Access the web UIs of open source components

You can access the web UIs of open source components that are deployed in an E-MapReduce (EMR) cluster on the Access Links and Ports tab of the cluster in the EMR console. This topic describes how to configure security group rules and access links to access the web UIs of open source components that are deployed in an EMR cluster.

Prerequisites

An EMR cluster is created. For more information, see Create a cluster.

Background information

Method	Benefit	Limit
Method 1: Access the web UIs of open source components by using Knox	You need to only enable specific ports for the security group of the cluster. You can use a user that is added to the cluster for identity authentication. For more information, see Manage user accounts.	You must deploy OpenLDAP and Knox in the cluster. You must enable port 8443 for the security group of the cluster. Important If you want to access the web UIs of open source components by using the internal Knox proxy address, you must also make sure that the client resides in the same internal network environment as nodes in your EMR cluster. The following services are supported: Services in a DataLake cluster: Hadoop Distributed File System (HDFS), YARN, Tez, Spark, HBase, Flink, Impala, Trino, and Kudu Services in a Hadoop cluster: HDFS, YARN, Tez, Gangla, Spark, Oozie, HBase, Flink, Impala, Presto, and Kudu
Method 2: Access the web UIs of open source components by using internal IP addresses	You do not need to deploy the Knox service.	The client that you use must be in the same internal network environment as nodes in your EMR cluster. You must add security group rules based on the service ports that you want to access.

Method 1: Access the web UIs of open source components by using Knox

Add a security group rule

The first time you use a component, perform the following steps to configure security group rules:

Obtain the public IP address of your on-premises machine.
For security purposes, we recommend that you allow access only from the current public IP address when you configure a security group rule. To obtain the current public IP address, visit https://myip.ipip.net/.
Go to the Basic Information tab of the desired cluster.
1. Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.
2. In the top navigation bar, select the region in which your cluster resides and select a resource group based on your business requirements.
3. On the EMR on ECS page, find the desired cluster and click the name of the cluster in the Cluster ID/Name column.
Add a security group rule.
1. In the Security section of the Basic Information tab, click the link to the right of Cluster Security Group.
2. On the Security Group Details tab, enable port 8443.
  Important
  To prevent attacks from external users, we recommend that you do not set the Authorization Object parameter to 0.0.0.0/0.
  1. On the Security Group Details tab, click Add Rule.
  2. Set the Port Range parameter to 8443/8443 and the Authorization Object parameter to the public IP address that you obtained in Step 1.
  3. Click Save in the Actions column.
  Note
  If the network type of the cluster is VPC, set the NIC Type parameter to Internal Network and the Rule Direction parameter to Inbound. If the network type of the cluster is classic network, set the NIC Type parameter to Internet and the Rule Direction parameter to Inbound. In this topic, the VPC network type is used.
  When you configure inbound and outbound rules for applications, follow the principle of least privilege. We recommend that you enable only the ports that are required by your applications.
3. View the added rule.
  After you complete the configuration, network access is enabled in a secure manner.

Go to the Access Links and Ports tab.
1. Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.
2. In the top navigation bar, select the region in which your cluster resides and select a resource group based on your business requirements.
3. On the EMR on ECS page, find the desired cluster and click the name of the cluster in the Cluster ID/Name column.
4. On the page that appears, click the Access Links and Ports tab.
On the Access Links and Ports tab, find the component whose web UI you want to access and click the link in the Knox Proxy Address column.
Important
If you do not assign a public IP address to the master node of the cluster, you can access the web UIs of open source components only by using the internal Knox proxy address. If you want to use the public Knox proxy address to access the web UIs of open source components, perform the following steps.
1. On the Nodes tab, click the Plus icon to the left of the master node group. In the Node Name/ID column, click the ID of the master-1-1 node.
2. In the Elastic Compute Service (ECS) console, associate an elastic IP address (EIP) with the ECS instance of the master-1-1 node. For more information, see Associate or disassociate an EIP.
3. Synchronize host information.
  1. On the Nodes tab, choose All Operations > Synchronize Host Information in the upper-right corner.
  2. In the message that appears, click Off.
    On the Access Links and Ports tab, you can access the web UIs of open source components by using the public Knox proxy address.
Use an added user for logon authentication and access the web UI of the corresponding open source component.
For information about how to add a user, see Manage user accounts.
Access the web UIs of some special open source components.
- Access the web UI of Ranger
- Access the web UI of Flink (minor versions earlier than EMR V3.29.0)
  In minor versions earlier than EMR V3.29.0, you can access the web UI of Flink only by using an SSH tunnel. For more information, see Create an SSH tunnel to access web UIs of open source components.
  Note
  To access a Flink job on the web UI of YARN, go to the Access Links and Ports tab in the EMR console, and click the link of the YARN UI in the Knox Proxy Address column. In the Hadoop console, click the ID of the Flink job to view the details of the Flink job.

Method 2: Access the web UIs of open source components by using internal IP addresses

Add a security group rule

Obtain the internal IP address of your on-premises machine.
For security purposes, we recommend that you allow access only from the current internal IP address when you configure a security group rule.
Go to the Basic Information tab of the desired cluster.
1. Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.
2. In the top navigation bar, select the region in which your cluster resides and select a resource group based on your business requirements.
3. On the EMR on ECS page, click the name of the cluster in the Cluster ID/Name column of the cluster that you want to view.
Add a security group rule.
1. In the Security section of the Basic Information tab, click the link to the right of Cluster Security Group.
2. On the Security Group Details tab, enable the required ports.
  Important
  To prevent attacks from external users, we recommend that you do not set the Authorization Object parameter to 0.0.0.0/0.
  The ports that are required vary based on the open source components whose web UIs you want to access. You can view the port of a service from its native UI address. The port number follows the IP address in the native UI address. The following steps describe how to enable the port of HDFS. The native UI address of HDFS is https://{Internal IP address of the host}:8088. Therefore, the port 8088 needs to be enabled for the security group.
  1. On the Security Group Details tab, click Add Rule.
  2. Set the Port Range parameter to 8088/8088 and the Authorization Object parameter to the internal IP address that you obtained in Step 1.
  3. Click Save in the Actions column.
  Note
  If the network type of the cluster is VPC, set the NIC Type parameter to Internal Network and the Rule Direction parameter to Inbound. If the network type of the cluster is classic network, set the NIC Type parameter to Internet and the Rule Direction parameter to Inbound. In this topic, the VPC network type is used.
  When you configure inbound and outbound rules for applications, follow the principle of least privilege. We recommend that you enable only the ports that are required by your applications.
3. View the added rule.

Access the web UIs of open source components

Go to the Access Links and Ports tab.
1. Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.
2. In the top navigation bar, select the region in which your cluster resides and select a resource group based on your business requirements.
3. On the EMR on ECS page, find the desired cluster and click the name of the cluster in the Cluster ID/Name column.
4. On the page that appears, click the Access Links and Ports tab.
On the Access Links and Ports tab, find the open source component whose web UI you want to access and click the link in the Native UI Address column.

FAQ

Why does the system have no response after I click the URL of an open source component?

If you use Knox to access the web UI of an open source component, you must enable port 8443 for the security group of the desired cluster. If you use the native UI address of an open source component to access the web UI of the component, you must enable the required port for the security group of the desired cluster. For more information about how to add a security group rule, see Add a security group rule.

What are the username and password for logon authentication?

Use an added user and the password that you specified for the user for logon authentication. For information about how to add a user, see Manage user accounts.

After I click the Access Links and Ports tab, the page that appears is blank. Why?

If no information is displayed on the page, check whether you have an overdue payment. If you have an overdue payment, you must settle the overdue payment first and wait for a period of time.
If no information is displayed in the Knox Proxy Address column, check whether the OpenLDAP and Knox services are deployed in your cluster.
If an exception occurs because the open source components are not adapted to Knox, purchase a cluster of a new version. The adaptation issue occurs in the following services:
- HBase that is deployed in EMR V5.10.X to V5.12.X. The adaptation issue is fixed in EMR V5.13.X and later minor versions.
- Presto and Trino that are deployed in EMR V5.10.X to V5.14.X. The adaptation issue is fixed in EMR V5.15.X and later minor versions.

References

If you have high security requirements or use a special network environment, you can create an SSH tunnel to access the web UIs of open source components. For more information, see Create an SSH tunnel to access web UIs of open source components.
For information about service-related issues, see FAQ.