Hi Yugabyte team,
We are trying to enable basic authentication for the YugabyteDB Web UI using the documented flags:
--webserver_password_file=/etc/yugabyte/.htpasswd
--webserver_authentication_domain=YugabyteDB
Environment:
YugabyteDB version: 2025.2.3.0-b149
Component: yb-master
Web UI port: 7000
OS/container: Oracle Linux based container
The .htpasswd file exists on the instance and contains a bcrypt hash for the yugabyte user. The file is readable by the process. (yugabyte:hash)
When these two flags are added to master.conf, yb-master fails to start. The logs show:
Starting webserver on 0.0.0.0:7000
Document root: /opt/yugabyte-2025.2.3.0/www
Webserver: Password file is /etc/yugabyte/.htpasswd
Webserver listen spec is 0.0.0.0:7000
Webserver: Invalid option: global_passwords_file
Webserver: Could not start on address 0.0.0.0:7000
If we remove the authentication flags from master.conf, yb-master starts successfully, ports 7000 and 7100 are listening, and the Web UI returns HTTP 200.
Could you please confirm whether this is a known bug in 2025.2.3.0-b149 and whether there is a fixed version available or planned?
Also, is there any currently supported way to enable authentication for yb-master and yb-tserver Web UI ports 7000 and 9000, or is the recommended approach to protect these ports using an external reverse proxy/auth layer?
Thanks.