Cloudera Docs

Step 9: (Optional) Enable authentication for HTTP web consoles for Hadoop roles

Authentication for access to the web consoles for the HDFS and YARN roles can be enabled using a configuration option for the appropriate service.

Minimum Required Role: Configurator (also provided by Cluster Administrator, Limited Cluster Administrator , and Full Administrator)

  1. On the Clusters tab, select the service (HDFS or YARN) for which you want to enable authentication.
  2. Click the Configuration tab.
  3. Select Scope > service name Service-Wide.
  4. Type Enable Kerberos in the Search box.
  5. Select Enable Kerberos Authentication for HTTP Web-Consoles.
  6. elect Enable Kerberos Authentication for HTTP Web-Consoles.
  7. Enter a Reason for change, then click Save Changes to commit the changes.
  8. When the command finishes, restart all roles of that service.

Enabling SPNEGO as an Authentication Backend for Hue

  1. In Cloudera Manager, set the authentication backend to SpnegoDjangoBackend.
    1. Go to the Cloudera Manager Admin Console. From the Clusters tab, select the Hue service.
    2. Click the Configuration tab.
    3. Select Scope > Service-Wide.
    4. Select Category > Security.
    5. Locate the Authentication Backend property and select desktop.auth.backend.SpnegoDjangoBackend.
    6. Click Save Changes.
  2. Restart the Hue service.
  3. If you are using an external load balancer, perform the following steps, otherwise skip the remaining steps. Cloudera Manager creates these configuration automatically:
    1. On the host running the Hue Kerberos Ticket Renewer, switch to the KT_RENEWER process directory. For example: 
      cd /var/run/cloudera-scm-agent/process/`ls -lrt /var/run/cloudera-scm-agent/process/    \
| awk '{print $9}' |grep KT_RENEWER| tail -1`/
    2. Verify that the Hue keytab includes the HTTP principal. 
      klist -kte ./hue.keytab

Keytab name: FILE:./hue.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 03/09/15 20:20:35 hue/host-10-16-8-168.openstacklocal@EXAMPLE.CLOUDERA.COM (aes128-cts-hmac-sha1-96)
1 03/09/15 20:20:36 HTTP/host-10-16-8-168.openstacklocal@EXAMPLE.CLOUDERA.COM (aes128-cts-hmac-sha1-96)
    3. Copy the hue.keytab file to /var/lib/hue and change ownership to the hue user and group. 
      cp ./hue.keytab /var/lib/hue/
chown hue:hue /var/lib/hue/hue.keytab
    4. Go to the Cloudera Manager Admin Console. From the Clusters tab, select the Hue service.
    5. Click the Configuration tab.
    6. Select Scope > Service-Wide.
    7. Select Category > Advanced.
    8. Locate the Hue Service Environment Advanced Configuration Snippet (Safety Valve) property and add the following line: 
      KRB5_KTNAME=/var/lib/hue/hue.keytab
    9. Enter a Reason for change, then click Save Changes to commit the changes.
    10. Restart the Hue service.