Configuring the web UI#
The topic provides an overview of configuring the Dell Data Analytics Engine, powered by Starburst Enterprise platform (SEP) web UI, and its associated functionality:
Enabling specific features
Persisting query data
Controlling access
Customizing the login
It brings together UI-related configuration information from several topics:
You do not need to understand the material in the preceding list in order to proceed. Instead, you may find that this topic provides a helpful introduction to those more detailed topics, in particular, the Starburst Enterprise web UI topic. The Starburst Enterprise web UI topic contains information on web UI-specific properties.
This topic assumes that you have secured your cluster with TLS. Default behaviors are different for unsecured clusters.
Introduction#
A basic version of the SEP web UI is enabled by default. It is accessed using the coordinator’s URL, as in the following examples:
https://sep.example.com/
http://sep.example.com:8080/
Initially, only the query editor and the following Insights screens and the
query editor are enabled for users in the sysadmin
role:
Overview
Query overview
Query details
Cluster history
Usage metrics
When a user logs in, their role is displayed in the upper right along with their
username. This role determines what screens are visible to them. The public
role by default has access to only the query editor and the Insights overview
screen. You can grant the public
role privileges for other screens as
described later in this topic as desired.
Users can switch roles in the UI, if any additional roles have been granted to them, by clicking on the role name under their user name in the upper right, and selecting Switch roles from the menu.
You must assume sysadmin
role in order to access the Settings menu option
in the upper right drop-down menu, which opens the Customize login and
License screens. Customizing your login screen is discussed later in this
topic. The License screen lists the features available with your license,
and lets you download the license file.
Both the public
and sysadmin
roles are built-in, and cannot be removed.
Web UI-specific configuration properties#
The web UI reference topic contains information on configuration properties for:
Changing maximum sizes for the logo and banner text
Persist query metadata#
Query metadata, which contains information related to query processing, is not
persisted by default. To persist query data between cluster restarts, you must
set insights.persistence-enabled=true
on the coordinator. This causes the
Query overview screen to access all query processing information that has
not been purged as part of Insights data retention settings.
Enable screens for specific features#
Certain screens are not visible to anyone unless their associated features have been enabled. These include:
Roles and privileges for built-in access control
Built-in access control audit log
Data products
Domain management for data products feature
Note
You must enable built-in access control in order to control access to certain screens, and to control who can create or edit a data domain or data product.
Built-in access control#
SEP’s built-in access control can be used to provide role-based access
control (RBAC) for data sources, for controlling access to data products
functionality, and for web UI screen access control. It can be used alone or
alongside an existing third-party RBAC tool such as Apache Ranger. It must be
{ref}enabled separately . Once enabled, the **Roles and privileges** screen appears in the web UI. From there, you can restrict or grant UI access to roles for specific screens with {ref}
UI entity privileges
You can additionally enable the built-in access control audit log feature and
its screen by setting starburst.access-control.audit.enabled=true
on the
coordinator once built-in access control is enabled. The audit log covers all
access control changes made through the built-in access control system, not just
UI access control changes.
Data products#
SEP’s data products feature is not enabled by default. It must be enabled separately. Once enabled, the Data products and Domain management screens appear in the web UI.
Web UI access control#
Once the built-in access control system is enabled, access control for the web
UI is accomplished mainly in the UI itself through the use of the
Roles and privileges screen. Initially, users must be granted the sysadmin
role through a configuration property so that they can access the
Roles and privileges screen.
Initial role grants for administrators#
The sysadmin
role is initially not granted to any users. To add trusted users
to the role initially, you must list them in the
starburst.access-control.authorized-users
property on the coordinator, or
include them in a group configured in the
starburst.access-control.authorized-groups
property, also on the coordinator.
Once your initial sysadmin
members have been established, they can add or
remove users from roles through the Roles screen in the web UI by selecting
the sysadmin
user, and clicking the Assign icon.
Users granted the sysadmin
role through the UI are not added to the
starburst.access-control.authorized-users
or
starburst.access-control.authorized-groups
properties. Rather, the list of
users added through the UI is maintained separately, and is in addition to the
users specified via those configuration properties. The set of users specified
via the configuration properties takes precedence over the list of users added
through the UI.
The built-in sysadmin
role is granted all UI privileges, and its privileges
are not modifiable.
Control access for other users#
As with any RBAC-based system, roles are granted to users, and privileges are granted to roles. SEP’s built-in access control system is no different. Along with the ability to provide access control for data sources, it also provides UI entities that represent the various screens in the web UI. These UI entity privileges are granted the normal way through the Roles and privileges screen.
For example, you can create a role called insights_users
, add the desired list
of users to that role, click the Details icon, and then click the Add
privileges button. In the Add privileges screen that results, select the
User interface radio button for the privilege type.
Next, check the Overview, Query overview, Cluster history, and
Usage metrics checkboxes from the dropdown. Ensure that Allow and
Show are selected, and click Save privileges. All users granted the
insights_users
role now have access to those screens.
Note
You can also create a role to explicitly deny access to certain screens for certain users using a Deny policy. Deny policies override any Allow privileges for a given entity and role.
Login screen#
The behavior and look of the login screen are affected by your authentication method and by available customizations.
Authentication#
The authentication flow in the web UI depends upon your cluster’s configured
authentication method. If your organization uses one of the supported SSO
options to authenticate users, the login screen contains a Sign in with SSO
button instead of username and password fields. No action beyond configuring the
http-server.authentication.type
and web-ui.authentication.type
properties on
the coordinator is required.
Customize the login screen#
Customizations are available for the login screen itself no matter what
authentication screen is presented. You must assume the the sysadmin
in order
to access the Settings menu option in the collapsed caret menu in the upper
right, which opens the Customized Login screen.
In the customized login screen, you can upload a logo and add or delete a banner message.