This topic describes how to configure security group rules and access the web UIs of open source components in an E-MapReduce (EMR) cluster. After you create a cluster, EMR binds several domain names to the cluster for you to access the web UIs of open source components.

Prerequisites

An elastic IP address (EIP) is associated with the EMR cluster.

Configure security group rules

If you use a component for the first time, you must perform the following steps to configure security group rules:

  1. Obtain the public IP address of your on-premises machine.
    For security purposes, we recommend that you allow only access from the current public IP address when you configure a security group rule. To obtain your current public IP address, visit myip.ipip.net. You can view your public IP address.
  2. Add security group rules.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page, find your cluster and click Details in the Actions column.
    5. In the Network Info section of the Cluster Overview page, record the value of Network Type and click the link of Security Group ID.
    6. Enable the required ports.
      Notice To prevent attacks from external users, you are not allowed to set Authorization Object to 0.0.0.0/0.
      The following table lists the ports you need to enable to access the web UIs of different components.
      Component Port
      YARN 8443
      Note After Ranger is deployed in your cluster, you can access the web UI of Ranger.
      HDFS
      Spark History Server
      Ganglia
      Oozie
      Tez
      Impala Catalogd
      Impala Statestored
      Storm
      Ranger
      Flink-Vvp
      Zeppelin 8080
      Hue 8888
      For example, you can perform the following operations to enable port 8443:
      1. On the Inbound tab of the Security Group Rules page, click Add Security Group Rule.
      2. In the dialog box that appears, set Port Range to 8443/8443.
      3. Set Authorization Object to the public IP address obtained in Step 1.
      4. Click OK.
      Note
      • If the network type of the cluster is VPC, set NIC Type to Internal Network and Rule Direction to Inbound. If the network type of the cluster is classic network, set NIC Type to Internet and Rule Direction to Inbound. In this topic, the VPC network type is used as an example.
      • When you configure inbound and outbound rules for applications, follow the principle of least privilege. Enable only the ports required by your applications.
    7. View the added rule on the Inbound tab.
      Rule configurations

      Network access is securely enabled and network configuration is complete.

Access the web UIs of open source components

  1. Log on to the Alibaba Cloud EMR console.
  2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
  3. Click the Cluster Management tab.
  4. On the Cluster Management page, find your cluster and click Details in the Actions column.
  5. In the left-side navigation pane of the Cluster Overview page, click Connect Strings.
  6. On the Connect Strings page, find the component whose web UI you want to access and click its link.
    • In V2.X.X versions later than V2.7.X or V3.X.X versions later than V3.5.X, you can use a Knox account to access the web UIs of open source components. For more information about how to create a Knox account, see Manage user accounts. For more information about how to use Knox, see Knox. To access the web UI of Hue, you must use the Hue username and password. For more information about how to use Hue, see Use Hue. You can directly access the web UI of Zeppelin without a username and password.
    • After Ranger is deployed in your cluster, you can use the default username and password to access the web UI of Ranger. For more information, see Overview.