Uploaded image for project: 'IMPALA'
  1. IMPALA
  2. IMPALA-10010

Allow unathenticated access to some webui endpoints

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Task
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • Impala 4.0.0
    • Clients
    • None
    • ghx-label-13

    Description

      Currently, when security is turned on for the webui, eg. with --webserver_require_ldap or --webserver_require_spnego, authentication is applied to all webui endpoints.

      However, there are some endpoints that expose low-sensitivity info, eg. /healthz, and which are scraped by other systems that it may be difficult to get credentials to in order to be able to authenticate, eg. a Kubernetes health check or prometheus monitoring. It would be useful to provide a way to allow unauthenticated access to those endpoints.

      One option would be to run another instance of the webserver on another port. This instance could be unsecured and only expose a few low-sensitivity endpoints. This would allow for a configuration where Impala is run in a private network and the main webserver port could be exposed externally, eg. through an nginx gateway, while keeping the port for the second webserver only available to internal systems.

      Attachments

        Issue Links

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            twmarshall Thomas Tauber-Marshall
            twmarshall Thomas Tauber-Marshall
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment