Configuring the web UI

This topic provides an overview of configuring the Starburst Enterprise platform (SEP) web UI and its associated functionality:

  • Enabling specific features

  • Persisting query data

  • Controlling access

  • Customizing the login

It brings together UI-related configuration information from several topics:

You do not need to understand the material in the preceding list in order to proceed. Instead, you may find that this topic provides a helpful introduction to those more detailed topics, in particular, the Starburst Enterprise web UI topic. The Starburst Enterprise web UI topic contains information on web UI-specific properties.

This topic assumes that you have secured your cluster with TLS. Default behaviors are different for unsecured clusters.

Introduction

A basic version of the SEP web UI is enabled by default. It is accessed using the coordinator’s URL, as in the following examples:

  • https://sep.example.com/

  • http://sep.example.com:8080/

Initially, only the query editor and the following Insights screens are enabled for users in the sysadmin role:

  • Overview

  • Query overview

  • Query details

  • Cluster history

  • Usage metrics

When a user logs in, their role is displayed in the upper right along with their username. This role determines which screens are visible to them. By default, the public role has access to only the query editor and the Insights overview screen. As desired, you can grant the public role privileges for other screens, as described later in this topic.

Users can switch roles in the UI, if any additional roles have been granted to them, by clicking on the role name under their user name in the upper right, and selecting Switch roles from the menu.

You must assume sysadmin role in order to access the Settings menu option in the upper right drop-down menu, which opens the Customize login and License screens. Customizing your login screen is discussed later in this topic. The License screen lists the features available with your license, and lets you download the license file.

Both the public and sysadmin roles are built-in, and cannot be removed.

Web UI-specific configuration properties

The web UI reference topic contains information on configuration properties for:

Persist query metadata

Query metadata, which contains information related to query processing, is not persisted by default. To persist query data between cluster restarts, you must set insights.persistence-enabled=true on the coordinator. This causes the Query overview screen to access all query processing information that has not been purged as part of Insights data retention settings.

Enable screens for specific features

Certain screens are not visible to anyone unless their associated features have been enabled. These include:

  • Roles and privileges for built-in access control

  • Built-in access control audit log

  • Data products

  • Domain management for data products feature

Note

You must enable built-in access control in order to control access to certain screens, and to control who can create or edit a data domain or data product.

Built-in access control

SEP’s built-in access control can be used to provide role-based access control (RBAC) for data sources, for controlling access to data products functionality, and for web UI screen access control. It can be used alone or alongside an existing third-party RBAC tool such as Apache Ranger. It must be enabled separately. Once enabled, the Roles and privileges screen appears in the web UI. From there, you can restrict or grant UI access to roles for specific screens with UI entity privileges.

You can additionally enable the built-in access control audit log feature and its screen by setting starburst.access-control.audit.enabled=true on the coordinator once built-in access control is enabled. The audit log covers all access control changes made through the built-in access control system, not just UI access control changes.

Data products

SEP’s data products feature is not enabled by default. It must be enabled separately. Once enabled, the Data products and Domain management screens appear in the web UI.

Web UI access control

Once the built-in access control system is enabled, access control for the web UI is accomplished mainly in the UI itself through the use of the Roles and privileges screen. Initially, users must be granted the sysadmin role through a configuration property so that they can access the Roles and privileges screen.

Initial role grants for administrators

The sysadmin role is initially not granted to any users. To add trusted users to the role initially, you must list them in the starburst.access-control.authorized-users property on the coordinator, or include them in a group configured in the starburst.access-control.authorized-groups property, also on the coordinator.

Once your initial sysadmin members have been established, they can add or remove users from roles through the Roles screen in the web UI by selecting the sysadmin user, and clicking the Assign icon.

Users granted the sysadmin role through the UI are not added to the starburst.access-control.authorized-users or starburst.access-control.authorized-groups properties. Rather, the list of users added through the UI is maintained separately, and is in addition to the users specified via those configuration properties. The set of users specified via the configuration properties takes precedence over the list of users added through the UI.

The built-in sysadmin role is granted all UI privileges, and its privileges are not modifiable.
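Because sysadmin members defined in configuration are maintained separately from those added through the UI, it is useful to review the coordinator's properties file directly. The following is an added example, not Starburst code: it lists the configuration-defined sysadmin users and groups and reports whether the audit log and query persistence properties named in this topic are set. It assumes a plain key=value properties file and comma-separated list values; the sample configuration is constructed.

```python
# Added example: reviews the coordinator properties named on this page.
# SAMPLE_CONFIG is constructed for illustration, not taken from a real cluster.
SAMPLE_CONFIG = """\
# coordinator config.properties (constructed sample)
insights.persistence-enabled=true
starburst.access-control.authorized-users=alice, bob
starburst.access-control.authorized-groups=
http-server.authentication.type=PASSWORD
"""

USERS = "starburst.access-control.authorized-users"
GROUPS = "starburst.access-control.authorized-groups"
AUDIT = "starburst.access-control.audit.enabled"
PERSIST = "insights.persistence-enabled"

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def split_list(value):
    """Assumption: list-valued properties are comma-separated."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]

def review(text):
    """Return the config-defined sysadmin principals plus review findings."""
    props = parse_properties(text)
    users = split_list(props.get(USERS))
    groups = split_list(props.get(GROUPS))
    findings = []
    if not users and not groups:
        findings.append("no user or group is granted sysadmin through configuration")
    if props.get(AUDIT, "").lower() != "true":
        findings.append("built-in access control audit log is not enabled")
    if props.get(PERSIST, "").lower() != "true":
        findings.append("query metadata is not persisted between restarts")
    return {"users": users, "groups": groups, "findings": findings}

if __name__ == "__main__":
    print(review(SAMPLE_CONFIG))
```

The users and groups it reports are only the configuration-defined part of sysadmin membership; members added through the Roles screen must be reviewed in the UI.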

Control access for other users

As with any RBAC-based system, roles are granted to users, and privileges are granted to roles. SEP’s built-in access control system is no different. Along with the ability to provide access control for data sources, it also provides UI entities that represent the various screens in the web UI. These UI entity privileges are granted the normal way through the Roles and privileges screen.

For example, you can create a role called insights_users, add the desired list of users to that role, click the Details icon, and then click the Add privileges button. In the Add privileges screen that results, select the User interface radio button for the privilege type.

Next, check the Overview, Query overview, Cluster history, and Usage metrics checkboxes from the dropdown. Ensure that Allow and Show are selected, and click Save privileges. All users granted the insights_users role now have access to those screens.

Note

You can also create a role to explicitly deny access to certain screens for certain users using a Deny policy. Deny policies override any Allow privileges for a given entity and role.

Login screen

The behavior and look of the login screen are affected by your authentication method and by available customizations.

Authentication

The authentication flow in the web UI depends upon your cluster’s configured authentication method. If your organization uses one of the supported SSO options to authenticate users, the login screen contains a Sign in with SSO button instead of username and password fields. No action beyond configuring the http-server.authentication.type and web-ui.authentication.type properties on the coordinator is required.

Customize the login screen

Customizations are available for the login screen itself no matter what authentication screen is presented. You must assume the sysadmin role in order to access the Settings menu option in the collapsed caret menu in the upper right, which opens the Customized Login screen.

In the customized login screen, you can upload a logo and add or delete a banner message.