Configuring Hue
Before you can configure Hue to work with an HDP cluster that is configured for Kerberos, you must refer to and complete the instructions for Configuring Ambari and Hadoop for Kerberos or Setting Up Kerberos Security for Manual Installs.
To enable Hue to work with an HDP cluster configured for Kerberos, make the following changes to Hue and Kerberos.:
Where $FQDN is the host name of the Hue server and EXAMPLE.COM is the Hadoop realm, create a principal for the Hue server:
# kadmin.local kadmin.local: addprinc -randkey hue/$FQDN@EXAMPLE.COM
Where $FQDN is the host name of the Hue server and EXAMPLE.COM is the Hadoop realm, generate a keytab for the Hue principal:
kadmin.local: xst -k hue.service.keytab hue/$FQDN@EXAMPLE.COM
Put the
hue.service.keytab
file on the host where the Hue server is installed, in the directory/etc/security/keytabs
.Set the permissions and ownership of the
/etc/security/keytabs/hue.service.keytab
file as follows:chown hue:hadoop /etc/security/keytabs/hue.service.keytab chmod 600 /etc/security/keytabs/hue.service.keytab
Where $FQDN is the host name of the Hue server and EXAMPLE.COM is the Hadoop realm, use kinit to confirm that the
/etc/security/keytabs/hue.service.keytab
file is accessible to Hue:su - hue kinit -k -t /etc/security/keytabs/hue.service.keytab hue/$FQDN@EXAMPLE.COM
Where $FQDN is the host name of the Hue server and EXAMPLE.COM is the Hadoop realm, add the following to the [kerberos] section in the
/etc/hue/conf/hue.ini
configuration file:[[kerberos]] # Path to Hue's Kerberos keytab file hue_keytab=/etc/security/keytabs/hue.service.keytab # Kerberos principal name for Hue hue_principal=hue/$FQDN@EXAMPLE.COM
Set the path to kinit, based on the OS.
If you do not know the full path to kinit, you can find it by issuing the command where is kinit.
The following is an example of setting the path to kinit for RHEL/CentOS 6.x:
# Path to kinit # For RHEL/CentOS 6.x, kinit_path is /usr/bin/kinit kinit_path=/usr/kerberos/bin/kinit
Optionally, for faster performance, you can keep Kerberos credentials cached:
ccache_path=/tmp/hue_krb5_ccache
Edit the
/etc/hue/conf/hue.ini
configuration file and set set security_enabled=true for every component in the configuration file.Save the
/etc/hue/conf/hue.ini
configuration file.Restart Hue:
# /etc/init.d/hue start
Validate the Hue installation.
To view the current configuration of your Hue server, select About > Configuration or http://hue.server:8000/dump_config.
To ensure that Hue server was configured properly, select About > Check for misconfiguration or http://hue.server:8000/debug/check_config.
If you detect any potential misconfiguration, fix it and restart Hue.