there are some endpoints that expose low-sensitivity info, eg.
> /healthz, and which are scraped by other systems that it may be difficult to
> get credentials to in order to be able to authenticate, eg. a Kubernetes
> health check or prometheus monitoring. It would be useful to provide a way to
> allow unauthenticated access to those endpoints.
> One option would be to run another instance of the webserver on another port.
> This instance could be unsecured and only expose a few low-sensitivity
> endpoints. This would allow for a configuration where Impala is run in a
> private network and the main webserver port could be exposed externally, eg.
> through an nginx gateway, while keeping the port for the second webserver
> only available to internal systems.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
