Details
-
Task
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
None
-
None
-
ghx-label-13
Description
Currently, when security is turned on for the webui, eg. with --webserver_require_ldap or --webserver_require_spnego, authentication is applied to all webui endpoints.
However, there are some endpoints that expose low-sensitivity info, eg. /healthz, and which are scraped by other systems that it may be difficult to get credentials to in order to be able to authenticate, eg. a Kubernetes health check or prometheus monitoring. It would be useful to provide a way to allow unauthenticated access to those endpoints.
One option would be to run another instance of the webserver on another port. This instance could be unsecured and only expose a few low-sensitivity endpoints. This would allow for a configuration where Impala is run in a private network and the main webserver port could be exposed externally, eg. through an nginx gateway, while keeping the port for the second webserver only available to internal systems.
Attachments
Issue Links
- is duplicated by
-
IMPALA-8900 Allow /healthz access without authentication
- Resolved