
Web Service Nodes Installation

Audience: System Administrators

Content Summary: Web Service nodes run the Immuta Web Service. The Immuta Web Service is a NodeJS application that consists of a REST API and a client-side web application. Multiple Web Service nodes are supported. Follow these instructions on each Web Service node.

Web Service Node Environment Setup

The following variables will be used throughout the installation of the Web Service:

  • IMMUTA_FEATURE_PASSWORD: password for the Immuta feature_service user.
  • IMMUTA_METADATA_PASSWORD: password for the Immuta bometadata user.
  • QUERY_ENGINE_HOSTNAME: hostname for the Immuta query engine.
  • IMMUTA_BASE_URL: base URL for the Immuta Web Service. See determining the Immuta base URL.
  • WORKER_COUNT: number of worker processes to run. This should usually equal the number of processors on the server; run echo $(lscpu | grep '^CPU(s):' | awk '{print $2}') to find that number. It must be at least 2 and should usually be set no higher than 8.
  • PATH_TO_CA: path to the CA certificate.
  • PATH_TO_PRIVATE_KEY: path to the private key nginx will use for TLS.
  • PATH_TO_CERT: path to the certificate nginx will use for TLS.

Export these as environment variables before beginning the setup. Every variable listed above is read by the commands that follow, so all of them must be set. An interactive shell records exported values in its history; set the two password variables with a prompt (read -rs IMMUTA_FEATURE_PASSWORD, then export IMMUTA_FEATURE_PASSWORD) or with a leading space under HISTCONTROL=ignorespace rather than typing the passwords inline.

export IMMUTA_FEATURE_PASSWORD=<feature_service password>
export IMMUTA_METADATA_PASSWORD=<bometadata password>
export QUERY_ENGINE_HOSTNAME=<query engine hostname>
export IMMUTA_BASE_URL=<base URL>
export WORKER_COUNT=<worker count>
export PATH_TO_CA=/etc/pki/tls/certs/ca-bundle.crt
export PATH_TO_PRIVATE_KEY=<path to private key>
export PATH_TO_CERT=<path to cert>


Web Service Node Package Installation

The following command must be run as root:

yum install immuta immuta-fingerprint nginx memcached

Note: The Immuta RPM will create an immuta user if one does not already exist.

If the yum install command fails with an error message about libntlm then you may need to enable the rhui-REGION-rhel-server-releases-optional repository.

Web Service Node Setup and Configuration

This section will walk you through configuring the Immuta Web Service and supporting services.

Immuta configuration needs to be updated with the database hostnames and passwords. The sed substitutions below insert the password values literally into the replacement expression, so a password containing /, & or \ will break the expression or be altered; choose passwords without those characters or escape them first. After these commands run, /etc/immuta/config.yml holds both database passwords in clear text, so confirm that it is readable only by the account the immuta service runs as (the immuta user created by the RPM) and not by other users.

The following commands must be run as root:

sed -i "/immutaDb/,/host/s/localhost/${QUERY_ENGINE_HOSTNAME}/" /etc/immuta/config.yml
sed -i "/featureStoreDb/,/host/s/#host: localhost/host: ${QUERY_ENGINE_HOSTNAME}/" \
    /etc/immuta/config.yml
sed -i "s/__bometadata_password__/${IMMUTA_METADATA_PASSWORD}/" /etc/immuta/config.yml
sed -i "s/__immuta_password__/${IMMUTA_FEATURE_PASSWORD}/" /etc/immuta/config.yml
sed -i "/publicImmutaUrl/c\publicImmutaUrl: ${IMMUTA_BASE_URL}" /etc/immuta/config.yml
sed -i '/^databases:/,/^cache:/s/#*ssl: false/ssl: true/' /etc/immuta/config.yml

Before starting the Web Service, set the WORKER_COUNT in the system configuration for the Immuta service.

The following command must be run as root:

sed -i "/\<WORKER_COUNT\>=/c\WORKER_COUNT=${WORKER_COUNT}" /etc/sysconfig/immuta

Memcached has no authentication of its own, so it must listen only on the loopback interface: set the OPTIONS variable in /etc/sysconfig/memcached to bind to localhost. Next, enable memcached in the Immuta configuration by uncommenting cache in the server section of /etc/immuta/config.yml.

The following commands must be run as root:

sed -i '/OPTIONS/{;/-l/n;s/""/"-l localhost"/}' /etc/sysconfig/memcached
sed -i  "/^[ ]\{4\}#cache:/,/partition/s/#//" /etc/immuta/config.yml

Nginx is used as a reverse proxy in front of the Immuta web service, which listens on the loopback interface (port 8080). Configure nginx by creating or replacing /etc/nginx/nginx.conf:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;
    sendfile on;
    keepalive_timeout 65;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    client_max_body_size 1g;

    upstream local_service {
        server localhost:8080;
    }

    server {
        listen *:8443 ssl;
        ssl_certificate /etc/nginx/tls/server.crt;
        ssl_certificate_key /etc/nginx/tls/server.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        location / {
            proxy_pass http://local_service;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $host;
        }
    }

    upstream web_service {
        server localhost:8443;
    }

    server {
        listen *:443 ssl;
        ssl_certificate /etc/nginx/tls/server.crt;
        ssl_certificate_key /etc/nginx/tls/server.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        location / {
            proxy_pass https://web_service;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $host;
        }
    }
}

Two points about this configuration are worth checking before the node is exposed. The 8443 server block listens on all interfaces, not only on the loopback address that the 443 block proxies to; if port 8443 is not meant to be reachable by clients, restrict it with the host firewall. No ssl_protocols or ssl_ciphers directives are set, so the defaults of the installed nginx version apply; set them explicitly to match your organization's TLS policy.

Copy the TLS certificate and private key into the /etc/nginx/tls directory. Ensure that they are readable by the nginx user; the private key must not be readable by group or other.

The following commands must be run as root:

mkdir -p /etc/nginx/tls
chown nginx: /etc/nginx/tls
cp "${PATH_TO_CERT}" /etc/nginx/tls/server.crt
cp "${PATH_TO_PRIVATE_KEY}" /etc/nginx/tls/server.key
chmod 600 /etc/nginx/tls/server.key
chown nginx: /etc/nginx/tls/*

If SELinux is enabled, nginx (confined in the httpd_t domain) must be allowed to open outbound connections to the upstream on the loopback interface. The boolean below grants that permission broadly; the narrower httpd_can_network_relay, which permits connections only to web and proxy ports, is usually sufficient for a reverse proxy and is the better choice where it works in your environment.

The following command must be run as root:

setsebool -P httpd_can_network_connect 1

Finally, enable and start the immuta, immuta-fingerprint, memcached, and nginx services.

The following commands must be run as root:

systemctl enable memcached
systemctl start memcached

systemctl enable nginx
systemctl start nginx

systemctl enable immuta-fingerprint
systemctl start immuta-fingerprint

systemctl enable immuta
systemctl start immuta
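The following script is an added post-install check and is not part of the Immuta documentation or packages. It verifies the security-relevant outcomes of the procedure above: memcached (port 11211) and the Immuta service (port 8080, assumed here to be bound to loopback as the text describes) accept connections only on loopback addresses, no __name__ placeholders survive in /etc/immuta/config.yml, and the nginx private key carries no group or world permission bits. The function names, the --live flag and the embedded sample of ss output are constructed for this example; run it as root with --live on the node, or with no arguments to exercise the checks against the sample.

```shell
#!/bin/sh
# Added example: post-install checks for an Immuta Web Service node.
# Not part of Immuta's installer. Assumes the paths and ports used in the
# procedure above; the function names and the --live flag are this example's own.
set -u

# Return 0 if every listener on PORT in SS_OUTPUT (the text of `ss -ltn`,
# header line optional) is bound to a loopback address; return 1 if any
# listener is bound elsewhere or nothing is listening on PORT at all.
listens_only_on_loopback() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" {
            n = split($4, p, ":")                 # last element is the port
            if (p[n] != port) next
            addr = $4; sub(":" p[n] "$", "", addr) # strip the port suffix
            seen = 1
            if (addr !~ /^127\./ && addr != "[::1]") bad = 1
        }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# Return 0 if no __placeholder__ tokens remain in the given config file;
# a survivor means one of the sed substitutions above did not match.
config_has_no_placeholders() {
    ! grep -q '__[a-z_]*__' "$1"
}

# Return 0 if the file has no group or world permission bits at all
# (0600 or 0400), which is what the chmod 600 above is meant to guarantee.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check NAME CMD ARGS...: run the check, print PASS/FAIL, return its status.
check() {
    name=$1; shift
    if "$@"; then echo "PASS: $name"; else echo "FAIL: $name"; return 1; fi
}

# Run every check against the live system; exit status 1 if any fails.
run_live_checks() {
    ss_out=$(ss -ltn)
    rc=0
    check "memcached (11211) bound to loopback only" listens_only_on_loopback "$ss_out" 11211 || rc=1
    check "immuta (8080) bound to loopback only"     listens_only_on_loopback "$ss_out" 8080  || rc=1
    check "no placeholders left in config.yml"       config_has_no_placeholders /etc/immuta/config.yml || rc=1
    check "nginx private key not group/world readable" key_is_private /etc/nginx/tls/server.key || rc=1
    return $rc
}

# Constructed sample of `ss -ltn` output: memcached correctly on loopback,
# nginx on all interfaces (expected), and the web service wrongly on 0.0.0.0.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      1024   127.0.0.1:11211     0.0.0.0:*
LISTEN 0      1024   [::1]:11211         [::]:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      511    *:8443              *:*
LISTEN 0      511    0.0.0.0:8080        0.0.0.0:*'

if [ "${1:-}" = "--live" ]; then
    run_live_checks
else
    check "sample: memcached (11211) loopback only" listens_only_on_loopback "$SAMPLE_SS" 11211
    check "sample: immuta (8080) loopback only"     listens_only_on_loopback "$SAMPLE_SS" 8080 || true
fi
```

Against the sample the first check passes and the second fails, which is the signal that the web service is reachable from the network directly rather than only through nginx. Nginx's own 443 and 8443 listeners are expected on all interfaces and are deliberately not checked.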