This topic describes how to access the web UIs of open source components that are deployed in an E-MapReduce (EMR) cluster by configuring security group rules and access links.

Prerequisites

An EMR cluster is created. For more information, see Create a cluster.

Background information

Method: Access the web UIs of open source components by using Knox (recommended)
  Benefits:
  • You need to enable only some ports for the security group of the cluster.
  • You can use the user that is added to a cluster to perform identity authentication.
  Limits:
  • OpenLDAP and Knox must be deployed in the cluster.
  • You must enable port 8443 for the security group of the cluster.
Method: Access the web UIs of open source components by using the public IP address or the internal IP address of the master node
  Benefits:
  • You can access the web UIs of open source components without the need to add other services.
  Limits:
  • You must add security group rules based on the service ports that you want to access and enable a large number of ports.

Access the web UIs of open source components by using Knox (recommended)

Add a security group rule

The first time you use a component, you must perform the following steps to configure security group rules:

  1. Obtain the public IP address of your on-premises machine.
    For security purposes, we recommend that you allow access only from the current public IP address when you configure a security group rule. To obtain your current public IP address, visit IP address.
  2. Go to the cluster information page.
    1. Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. On the EMR on ECS page, click the ID in the Cluster ID column of the cluster that you want to view.
  3. Add security group rules.
    1. In the Security section of the Basic Information tab, click the link to the right of Cluster Security Group.
    2. On the Security Group Rules tab, enable the required ports.
      Important To prevent attacks from external users, we recommend that you do not set Authorization Object to 0.0.0.0/0.
      The following table describes the ports that are required to access the web UIs of different components.
      Component    Port
      YARN         8443
      HDFS         8443
      Spark        8443
      Ranger       8443
      Ganglia      8443
      Tez          8443
      Presto       8443
      Impala       8443
      For example, you can perform the following operations to enable port 8443:
      1. On the Security Group Rules tab, click Add Rule.
      2. Set Port Range to 8443/8443 and Authorization Object to the public IP address that you obtained in Step 1.
      3. Click Save in the Actions column.
      Note
      • If the network type of the cluster is VPC, set NIC Type to Internal Network and Rule Direction to Inbound. If the network type of the cluster is classic network, set NIC Type to Internet and Rule Direction to Inbound. In this topic, the VPC network type is used.
      • When you configure inbound and outbound rules for applications, follow the principle of least privilege. You can enable only the ports that are required by your applications.
    3. View the added rule on the Inbound tab.

      Network access is enabled and network configuration is complete.

Access the web UIs of open source components

  1. Go to the Access Links and Ports tab.
    1. Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. On the EMR on ECS page, find the desired cluster and click the name of the cluster.
    4. On the page that appears, click the Access Links and Ports tab.
  2. On the Access Links and Ports tab, find the component whose web UI you want to access and click the link of the web UI in the Access URL column.
    Important If you do not assign a public IP address to the master node of the cluster, you can access the web UIs of open source components only by using Knox. If you want to use a public IP address to access the web UIs of open source components, perform the following operations in this step.
    1. On the Nodes tab, click the desired node group and click the ID of the header-1 node in the Node Name/ID column.
    2. In the Elastic Compute Service (ECS) console, associate an elastic IP address (EIP) with the ECS instance of the header-1 node. For more information, see Associate or disassociate an EIP.
    3. Synchronize host information.
      1. On the Nodes tab, choose Cluster Operations > Synchronize Host Information in the upper-right corner.
      2. In the message that appears, click Off.

        On the Access Links and Ports tab, you can access the web UIs of open source components by using Knox.

  3. Use the added user for logon authentication and access the web UI of the corresponding open source component.
    Methods that can be used to access the web UIs of some special open source components:
    • Access the web UI of Ranger
      After Ranger is deployed in a cluster, you can use the default username and password of Ranger to access the web UI of Ranger. For more information, see Overview.
      Note For Hadoop clusters, the default username and password of Ranger are both admin. For DataLake clusters or custom clusters, the default username of Ranger is admin and the default password is admin1234.
    • Access the web UI of Flink (later minor versions earlier than EMR V3.29.0)
      In later minor versions earlier than EMR V3.29.0, you can access the web UI of Flink only by using an SSH tunnel. For more information, see Create an SSH tunnel to access web UIs of open source components.
      Note To access a Flink job on the web UI of YARN, go to the Access Links and Ports tab in the EMR console, and click the link of the YARN UI in the Access URL column. In the Hadoop console, click the ID of the Flink job to view the details of the Flink job.

Access the web UIs of open source components by using the public IP address or the internal IP address of the master node

Add a security group rule

  1. Obtain the public IP address of your on-premises machine.
    For security purposes, we recommend that you allow access only from the current public IP address when you configure a security group rule. To obtain your current public IP address, visit IP address.
  2. Go to the cluster information page.
    1. Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. On the EMR on ECS page, click the ID in the Cluster ID column of the cluster that you want to view.
  3. Add security group rules.
    1. In the Security section of the Basic Information tab, click the link to the right of Cluster Security Group.
    2. On the Security Group Rules tab, enable the required ports.
      Important The ports that are required vary based on the open source components whose web UIs you want to access. For more information, see the ports in the native internal IP address of the open source components. To prevent attacks from external users, we recommend that you do not set Authorization Object to 0.0.0.0/0.

      The following section provides an example of how to enable the port for HDFS. If the native internal IP address of HDFS is https://{Internal IP address of the host}:50070, you must enable port 50070 for the security group.

      1. On the Security Group Rules tab, click Add Rule.
      2. Set Port Range to 50070/50070 and Authorization Object to the public IP address that you obtained in Step 1.
      3. Click Save in the Actions column.
      Note
      • If the network type of the cluster is VPC, set NIC Type to Internal Network and Rule Direction to Inbound. If the network type of the cluster is classic network, set NIC Type to Internet and Rule Direction to Inbound. In this topic, the VPC network type is used.
      • When you configure inbound and outbound rules for applications, follow the principle of least privilege. You can enable only the ports that are required by your applications.
    3. View the added rule on the Inbound tab.
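
The recommendations in both "Add a security group rule" procedures (a single port per rule, no 0.0.0.0/0, source limited to your own public IP address) can be checked against an exported list of inbound rules. The following Python code is an added example, not part of the EMR documentation; the rule field names, the audit_ingress function and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

WEB_UI_PORTS = {8443, 50070}  # Knox and the HDFS web UI, as used on this page

def audit_ingress(rules, allowed_sources, ports=WEB_UI_PORTS):
    """Return (port_range, source, reason) for risky inbound rules.

    Rule keys (Direction, Policy, IpProtocol, PortRange, SourceCidrIp) are an
    assumed shape for an exported rule list; adjust them to your export.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_sources]
    findings = []
    for r in rules:
        if r["Direction"].lower() != "ingress" or r["Policy"].lower() != "accept":
            continue
        if r["IpProtocol"].lower() not in ("tcp", "all"):
            continue
        low, high = (int(p) for p in r["PortRange"].split("/"))
        if low == -1:  # "-1/-1" is treated as "all ports"
            low, high = 1, 65535
        if not any(low <= p <= high for p in ports):
            continue  # rule does not expose a web UI port
        src = ipaddress.ip_network(r["SourceCidrIp"], strict=False)
        if src.prefixlen == 0:
            reason = "open to any source"
        elif not any(a.version == src.version and src.subnet_of(a) for a in allowed):
            reason = "source not in allow list"
        elif high > low:
            reason = "range wider than one port"
        else:
            continue  # single port, approved source
        findings.append((r["PortRange"], r["SourceCidrIp"], reason))
    return findings

def _rule(port_range, source, direction="ingress", proto="TCP"):
    return {"Direction": direction, "Policy": "Accept", "IpProtocol": proto,
            "PortRange": port_range, "SourceCidrIp": source}

# Constructed sample rules (documentation-range addresses), not real cluster data.
SAMPLE_RULES = [
    _rule("8443/8443", "203.0.113.10/32"),    # matches the page's guidance
    _rule("50070/50070", "0.0.0.0/0"),        # HDFS UI open to everyone
    _rule("8000/9000", "203.0.113.10/32"),    # covers 8443 but far too wide
    _rule("8443/8443", "198.51.100.0/24"),    # source outside the allow list
    _rule("22/22", "0.0.0.0/0"),              # not a web UI port, out of scope
    _rule("-1/-1", "0.0.0.0/0", direction="egress", proto="ALL"),
]

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_RULES, ["203.0.113.10/32"]):
        print(finding)
```
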

Access the web UIs of open source components

  1. Go to the Access Links and Ports tab.
    1. Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. On the EMR on ECS page, find the desired cluster and click the name of the cluster.
    4. On the page that appears, click the Access Links and Ports tab.
  2. On the Access Links and Ports tab, find the component whose web UI you want to access and click the link of the web UI in the Access URL column.