Authenticating Hue users with Kerberos
For Hue to work properly with a CDP cluster that uses Kerberos for authentication, the Kerberos Ticket Renewer role must be added to the Hue service.
Use the Cloudera Manager Admin Console to add the Kerberos Ticket
Renewer role to each host with a Hue Server role instance. The Hue Kerberos Ticket
Renewer renews only those tickets created for the Hue service principal:
hue/hostname@REALM-NAME. The Hue principal
impersonates other users for applications within Hue such as the Job Browser, File
Browser, and so on. Other services, such as HDFS and MapReduce, do not use the Hue
Kerberos Ticket Renewer. Instead these other services handle ticket renewal as needed by
using their own mechanisms.
- On the Cloudera Manager home page, select the Hue service.
- On the Hue service page, click the Instances tab.
- On the Instances page, click Add Role Instances on the right side of the page. This launches the Add Role Instances wizard.
To add a Kerberos Ticket Renewer role instance to the same host that has the Hue
server on your CDP cluster, click Select hosts under Kerberos Ticket
To check which host has the Hue Server role instance, click View By Host, which launches a table that lists all the hosts in your CDP cluster and shows all the roles each host already has.
- In the host selection dialog box, after selecting the host where you want to add the Kerberos Ticket Renewer role instance, click OK, and Cloudera Manager adds the role instance.
- After processing the request to add the role instance, Cloudera Manager returns you to the Instances page and prompts you to restart the service. Click the Restart the service (or the instance)... link so the configuration change can take effect.
After the services have restarted, click Finish to return to
the Instances page.
Repeat these steps for each Hue Server role on your cluster.
Troubleshooting the Kerberos Ticket Renewer:
If the Hue Kerberos Ticket Renewer does not start, check the configuration of your
Kerberos Key Distribution Center (KDC). Look at the ticket renewal property,
maxrenewlife, to ensure that the principals,
are renewable. If these principals are not renewable, run the following commands on the
KDC to enable them:
kadmin.local: modprinc -maxrenewlife 90day krbtgt/<YOUR_REALM.COM> kadmin.local: modprinc -maxrenewlife 90day +allow_renewable hue/<host_name>@<YOUR_REALM>