Setting up a Hue service account with a custom name

In Cloudera, “hue” username is the default machine user and group name for Hue. You can create a custom machine user and group name on the Hue cluster and then specify them in the Hue configurations in Cloudera Manager.

  1. SSH into the Hue server host as a user with sudo privileges
  2. Create a new group for your custom Hue user account by running the following command:
    sudo groupadd[***NEW-HUE-GROUP-NAME***]
    Replace [***NEW-HUE-GROUP-NAME***] with the custom group name you want to use.
  3. Create a new user and assign it to the newly created group by running the following command:
    sudo useradd -G [***NEW-HUE-GROUP-NAME***] -m [***NEW-HUE-USER-NAME***] -s /usr/sbin/nologin
    
    The new user is stored in the /etc/passwd file, and group is stored in the /etc/group file.
  4. Verify that the new user exists within the newly created group by running the following command:
    grep [***NEW-HUE-USER-NAME***] /etc/passwd
  5. Change the ownership of the Hue directories as follows:
    sudo chown -R [***NEW-HUE-USER-NAME***]:[***NEW-HUE-GROUP-NAME***] /var/log/hue
    sudo chown -R [***NEW-HUE-USER-NAME***]:[***NEW-HUE-GROUP-NAME***] /var/log/hue-httpd
    sudo chown -R [***NEW-HUE-USER-NAME***]:[***NEW-HUE-GROUP-NAME***] /tmp/hue_*
  6. Modify the Hue configuration in Cloudera Manager as follows:
    1. Log in to Cloudera Manager as an Administrator.
    2. Go to Clusters > Hue > Configuration.
    3. Specify the custom group name you created earlier[***NEW-HUE-GROUP-NAME***] in the Default User Group field.
    4. Specify the custom user name you created earlier[***NEW-HUE-USER-NAME***] in the System User field.
    5. Specify the custom group name you created earlier[***NEW-HUE-GROUP-NAME***] in the System Group field.
    6. Add the following lines in the Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini field.
      [desktop]
      server_user=[***NEW-HUE-USER-NAME***]
      server_group=[***NEW-HUE-GROUP-NAME***]
      default_user=[***NEW-HUE-USER-NAME***]
    7. Click Save Changes.
    8. Restart the Hue service.
  7. Tail the /var/log/hue/rungunicornserver.log log file for any issues.
  8. Change the permissions of the Hue home directory as follows:
    sudo cd /opt/cloudera/parcels/CDH/lib/
    sudo chown -R [***NEW-HUE-USER-NAME***]:[***NEW-HUE-GROUP-NAME***]hue
  9. Change the permissions of the process directory as follows:
    sudo cd /var/run/cloudera-scm-agent/
    sudo setfacl -Rm user:[***NEW-HUE-USER-NAME***]:rwx process
    
  10. Verify Access Control List (ACL) changes by running the following command:
    getfacl process
    

To validate newly configured custom user and group

Run the following Python script on your Hue hosts to validate that the new user and group names are valid and configured correctly.

This script requires you to input the user (uid) and group (gid) IDs corresponding to the custom user and group names you created and displays the effective user and group IDs that are in use. You must ensure that the user belongs to the same group while specifying the uid and gid. The script displays the “Permission denied: Operation not permitted” error if there is a mismatch between the user ID and the group ID :

import os
def change_user_and_group(euid, egid):
    try:
        # Change the effective group ID
        os.setegid(egid)
        print(f"Effective Group ID changed to: {egid}")
        # Change the effective user ID
        os.seteuid(euid)
        print(f"Effective User ID changed to: {euid}")
        # Verify changes
        print(f"Current Effective User ID: {os.geteuid()}")
        print(f"Current Effective Group ID: {os.getegid()}")
    except PermissionError as e:
        print(f"Permission denied: {e}")
    except Exception as e:
        print(f"An error occurred: {e}")
 
if __name__ == "__main__":
    # Replace with actual user and group IDs that you want to switch to
    # Change `new_euid` to the user ID (UID) of the custom user you created.
    # Change `new_egid` to the group ID (GID) of the custom group you created.
    # Example: new_euid = 1001  # Non-root user ID
    #          new_egid = 1001  # Non-root group ID
    new_euid = 1001  # Replace with the new user ID (UID)
    new_egid = 1001  # Replace with the new group ID (GID)
    change_user_and_group(new_euid, new_egid)