Uploaded image for project: 'IMPALA'
  1. IMPALA
  2. IMPALA-10010

Allow unathenticated access to some webui endpoints

    XMLWordPrintableJSON

    Details

    • Type: Task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: Impala 4.0
    • Component/s: Clients
    • Labels:
      None
    • Epic Color:
      ghx-label-13

      Description

      Currently, when security is turned on for the webui, eg. with --webserver_require_ldap or --webserver_require_spnego, authentication is applied to all webui endpoints.

      However, there are some endpoints that expose low-sensitivity info, eg. /healthz, and which are scraped by other systems that it may be difficult to get credentials to in order to be able to authenticate, eg. a Kubernetes health check or prometheus monitoring. It would be useful to provide a way to allow unauthenticated access to those endpoints.

      One option would be to run another instance of the webserver on another port. This instance could be unsecured and only expose a few low-sensitivity endpoints. This would allow for a configuration where Impala is run in a private network and the main webserver port could be exposed externally, eg. through an nginx gateway, while keeping the port for the second webserver only available to internal systems.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                twmarshall Thomas Tauber-Marshall
                Reporter:
                twmarshall Thomas Tauber-Marshall
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: