Thomas Tauber-Marshall created IMPALA-10010:
-----------------------------------------------
Summary: Allow unathenticated access to some webui endpoints
Key: IMPALA-10010
URL: https://issues.apache.org/jira/browse/IMPALA-10010
Project: IMPALA
Issue Type: Task
Components: Clients
Reporter: Thomas Tauber-Marshall
Assignee: Thomas Tauber-Marshall
Currently, when security is turned on for the webui, eg. with
--webserver_require_ldap or --webserver_require_spnego, authentication is
applied to all webui endpoints.
However, there are some endpoints that expose low-sensitivity info, eg.
/healthz, and which are scraped by other systems that it may be difficult to
get credentials to in order to be able to authenticate, eg. a Kubernetes health
check or prometheus monitoring. It would be useful to provide a way to allow
unauthenticated access to those endpoints.
One option would be to run another instance of the webserver on another port.
This instance could be unsecured and only expose a few low-sensitivity
endpoints. This would allow for a configuration where Impala is run in a
private network and the main webserver port could be exposed externally, eg.
through an nginx gateway, while keeping the port for the second webserver only
available to internal systems.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
