This topic describes how to configure security groups so that you can access open-source components in an E-MapReduce cluster. After a cluster is created, E-MapReduce binds several domain names to your cluster by default for you to access the following open-source components: YARN, HDFS, Spark, Ganglia, Hue, and Zeppelin.

Prerequisites

An Elastic IP Address (EIP) is assigned to the E-MapReduce cluster.

Grant access to a security group

If you use a component for the first time, follow these steps to grant access to the corresponding security group:

  1. Obtain your current public IP address.
    For security purposes, we recommend that you allow access only from your current public IP address when you configure a security group policy. To obtain your current public IP address, visit ip.taobao.com. Your public IP address is displayed in the lower-left corner.
  2. Add a security group policy.
    1. Log on to the Alibaba Cloud E-MapReduce console.
    2. In the top navigation bar, select the region where your cluster resides. Select the resource group as required. By default, all resources of the account appear.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page that appears, find the target cluster and click Details in the Actions column.
    5. In the Network Info section of the Cluster Overview page that appears, take note of the network type of the cluster and click the ID of the target security group.
    6. On the page that appears, click Add Security Group Rule in the upper-right corner and enable the required ports.
      Notice: Do not set Authorization Object to 0.0.0.0/0. Doing so opens the port to all IP addresses and may cause security issues.
      The following table lists the ports you need to enable for accessing the Web UIs of different components.
      Component                                            Port to be enabled
      YARN, HDFS, Spark History Server, Ganglia, Ranger    8443
      Zeppelin                                             8080
      Hue                                                  8888
      Note: After Ranger is deployed in your cluster, you can access the Web UI of Ranger.
      For example, you can follow these steps to enable port 8443:
      1. Click Add Security Group Rule.
      2. Set Port Range to 8443/8443.
      3. Set Authorization Object to the public IP address obtained in Step 1.
      4. Click OK.
      Note
      • If the network type of the cluster is VPC, set NIC Type to Internal Network and Rule Direction to Inbound. If the network type of the cluster is classic network, set NIC Type to Internet and Rule Direction to Inbound. In this topic, VPC is used as an example.
      • Follow the principle of least privilege when you configure inbound and outbound rules for applications. Enable only the ports required by your applications.
    7. View the policy on the Inbound tab.

      The network access is securely enabled and the network configuration is complete.
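
The following added example (not part of the original E-MapReduce documentation) audits a security group's inbound rules against the procedure above: it flags any rule that reaches port 8443, 8080, or 8888 from 0.0.0.0/0, from a source other than your single public IP address, or through a port range wider than one port. It assumes rules are dicts that use the ECS DescribeSecurityGroupAttribute field names (Direction, Policy, IpProtocol, PortRange, SourceCidrIp); the function name audit_rules and the sample rules are constructed for illustration.

```python
import ipaddress

UI_PORTS = {8443, 8080, 8888}  # Web UI ports listed in this topic

# Constructed sample rules; 203.0.113.0/24 is a documentation-only range.
SAMPLE_RULES = [
    {"Direction": d, "Policy": "Accept", "IpProtocol": "TCP", "PortRange": p, "SourceCidrIp": s}
    for d, p, s in [
        ("ingress", "8443/8443", "203.0.113.7"),     # matches the procedure
        ("ingress", "8080/8080", "0.0.0.0/0"),       # forbidden source
        ("ingress", "8000/9000", "203.0.113.7/32"),  # range wider than needed
        ("ingress", "22/22", "0.0.0.0/0"),           # not a Web UI port, out of scope
        ("egress", "8888/8888", "0.0.0.0/0"),        # outbound, out of scope
    ]
]


def audit_rules(permissions, my_ip):
    """Return (port_range, source, reason) for each inbound Accept rule that
    exposes a Web UI port more broadly than the procedure recommends."""
    me = ipaddress.ip_address(my_ip)
    findings = []
    for rule in permissions:
        if rule.get("Direction") != "ingress" or rule.get("Policy", "Accept").lower() != "accept":
            continue
        if rule.get("IpProtocol", "").upper() not in ("TCP", "ALL"):
            continue
        lo, hi = (int(p) for p in rule["PortRange"].split("/"))
        if lo == -1:  # "-1/-1" means all ports
            lo, hi = 1, 65535
        src = rule.get("SourceCidrIp") or ""
        if not src or not any(lo <= p <= hi for p in UI_PORTS):
            continue  # no CIDR source, or no Web UI port covered
        net = ipaddress.ip_network(src, strict=False)
        if net.prefixlen == 0:
            reason = "open to 0.0.0.0/0"
        elif net.num_addresses > 1:
            reason = "source is a range, not a single address"
        elif me not in net:
            reason = "source is not the current public IP"
        elif lo != hi:
            reason = "port range wider than one Web UI port"
        else:
            continue  # single port, single address, and it is yours
        findings.append((rule["PortRange"], src, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, "203.0.113.7"):
        print(finding)
```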

Access the Web UIs of open-source components

  1. Log on to the Alibaba Cloud E-MapReduce console.
  2. In the top navigation bar, select the region where your cluster resides. Select the resource group as required. By default, all resources of the account appear.
  3. Click the Cluster Management tab.
  4. On the Cluster Management page that appears, find the target cluster and click Details in the Actions column.
  5. In the left-side navigation pane of the Cluster Overview page that appears, click Connect Strings.
  6. On the Connect Strings page that appears, find the target component and click its link to access the Web UI of this component.
    Note
    • In V2.X.X versions later than V2.7.X or V3.X.X versions later than V3.5.X, you can use a Knox account to access the Web UIs of HDFS, YARN, Spark, and Ganglia. For more information about how to create a Knox account, see Manage users. For more information about how to use Knox, see Knox.
    • Enter the Hue username and password to access the Web UI of Hue. For more information about how to use Hue, see Hue.
    • You can directly access the Web UI of Zeppelin without a username and password.
    • After Ranger is deployed in your cluster, you can use the default username and password to access the Web UI of Ranger. For more information, see Overview.