All Products
Search

This Product

    E-MapReduce:Access open-source component web UIs from the console

    Document Center

    E-MapReduce:Access open-source component web UIs from the console

    Last Updated:Mar 26, 2026

    E-MapReduce (EMR) clusters expose web UIs for open-source components such as YARN, Hadoop Distributed File System (HDFS), Spark, and Flink. Three access methods are available. Choose based on your network environment and security requirements:

    Method Best for Port required Authentication
    Native UI address (simplest) Internal network; minimal setup Component-specific (e.g., 8088 for YARN) None
    Knox proxy (recommended for most users) Secure access; single port for all components 8443 Username and password
    SSH tunnel High-security or restricted networks SSH (22) SSH key

    This topic covers the native UI address and Knox proxy methods. For the SSH tunnel method, see Create an SSH tunnel to access the web UIs of open source components.

    Important

    Opening inbound ports in a security group creates a potential security exposure. Review each rule carefully and restrict the authorization object to the minimum required IP range.

    Prerequisites

    Before you begin, ensure that you have:

    Go to the Access Links and Ports tab

    The Access Links and Ports tab lists all open-source components and their access addresses.

    1. Log in to the EMR console. In the left-side navigation pane, click EMR on ECS.

    2. In the top navigation bar, select a region and a resource group.

    3. Find the target cluster and click its name in the Cluster ID/Name column.

    4. On the cluster details page, click the Access Links and Ports tab.

    Use the native UI address

    The native UI address gives direct browser access to a component's web UI. Enable the component's port in the security group, then open the address in a browser.

    Important

    The client and the EMR cluster nodes must be in the same internal network environment.

    Step 1: Enable a port

    1. Click the Basic Information tab.

    2. In the Security section, click the link next to Cluster Security Group to open the Security Group Details tab in the Elastic Compute Service (ECS) console.

    3. On the Inbound subtab, click Add Rule. Configure the following parameters and keep other parameters at their default values. For a full parameter reference, see Security group rules.

      Parameter Description Example
      Port range The port of the open-source component For YARN, enter 8088/8088. For other components, see Access the web UIs of open source components
      Authorization object The internal IP address of the client Enter the internal IP address of your client machine

    Step 2: Access the web UI

    1. On the Access Links and Ports tab, copy the native UI address of the target component.

    2. Open the address in a browser on your client. To verify connectivity on Linux, run:

      curl -L http://<IP-address>:<port>/

    Use the Knox proxy address

    Knox provides authenticated, single-port access to multiple component web UIs. Both internal and public access are supported.

    Supported components: YARN, HDFS, Spark 2, Spark 3, Flink, HBase, Impala, Trino, Presto, Tez, and Ranger.

    Note

    Some component versions have known Knox compatibility issues. See Troubleshooting for details.

    Step 1: Add Knox

    Skip this step if Knox is already deployed in your cluster.

    1. Click the Services tab.

    2. Click Add Service. In the Add Service panel, select KNOX and OpenLDAP, then click OK.

    3. After the services are added, go to the Access Links and Ports tab to confirm that the Knox proxy addresses appear.

    Step 2: (Optional) Associate an Elastic IP Address with the master node

    Skip this step if you only need internal Knox proxy access, or if an Elastic IP Address (EIP) is already associated with the master node.

    1. Click the Nodes tab.

    2. In the emr-master node group, click the image icon, then click the ID of the master-1-1 node.

    3. In the Configuration Information section, find Public IP Address and click Associate EIP. See EIPs for details.

    4. Back in the EMR console, click All Operations in the upper-right corner of the cluster details page, then click Synchronize Host Information in the Cluster Operation section.

    5. On the Access Links and Ports tab, confirm that the public Knox proxy addresses are now listed.

    Step 3: Enable port 8443

    Add port 8443 to the security group of your EMR cluster following the same steps in Step 1: Enable a port. Use these values:

    Parameter Value
    Port range 8443/8443
    Authorization object For public access, enter a public IP address. For internal access, enter the internal IP address of your client.
    Important

    For internal Knox proxy access, the client and EMR cluster nodes must be in the same internal network environment.

    Step 4: Add a user

    Access via Knox requires a valid username and password. Add a user on the Users tab. See Manage OpenLDAP users for instructions.

    Step 5: Access the web UI

    On the Access Links and Ports tab:

    • Public Knox proxy address: Click the public Knox proxy address of the target component. Enter the username and password on the login page.

    • Internal Knox proxy address: Click the internal Knox proxy address of the target component. Enter the username and password on the login page. To verify connectivity on Linux, run:

      curl -k -u <username>:<password> https://<internal-IP-address>:8443/gateway/cluster-topo/xx

    Access the Ranger web UI

    After Ranger is deployed, access its web UI using the default credentials. See Ranger for full configuration details.

    Cluster type EMR version Default username Default password
    DataLake clusters V3.44.0 or a later minor version, or V5.10.0 or a later minor version admin Admin1234
    DataLake clusters A minor version earlier than V3.44.0 or a minor version earlier than V5.10.0 admin admin1234
    Hadoop clusters (old data lake) Any admin admin

    If you forget the password, see the FAQ in the Ranger documentation.

    Access the Flink web UI (minor versions earlier than EMR V3.29.0)

    In EMR minor versions earlier than V3.29.0, the Flink web UI is only accessible via SSH tunnel. See Create an SSH tunnel to access the web UIs of open source components.

    Troubleshooting

    The Access Links and Ports tab is blank.

    Check for an overdue payment on your account. Settle any outstanding balance and wait a few minutes before refreshing.

    Unable to access a web UI via native UI address.

    Confirm that the client and the EMR cluster nodes are in the same internal network environment.

    The username and password page reappears after entering correct credentials.

    The OpenLDAP data may be corrupted. To repair it:

    1. On the Services tab, stop OpenLDAP.

    2. Log in to the master-1-1 node.

    3. Copy the repair_ldap_service.sh script to the master-1-1 node.

    4. Run the script as the root user: bash repair_ldap_service.sh

    5. In the upper-right corner of the OpenLDAP service page in the EMR console, choose More > Restart.

    Unable to access a web UI via Knox proxy.

    First, confirm port 8443 is open in the security group.

    If the port is open but access still fails, check whether the component version has a known Knox compatibility issue:

    • HBase deployed in EMR V5.10.X through V5.12.X

    • Presto and Trino deployed in EMR V5.10.X through V5.14.X

    For these combinations, use the native UI address or SSH tunnel instead.

    What username and password are required for Knox authentication?

    Use the username and password of a user added on the Users tab. See Manage OpenLDAP users.

    What's next