This topic describes how to configure security group rules and access the web UIs of open source components in an E-MapReduce (EMR) cluster. After you create a cluster, EMR binds several domain names to the cluster for you to access the web UIs of open source components.

Prerequisites

An EMR cluster is created. For more information, see Create a cluster.
Note An elastic IP address (EIP) is associated with the EMR cluster.

Configure security group rules

If you use a component for the first time, you must perform the following steps to configure security group rules:

  1. Obtain the public IP address of your on-premises machine.
    For security purposes, we recommend that you allow only access from the current public IP address when you configure a security group rule. To obtain your current public IP address, visit http://myip.ipip.net/. You can view your public IP address.
  2. Add security group rules.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page, find your cluster and click Details in the Actions column.
    5. In the Network Info section of the Cluster Overview page, record the value of Network Type and click the link of Security Group ID.
    6. Enable the required ports.
      Notice To prevent attacks from external users, you are not allowed to set Authorization Object to 0.0.0.0/0.
      The following table lists the ports you need to enable to access the web UIs of different components.
      Component Port
      YARN UI 8443
      Note After Ranger is deployed in your cluster, you can access the web UI of Ranger.
      HDFS UI
      Spark History Server UI
      Ganglia UI
      Oozie
      Tez
      ImpalaCatalogd
      ImpalaStatestored
      Storm
      Ranger UI
      Zeppelin 8080
      Hue 8888
      For example, you can perform the following operations to enable port 8443:
      1. On the Security Group Rules page, click Add Security Group Rule in the upper-right corner.
      2. In the Add Security Group Rule dialog box, set Port Range to 8443/8443.
      3. Set Authorization Object to the public IP address obtained in Step 1.
      4. Click OK.
      Note
      • If the network type of the cluster is VPC, set NIC Type to Internal Network and Rule Direction to Inbound. If the network type of the cluster is classic network, set NIC Type to Internet and Rule Direction to Inbound. In this topic, the VPC network type is used.
      • When you configure inbound and outbound rules for applications, follow the principle of least privilege. Enable only the ports required by your applications.
    7. View the added rule on the Inbound tab.
      Rule configurations

      Network access is securely enabled and network configuration is complete.

Access the web UIs of open source components

  1. Log on to the Alibaba Cloud EMR console.
  2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
  3. Click the Cluster Management tab.
  4. On the Cluster Management page, find your cluster and click Details in the Actions column.
  5. In the left-side navigation pane of the Cluster Overview page, click Connect Strings.
  6. On the Public Connect Strings page, find the component whose web UI you want to access and click its link.
    • In V2.X.X versions later than V2.7.X or V3.X.X versions later than V3.5.X, you can use a Knox account to access the web UIs of open source components. For more information about how to create a Knox account, see Manage user accounts. For more information about how to use Knox, see Knox. To access the web UI of Hue, you must use the Hue username and password. For more information about how to use Hue, see Use Hue. You can directly access the web UI of Zeppelin without a username and password.
    • After Ranger is deployed in your cluster, you can use the default username and password to access the web UI of Ranger. For more information, see Overview.
    • You can access the web UI of Flink based on the version of your cluster:
      • Clusters of an EMR version earlier than V3.29.0:
        Use an SSH tunnel. For more information, see Create an SSH tunnel to access web UIs of open source components.
        Note To access a Flink job on the web UI of YARN, go to the Connect Strings page in the EMR console, and click the link for the YARN UI in the Connect String column. In the Hadoop console, click the ID of the Flink job to view the details of the Flink job. For more information about how to view the details of a job on the web UI of YARN, see Quick start.
      • Clusters of EMR V3.29.0 and later:
        • Flink-VVP: You can access the web UI of Flink-VVP from the EMR console. For more information, see Use Flink (VVR) on YARN.
        • Flink (VVR): You can access the web UI of Flink (VVR) by using an SSH tunnel. For more information, see Create an SSH tunnel to access web UIs of open source components.
          Note To access a Flink job on the web UI of YARN, go to the Connect Strings page in the EMR console, and click the link for the YARN UI in the Connect String column. In the Hadoop console, click the ID of the Flink job to view the details of the Flink job. For more information about how to view the details of a job on the web UI of YARN, see Quick start.