Step 8: (Optional) Enable authentication for HTTP web consoles for Hadoop roles

Authentication for access to the web consoles for the HDFS and YARN roles can be enabled using a configuration option for the appropriate service.

Minimum Required Role: Configurator (also provided by Cluster Administrator, Limited Cluster Administrator, and Full Administrator)

  1. On the Clusters tab, select the service (HDFS or YARN) for which you want to enable authentication.
  2. Click the Configuration tab.
  3. Select Scope > service name Service-Wide.
  4. Type Enable Kerberos in the Search box.
  5. Select Enable Kerberos Authentication for HTTP Web-Consoles.
  6. Enter a Reason for change, then click Save Changes to commit the changes.
  7. When the command finishes, restart all roles of that service.

Enabling SPNEGO as an Authentication Backend for Hue

Set up the Cloudera Manager authentication backend and configure the Kerberos keytab for the Hue service.

  1. In Cloudera Manager, set the authentication backend to SpnegoDjangoBackend.
    1. Go to the Cloudera Manager Admin Console. From the Clusters tab, select the Hue service.
    2. Click the Configuration tab.
    3. Select Scope > Service-Wide.
    4. Select Category > Security.
    5. Locate the Authentication Backend property and select desktop.auth.backend.SpnegoDjangoBackend.
    6. Click Save Changes.
  2. Restart the Hue service.
  3. If you are using an external load balancer, perform the following steps; otherwise, skip the remaining steps. Cloudera Manager creates this configuration automatically:
    1. Obtain or create a Kerberos keytab that includes keys for the load balancer host’s HTTP service principal and for any other DNS hostnames or aliases a client might use to connect to Hue.

      For example, if clients need to bypass the external load balancer and connect to Hue instances directly, the keytab must include all associated HTTP principals.

      klist -kte custom-hue-spnego.keytab
      
      Keytab name: FILE: custom-hue-spnego.keytab
      KVNO Timestamp Principal
      
      1 03/09/15 20:20:35 HTTP/load-balancer.example.cloudera.com@EXAMPLE.CLOUDERA.COM (aes128-cts-hmac-sha1-96)
      1 03/09/15 20:20:36 HTTP/huehost1.example.cloudera.com@EXAMPLE.CLOUDERA.COM (aes128-cts-hmac-sha1-96)
      1 03/09/15 20:20:36 HTTP/huehost2.example.cloudera.com@EXAMPLE.CLOUDERA.COM (aes128-cts-hmac-sha1-96)

      For principals not managed by Cloudera Manager, you must contact your organization's KDC administrator for help with keytab creation.
    2. Copy the custom-hue-spnego.keytab file to /var/lib/hue/hue.keytab and change ownership to the hue user and group.
      cp ./custom-hue-spnego.keytab /var/lib/hue/hue.keytab
      chown hue:hue /var/lib/hue/hue.keytab
    3. Go to the Cloudera Manager Admin Console. From the Clusters tab, select the Hue service.
    4. Click the Configuration tab.
    5. Select Scope > Service-Wide.
    6. Select Category > Advanced.
    7. Locate the Hue Service Environment Advanced Configuration Snippet (Safety Valve) property and add the following line:
      KRB5_KTNAME=/var/lib/hue/hue.keytab
    8. Enter a Reason for change, then click Save Changes to commit the changes.
    9. Restart the Hue service.
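
The following check is an added example, not part of the original Cloudera procedure. It reads `klist -kte` output and reports any HTTP principal the keytab lacks for the load balancer and Hue hosts, and confirms the keytab file is not readable by group or other. The function names and the mode check are assumptions added here; it assumes the MIT `klist` line layout shown above, and the sample listing is constructed from the page's example values.

```bash
#!/usr/bin/env bash
# Added example: pre-restart checks for the custom Hue SPNEGO keytab.
# On a real host, feed it the live listing, for example:
#   klist -kte /var/lib/hue/hue.keytab | missing_principals REALM host1 host2

# Print every HTTP/<host>@<realm> principal that is absent from the
# klist listing read on stdin. Usage: missing_principals REALM host...
# The body runs in a subshell so its variables do not leak.
missing_principals() (
  realm=$1; shift
  listing=$(cat)
  for host in "$@"; do
    want="HTTP/${host}@${realm}"
    # In `klist -kte` key lines the principal is the 4th field:
    # KVNO, date, time, principal, (enctype).
    printf '%s\n' "$listing" |
      awk -v p="$want" '$4 == p { found = 1 } END { exit !found }' ||
      printf '%s\n' "$want"
  done
)

# Succeed only if the file grants no group/other permissions.
# Assumption added here: the page sets ownership (hue:hue) but no mode;
# a keytab holds long-term keys, so any reader can act as the service.
keytab_private() (
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
)

# Constructed sample listing, shaped like the one on this page.
# huehost2 is deliberately left out so that it is reported as missing.
SAMPLE_LISTING='Keytab name: FILE:custom-hue-spnego.keytab
KVNO Timestamp Principal
   1 03/09/15 20:20:35 HTTP/load-balancer.example.cloudera.com@EXAMPLE.CLOUDERA.COM (aes128-cts-hmac-sha1-96)
   1 03/09/15 20:20:36 HTTP/huehost1.example.cloudera.com@EXAMPLE.CLOUDERA.COM (aes128-cts-hmac-sha1-96)'

printf '%s\n' "$SAMPLE_LISTING" | missing_principals EXAMPLE.CLOUDERA.COM \
  load-balancer.example.cloudera.com \
  huehost1.example.cloudera.com \
  huehost2.example.cloudera.com
```

Empty output from `missing_principals` means every listed hostname has a key; any printed principal should be added to the keytab before Hue is restarted.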