Hadoop Security Guide

Configuring Hue

Before you can configure Hue to work with an HDP cluster that is configured for Kerberos, you must refer to and complete the instructions for Configuring Ambari and Hadoop for Kerberos or Setting Up Kerberos Security for Manual Installs.

To enable Hue to work with an HDP cluster configured for Kerberos, make the following changes to Hue and Kerberos:

  1. Where $FQDN is the host name of the Hue server and EXAMPLE.COM is the Hadoop realm, create a principal for the Hue server:

    # kadmin.local
    kadmin.local: addprinc -randkey hue/$FQDN@EXAMPLE.COM
  2. Where $FQDN is the host name of the Hue server and EXAMPLE.COM is the Hadoop realm, generate a keytab for the Hue principal:

    kadmin.local: xst -k hue.service.keytab hue/$FQDN@EXAMPLE.COM
  3. Put the hue.service.keytab file on the host where the Hue server is installed, in the directory /etc/security/keytabs.

  4. Set the permissions and ownership of the /etc/security/keytabs/hue.service.keytab file as follows:

    chown hue:hadoop /etc/security/keytabs/hue.service.keytab 
    chmod 600 /etc/security/keytabs/hue.service.keytab
  5. Where $FQDN is the host name of the Hue server and EXAMPLE.COM is the Hadoop realm, use kinit to confirm that the /etc/security/keytabs/hue.service.keytab file is accessible to Hue:

    su - hue
    kinit -k -t /etc/security/keytabs/hue.service.keytab hue/$FQDN@EXAMPLE.COM
  6. Where $FQDN is the host name of the Hue server and EXAMPLE.COM is the Hadoop realm, add the following to the [kerberos] section in the /etc/hue/conf/hue.ini configuration file:

    [[kerberos]] 
    # Path to Hue's Kerberos keytab file
    hue_keytab=/etc/security/keytabs/hue.service.keytab 
    # Kerberos principal name for Hue 
    hue_principal=hue/$FQDN@EXAMPLE.COM
  7. Set the path to kinit, based on the OS.

    If you do not know the full path to kinit, you can find it by issuing the command whereis kinit.

    The following is an example of setting the path to kinit for RHEL/CentOS 6.x:

    # Path to kinit
    # For RHEL/CentOS 6.x, kinit_path is /usr/bin/kinit
    kinit_path=/usr/bin/kinit
  8. Optionally, for faster performance, you can keep Kerberos credentials cached:

    ccache_path=/tmp/hue_krb5_ccache
  9. Edit the /etc/hue/conf/hue.ini configuration file and set security_enabled=true for every component in the configuration file.

  10. Save the /etc/hue/conf/hue.ini configuration file.

  11. Restart Hue:

    # /etc/init.d/hue start
  12. Validate the Hue installation.

    1. To view the current configuration of your Hue server, select About > Configuration or go to http://hue.server:8000/dump_config.

    2. To ensure that the Hue server was configured properly, select About > Check for misconfiguration or go to http://hue.server:8000/debug/check_config.

      If you detect any potential misconfiguration, fix it and restart Hue.
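
A static check of the settings made in steps 4 through 9, written as an added example that is not part of the original guide. The function names are illustrative, and it assumes hue.ini is read literally, so a `$FQDN` left in hue_principal is reported as an unreplaced placeholder:

```shell
#!/bin/sh
# Added example: static audit of the Hue Kerberos settings from the steps above.
# Function names are illustrative and not part of Hue or HDP.

# ini_get FILE KEY: print the value of the first uncommented KEY=value line.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# keytab_mode_ok FILE: succeed only if FILE is a regular file with mode 600.
keytab_mode_ok() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# keytab_owner_ok FILE USER GROUP: succeed if ls reports that owner and group.
keytab_owner_ok() {
    [ "$(ls -ld "$1" | awk '{print $3 ":" $4}')" = "$2:$3" ]
}

# audit_hue_ini FILE: print one line per finding; exit status 0 means clean.
audit_hue_ini() {
    ini=$1 bad=0
    keytab=$(ini_get "$ini" hue_keytab)
    principal=$(ini_get "$ini" hue_principal)
    kinit=$(ini_get "$ini" kinit_path)
    if ! keytab_mode_ok "$keytab"; then
        echo "hue_keytab '$keytab' is missing or not mode 600"; bad=1
    fi
    case $principal in
        *'$'*) echo "hue_principal still contains a placeholder: $principal"; bad=1 ;;
        hue/?*@?*) ;;
        *) echo "hue_principal is not of the form hue/host@REALM: '$principal'"; bad=1 ;;
    esac
    if [ ! -f "$kinit" ] || [ ! -x "$kinit" ]; then
        echo "kinit_path '$kinit' is not an executable file"; bad=1
    fi
    if grep -Eq '^[[:space:]]*security_enabled[[:space:]]*=[[:space:]]*false' "$ini"; then
        echo "at least one component still has security_enabled=false"; bad=1
    fi
    return "$bad"
}

# Typical calls on the Hue host (paths and owner taken from the steps above):
#   audit_hue_ini /etc/hue/conf/hue.ini
#   keytab_owner_ok /etc/security/keytabs/hue.service.keytab hue hadoop
```

Source the file and run the two calls shown in the closing comment before restarting Hue; the kinit test in step 5 remains the check that the keytab actually contains the principal.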