Support Questions

Find answers, ask questions, and share your expertise

Disable Cloudera Management Debug WebUIs (Host Monitor, Service Monitor, Activity Monitor)

avatar
Expert Contributor

Hi community,

looking at security, I am in process of disabling any interfaces without proper authentication / authorization (or even encryption). I came across the debug web UIs of Cloudera Management services.

 

According to https://www.cloudera.com/documentation/enterprise/latest/topics/cm_ig_ports_cm.html, the debug WebUIs can be disabled by setting the port property to -1. This works for Reports Manager (8083), Event Server (8084), Navigator Audit Server (8089), Telemetry Publisher (10111).

 

This does not work, however, for  Service Monitor (8086 / 9086 TLS), Activity Monitor (8087 / 9087 TLS), Host Monitor (8091 / 9091 TLS). Setting port to -1 leads to non-starting services without a proper ERROR in the log file.

 

Cloudera Manager agent even tries to check, if the server successfully bound to port -1 and runs into errors:

[15/Aug/2019 12:06:03 +0000] 65646 Thread-14 process ERROR [918-cloudera-mgmt-HOSTMONITOR] Failed port check: Command '['ss', '-np', 'state', 'listening', '(', 'sport', '=', '-1', 'or', 'sport', '=', '9995', 'or', 'sport', '=', '9994', ')']' returned non-zero exit status 255

 

 

How do you disable the debug web UIs for those management services. Or is there a way to properly secure them by authentication and authorization?

 

Thanks and best regards

Benjamin

1 ACCEPTED SOLUTION

avatar
Master Collaborator

This was reported as a bug, and has already been fixed in CM 6.3.0, 6.2.1 as part of OPSAPS-49111

View solution in original post

3 REPLIES 3

avatar
Super Guru

It works for me on a CM 6.3. 

Which version are you using?

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

avatar
Expert Contributor
I am using CDH/CM 6.2. Will update the cluster and test again. However, according to the docs, it should already work since 5.14.

avatar
Master Collaborator

This was reported as a bug, and has already been fixed in CM 6.3.0, 6.2.1 as part of OPSAPS-49111