Starburst Enterprise web UI

This topic provides an overview of the features available in the web UI. The Starburst Enterprise web UI is the default web interface when you access an SEP cluster that has a valid license configured.

A cluster with no license configured shows the Trino web UI by default. The Trino UI lacks SEP features such as Insights, data products, the query editor, and domain management.

Direct URL access

Access the Starburst Enterprise web UI directly with the URL of your coordinator.

Now that this interface is the default for licensed clusters, there is no longer a need to append the /ui/insights context to your coordinator’s URL. Use simple URLs such as the following:

• https://sep.example.com/

• http://sep.example.com:8080/

• https://localhost:8443/

Authentication

On a TLS-enabled cluster, enter the credentials required by the cluster’s authentication method. Contact your site’s network administrator for your username, password, and other credentials as required by your cluster.

On a cluster with no security method enabled, the login screen shows a username field with a disabled password field. Enter any username to log in; no password is required or allowed.

Note

The login screen you encounter is determined only by the cluster’s security configuration, including TLS support, and is independent of license status. There is no separate security configuration for the Starburst Enterprise web UI.

Timeout properties

The web-ui.session-timeout configuration property controls the timeout interval in deployments not using an identity provider (IdP) for authentication. This property dictates how long a user authentication token is valid and can be considered the maximum amount of time a user can stay logged in to the Starburst Enterprise web UI without reauthenticating.

Deployments that use an IdP that substitutes for login credential forms, such as AzureAD and Okta, are subject to the session timeout defined in their IdP’s configuration.

When the timeout interval is reached, a dialog is displayed giving users the option to logout to exit the Starburst Enterprise web UI and return to the login screen, or to dismiss the dialog to stay on the current page without requesting new data. For example, if a session times out during a long-running query, the query is allowed to finish. Users can view and download the existing query result set in the query editor by clicking Dismiss in the modal dialog and then clicking Download, but cannot run a new query or navigate to another screen until logged back in.

The insights.user-inactivity-timeout configuration property tracks events such as clicks or keystrokes in the Starburst Enterprise web UI and automatically logs out a user when they are inactive for a set amount of time. This property is disabled by default and can be configured alongside the web-ui.session-timeout property. This property is typically used as an additional security feature by setting the inactivity timeout to a shorter duration than the session timeout.

To remain active, users must move the mouse or press a key. When the timeout interval is reached, a dialog is displayed with a 15 second countdown. If no action is taken before the countdown timer reaches 0, the user is logged out of the Starburst Enterprise web UI and returned to the login screen. Queries running in the background time out if the user is logged out due to inactivity.

Feature tabs

The feature column of the Starburst Enterprise web UI shows several tabs, described next.

At the bottom of this column, find the Version, Environment description, and Uptime of the connected cluster.

Use the ☰ button to collapse the feature column to icon form and restore it.

Query

The Query dropdown menu contains the Query editor tab, a web-based client interface for writing and executing SQL queries, and the Saved queries tab to save, manage, and share query tabs. The Shared with me tab lists query tabs that have been shared by other query owners to your assigned roles, and lets you preview and run queries in shared query tabs.

Data products

The Data products tab allows you to publish, find, and manage curated data assets in your organization.

Domain management

The Domain management tab allows you to manage grouping of your data products into domains that define your business.

Insights

Overview

The Overview tab is the default tab opened when the Starburst Enterprise web UI starts, and shows a summary of your cluster’s current activities.

Query overview

The Query overview tab shows a list of queries running or recently run on your cluster. Click a query ID to open the details for that query.

Cluster history

The Cluster history tab shows the resources consumed by your cluster when responding to recent queries, or for a specified time period.

Usage metrics

The Usage metrics tab provides an overview of the cluster usage over a specified period of time and a cost estimation tool.

Roles and privileges

SEP features an optional built-in role-based access control (RBAC) system that is integrated with the Starburst Enterprise web UI. If enabled, an authorized administrator can control users’ access to data on the Roles and privileges tab.

See Built-in access control overview for more information.

Dark and light mode

Click the toggle to switch between light and dark modes of the Starburst Enterprise web UI:

Help menu

The Help (?) menu includes the following helpful links for convenience:

• Web UI: Link to the Trino web UI

• Documentation: Link to the Insights documentation

• Authorization app: If configured by an administrator, links to the authorization app used in the cluster.

Authorization app

The Help menu can be configured to include a convenient link in Starburst Enterprise web UI that opens the UI of the cluster’s associated authorization app, if any.

The Help menu only contains the Authorization UI link if an administrator configures the coordinator’s config.properties with the insights.authorization-application.url property, using a value pointing to a valid URL for an authorization app such as Apache Ranger or the Privacera Platform.

You can replace the default “Authorization UI” text of this submenu by using the insights.authorization-application.label property.

The following table shows the configuration properties for the authorization app:

Authorization app configuration properties

Property name	Description
insights.authorization-application.url	UI URL of an authorization app associated with this cluster, such as Apache Ranger or the Privacera Platform.
insights.authorization-application.label	Name of the associated authorization app to appear in the Help menu. Default is Authorization UI.

The config.properties must still contain a valid ranger.policy-rest-url property for the cluster, which is the primary way to associate an authorization app with the cluster.

For example:

insights.authorization-application.url=https://ranger.example.com:6182/
insights.authorization-application.label=Lab Ranger

User menu

The user menu in the upper right shows the name of the currently logged-in user, as well as their currently applied roles.

Clicking on the Switch roles menu item brings up the Switch roles UI. The Switch roles UI allows users to switch between specific roles they have been granted, or to apply all roles that they have been granted. To apply all roles granted, click the * option in the Switch roles UI. This has the same effect as executing the SET ROLE ALL SQL statement.

The Log out option logs you out of the current session.

The Settings menu item is available to administrative users. Clicking on the Settings menu item brings up the Settings UI, with the following options:

• License - This tab displays all possible SEP features, including connectors, and their statuses based on your current license file. Your license file is available by clicking the Download current license button.

• Customize login - This tab allows you to add a logo and banner text.

The About option displays the SEP and JDK versions, as well as the environment.

Customize login

The Customize login screen allows you to upload a logo and create a banner message. You can choose to do one or both. You must press Save for changes to take effect. The user ID and last updated time is displayed next to the Save button.

Logo

The current logo file is displayed under the Logo upload area. To remove or replace the current logo, click the ⓧ icon. If no custom logo is in use, the Choose button is displayed.

Click the Choose button in the Logo upload file selector to open a local file browser and select the logo file to use. The selector lists the default maximum file size as well as the allowable formats.

The Starburst Enterprise web UI can be configured to allow larger file sizes by setting the following configuration property to the desired size in the coordinator’s config.properties file:

# value in KB; default is 100
sep-ui.security.company-logo-max-size=100

Banner message

Add text to the Banner messaging text field to create a short message of 300 characters or less. The banner message appears across the top of the login screen for logged out users.

The Starburst Enterprise web UI can be configured to allow more text by setting the following configuration property to the desired size in the coordinator’s config.properties file:

# value in chars; default is 300
sep-ui.security.banner-text-max-size=300

Client token authentication

The Starburst Enterprise web UI features an optional page that, if enabled, exposes a JWT token that can be used to connect to SEP with clients that support JWT authentication.

To enable this page, SEP must be configured with JWT authentication or OAuth 2.0 authentication authentication. Set the following configuration property to true in the coordinator’s config.properties file:

web-ui.token-copy.enabled=true

Users can access this page in a web browser by logging into the Starburst Enterprise web UI and navigating to the /ui/token URL, such as https://sep.example.com/ui/token.

Enable delegated Kerberos authentication

The Starburst Enterprise web UI supports delegated Kerberos authentication. If enabled, users can use Kerberos authentication with the Starburst Enterprise web UI to access data sources that support Kerberos credential pass-through.

To enable delegated Kerberos authentication, set the following configuration properties in the coordinator’s config.properties file:

http-server.authentication.type=DELEGATED-KERBEROS
http-server.authentication.krb5.service-name=HTTP
http-server.authentication.krb5.principal-hostname=${host_name}
http-server.authentication.krb5.keytab=${ENV:HTTP_SERVER_AUTHENTICATION_KRB5_KEYTAB}
web-ui.authentication.type=DELEGATED-KERBEROS

For any catalogs that are configured with Kerberos credential pass-through, set the http-server.authentication.krb5.service-name catalog configuration property to HTTP to match the Kerberos service name.

Additionally, you must configure your browser settings for Kerberos authentication. See your browser’s documentation for further details.

Legacy login

You can disable the Starburst Enterprise web UI login and revert to the legacy Trino UI login by setting the following configuration in the config.properties file:

sep-ui.security.disable-enterprise-login=true