This topic describes how to create an SSH tunnel to access the web UIs of open source components.

Prerequisites

  • An EMR cluster is created. For more information, see Create a cluster.
  • Port 22 is enabled for the security group to which your cluster belongs. To enable port 22, you can turn on Remote Logon during cluster creation or manually add security group rules after the cluster is created. For more information, see Add security group rules.
    Note When you add inbound security group rules, you must set Authorization Type to IPv4 CIDR Block and Port Range to 22/22.
  • Your computer is connected to the master node of the cluster. You can turn on Assign Public IP Address during cluster creation to associate an elastic IP address (EIP) with your cluster. Alternatively, you can assign a fixed public IP address or an EIP address to the master node of your cluster in the ECS console after the cluster is created. For more information, see Bind an ENI.

Background information

The ports over which you can access the web UIs of open source components are disabled for security purposes. The open source components include Hadoop, Spark, and Flink in an E-MapReduce (EMR) cluster. You can access these web UIs from the EMR console. You can also create an SSH tunnel on your local server and enable port forwarding to access these web UIs. Dynamic port forwarding and local port forwarding are supported.

To access the web UIs of open source components from the EMR console, see Access the web UIs of open source components.

Obtain the public IP address of the master node

  1. Log on to the Alibaba Cloud EMR console.
  2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
  3. Click the Cluster Management tab.
  4. On the Cluster Management page, find your cluster and click Details in the Actions column.
  5. In the Instance Info section of the Cluster Overview page, view the public IP address of the master node.
    IP

Obtain the name of the master node

  1. Log on to the Alibaba Cloud EMR console.
  2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
  3. Click the Cluster Management tab.
  4. On the Cluster Management page, find your cluster and click Details in the Actions column.
  5. In the left-side navigation pane of the Cluster Overview page, click Instances.
  6. On the Instances page, view the node name that corresponds to the public IP address of the master node.
    For information about how to obtain the public IP address of the master node, see Obtain the public IP address of the master node. header

Enable dynamic port forwarding

Create an SSH tunnel to allow communication between a port of your local server and the master node of an EMR cluster. Run the local SOCKS proxy server that listens on the port. The port data is forwarded to the master node of the EMR cluster by using the SSH tunnel.

  1. Create an SSH tunnel.
    • Use a key:
      ssh -i <Storage path of the key file> -N -D 8157 root@<Public IP address of the master node>
    • Use a username and password:
      ssh -N -D 8157 root@<Public IP address of the master node>
    Parameter description:
    • 8157: Port 8157 is used in this example. You can replace this port with an unoccupied port on your local server in actual configuration.
    • -D: Dynamic port forwarding is enabled. Start the SOCKS proxy process to listen on the port.
    • <Public IP address of the master node>: For more information about how to obtain the public IP address of the master node, see Obtain the public IP address of the master node.
    • <Storage path of the key file>: the path where the key file is stored.
  2. Configure the Google Chrome browser.
    Notice Keep your local server running after the tunnel is created. No responses are returned.

    You can use one of the following methods to configure the Google Chrome browser:

    • Use the CLI
      1. Open the CLI and go to the local installation directory of the Google Chrome browser client.

        The default installation directory of Google Chrome depends on the operating system.

        Operating system Google Chrome installation directory
        Mac OS X /Applications/Google Chrome.app/Contents/macOS/Google Chrome
        Linux /usr/bin/google-chrome
        Windows C:\Program Files (x86)\Google\Chrome\Application\
      2. Run the following command in the default installation directory of Google Chrome:
        chrome --proxy-server="socks5://localhost:8157" --host-resolver-rules="MAP * 0.0.0.0 , EXCLUDE localhost" --user-data-dir=/tmp/
        Parameter description:
        • /tmp/: For Windows, an example of a file directory is /c:/tmppath/. For Linux and macOS, the format of a file directory is /tmp/.
        • 8157: Port 8157 is used in this example. You can replace this port with an unoccupied port on your local server in actual configuration.
      3. Enter http://Name of the master node:Port number in the address bar of the browser and press Enter to access a specific web UI.

        For more information about the ports of components, see Configurations of cluster ports. For more information about how to obtain the name of the master node, see Obtain the name of the master node.

        For example, enter http://emr-header-1:8088 in the address bar of the browser and press Enter to access the web UI of YARN.

    • Use a Google Chrome extension

      Extensions allow you to easily manage and use proxies in your web browser. You can use an extension to browse web pages and access web UIs at the same time.

      1. Add the Google Chrome extension Proxy SwitchyOmega.
      2. Click this extension and select Options from the shortcut menu.
      3. On the SwitchyOmega page, click New profile in the left-side navigation pane. In the New Profile dialog box, enter a profile name, such as SSH tunnel, in the Profile name field and select PAC Profile.
      4. Enter the following content in the PAC Script editor:
        function regExpMatch(url, pattern) {    
          try { return new RegExp(pattern).test(url); } catch(ex) { return false; }    
        }
        
        function FindProxyForURL(url, host) {
            // Important: replace 172.31 below with the proper prefix for your VPC subnet
        
            if (shExpMatch(url, "*localhost*")) return "SOCKS5 localhost:8157";
            if (shExpMatch(url, "*emr-header*")) return "SOCKS5 localhost:8157";
            if (shExpMatch(url, "*emr-worker*")) return "SOCKS5 localhost:8157";
        
            return 'DIRECT';
        }
      5. In the left-side navigation pane, click Apply changes to complete the configurations.
      6. Open Google Chrome. Click the SwitchyOmega extension. Then, select the created SSH tunnel.
      7. Enter http://Name of the master node:Port number in the address bar of the browser and press Enter to access a specific web UI.

        For more information about the ports of components, see Configurations of cluster ports. For more information about how to obtain the name of the master node, see Obtain the name of the master node.

        For example, enter http://emr-header-1:8088 in the address bar of the browser and press Enter to access the web UI of YARN.

Enable local port forwarding

Notice If you use this method to access a web UI, you cannot go to the job details page.

You can use the local port forwarding method to forward data on a port of the master node to the local port and access the web application interface running on the master node. The SOCKS proxy is not required.

  1. Run the following command on your local server to create an SSH tunnel:
    • Use a key:
      ssh -i <Storage path of the key file> -N -L 8157:<Name of the master node>:8088 root@<Public IP address of the master node>
    • Use a username and password:
      ssh -N -L 8157:<Name of the master node>:8088 root@<Public IP address of the master node>
    Parameter description:
    • -L: Local port forwarding is enabled. You can specify a local port to forward data to the remote port that is hosted on the local web server of the master node.
    • 8088: the port that is used to access ResourceManager on the master node. You can replace this port as required.

      For more information about the ports of components, see Configurations of cluster ports. For more information about how to obtain the name of the master node, see Obtain the name of the master node.

    • 8157: Port 8157 is used in this example. You can replace this port with an unoccupied port on your local server in actual configuration.
    • <Public IP address of the master node>: For more information about how to obtain the public IP address of the master node, see Obtain the public IP address of the master node.
    • <Storage path of the key file>: the path where the key file is stored.
  2. Keep your machine running. Open a browser, enter http://localhost:8157/ in the address bar of the browser, and then press Enter.

Configurations of cluster ports

  • Hadoop HDFS
    Service Port Parameter
    NameNode 9000 fs.defaultFS or fs.default.name
    Note The fs.default.name parameter has expired but can still be used.
    50070 dfs.namenode.http-address or dfs.http.address
    Note The dfs.http.address parameter has expired but can still be used.
  • Hadoop YARN (MRv2)
    Service Port Parameter
    JobHistory Server 10020 mapreduce.jobhistory.address
    JobHistory Server 19888 mapreduce.jobhistory.webapp.address
    ResourceManager 8025 yarn.resourcemanager.resource-tracker.address
    ResourceManager 8032 yarn.resourcemanager.address
    ResourceManager 8030 yarn.resourcemanager.scheduler.address
    ResourceManager 8088 yarn.resourcemanager.webapp.address
  • Hadoop MapReduce (MRv1)
    Service Port Parameter
    JobTracker 8021 mapreduce.jobtracker.address
  • Hadoop HBase
    Service Port Parameter
    HMaster 16000 hbase.master.port
    HMaster 16010 hbase.master.info.port
    HRegionServer 16020 hbase.regionserver.port
    HRegionServer 16030 hbase.regionserver.info.port
    ThriftServer 9099 None
  • Hadoop Spark
    Service Port Parameter
    SparkHistory 18080 None
  • Superset
    Service Port Parameter
    Superset 18088 None
  • Storm
    Service Port Parameter
    Storm UI 9999 ui_port
  • Druid
    Service Port Parameter
    Overlord 18090 overlord.runtime > druid.plaintextPort
    Coordinator 18081 coordinator.runtime > druid.plaintextPort
    MiddleManager 18091 middleManager.runtime > druid.plaintextPort
    Historical 18083 historical.runtime > druid.plaintextPort
    Router 18888 router.runtime > druid.plaintextPort
    Broker 18082 broker.runtime > druid.plaintextPort