Configuring the web UI #
The topic provides an overview of configuring the Starburst Enterprise platform (SEP) web UI, and its associated functionality:
- Enabling specific features
- Persisting query data
- Controlling access
- Customizing the login
It brings together UI-related configuration information from several topics:
- Starburst Enterprise web UI
- Insights configuration
- Query logger
- Data products
- Built-in access control overview
- Built-in access control roles
You do not need to understand the material in the preceding list in order to proceed. Instead, you may find that this topic provides a helpful introduction to those more detailed topics, in particular, the Starburst Enterprise web UI topic. The Starburst Enterprise web UI topic contains information on web UI-specific properties.
This topic assumes that you have secured your cluster with TLS. Default behaviors are different for unsecured clusters.
A basic version of the SEP web UI is enabled by default. It is accessed using the coordinator’s URL, as in the following examples:
Initially, only the query editor and the following Insights
screens and the query editor are enabled for users in the
- Query overview
- Query details
- Cluster history
- Usage metrics
When a user logs in, their role is displayed in the upper right along with their
username. This role determines what screens are visible to them. The
role by default has access to only the query editor and the
Insights overview screen. You can grant the
privileges for other screens as described later in this topic as desired.
Users can switch roles in the UI, if any additional roles have been granted to them, by clicking on the role name under their user name in the upper right, and selecting Switch roles from the menu.
You must assume
sysadmin role in order to access the Settings menu option
in the upper right drop-down menu, which opens the Customize login and
License screens. Customizing your login screen is discussed later in this
topic. The License screen lists the features available with your license,
and lets you download the license file.
sysadmin roles are built-in, and cannot be removed.
Web UI-specific configuration properties #
The web UI reference topic contains information on configuration properties for:
Persist query metadata #
Query metadata, which contains information related to query processing, is not
persisted by default. To persist query data between cluster restarts, you must
insights.persistence-enabled=true on the coordinator. This causes the
Query overview screen to access all query processing information that has
not been purged as part of Insights data retention
Enable screens for specific features #
Certain screens are not visible to anyone unless their associated features have been enabled. These include:
- Roles and privileges for built-in access control
- Built-in access control audit log
- Data products
- Domain management for data products feature
Built-in access control #
SEP’s built-in access control can be used to provide role-based access control (RBAC) for data sources, for controlling access to data products functionality, and for web UI screen access control. It can be used alone or alongside an existing third-party RBAC tool such as Apache Ranger. It must be enabled separately. Once enabled, the Roles and privileges screen appears in the web UI. From there, you can restrict or grant UI access to roles for specific screens with UI entity privileges.
You can additionally enable the built-in access control audit log feature and
its screen by setting
starburst.access-control.audit.enabled=true on the
coordinator once built-in access control is enabled. The audit log covers all
access control changes made through the built-in access control system, not just
UI access control changes.
Data products #
SEP’s data products feature is not enabled by default. It must be enabled separately. Once enabled, the Data products and Domain management screens appear in the web UI.
Web UI access control #
Once the built-in access control system is enabled, access control for the web
UI is accomplished mainly in the UI itself through the use of the
Roles and privileges screen. Initially, users must be granted the
role through a configuration property so that they can access the
Roles and privileges screen.
Initial role grants for administrators #
sysadmin role is initially not granted to any users. To add trusted users
to the role initially, you must list them in the
starburst.access-control.authorized-users property on the coordinator, or
include them in a group configured in the
starburst.access-control.authorized-groups property, also on the coordinator.
Once your initial
sysadmin members have been established, they can add or
remove users from roles through the Roles screen in the web UI by selecting
sysadmin user, and clicking the Assign icon.
Users granted the
sysadmin role through the UI are not added to the
starburst.access-control.authorized-groups properties. Rather, the list of
users added through the UI is maintained separately, and is in addition to the
users specified via those configuration properties. The set of users specified
via the configuration properties takes precedence over the list of users added
through the UI.
sysadmin role is granted all UI privileges, and its privileges
are not modifiable.
Control access for other users #
As with any RBAC-based system, roles are granted to users, and privileges are granted to roles. SEP’s built-in access control system is no different. Along with the ability to provide access control for data sources, it also provides UI entities that represent the various screens in the web UI. These UI entity privileges are granted the normal way through the Roles and privileges screen.
For example, you can create a role called
insights_users, add the desired list
of users to that role, click the Details icon, and then click the Add
privileges button. In the Add privileges screen that results, select the
User interface radio button for the privilege type.
Next, check the Overview, Query overview, Cluster history, and
Usage metrics checkboxes from the dropdown. Ensure that Allow and
Show are selected, and click Save privileges. All users granted the
insights_users role now have access to those screens.
Login screen #
The behavior and look of the login screen are affected by your authentication method and by available customizations.
The authentication flow in the web UI depends upon your cluster’s configured
authentication method. If your organization uses one of the supported SSO
options to authenticate users, the login screen contains a
Sign in with SSO
button instead of username and password fields. No action beyond configuring the
web-ui.authentication.type properties on
the coordinator is required.
Customize the login screen #
Customizations are available for the login screen itself no matter what
authentication screen is presented. You must assume the the
sysadmin in order
to access the Settings menu option in the collapsed caret menu in the upper
right, which opens the Customized Login screen.
In the customized login screen, you can upload a logo and add or delete a banner message.
Is the information on this page helpful?
- Configuring the web UI
Is the information on this page helpful?