Enable Kerberos for authentication
For Hue to work properly with a CDP cluster that uses Kerberos for authentication, the Kerberos Ticket Renewer role must be added to the Hue service. After you have added the Hue service to your cluster, renew the Kerberos ticket for Hue and enable Kerberos for authentication.
Use the Cloudera Manager Admin Console to add the Kerberos Ticket Renewer role to
each host with a Hue Server role instance. The Hue Kerberos Ticket Renewer renews
only those tickets created for the Hue service principal:
hue/hostname@REALM-NAME
. The Hue
principal impersonates other users for applications within Hue such as the Job
Browser, File Browser, and so on. Other services, such as HDFS and MapReduce, do not
use the Hue Kerberos Ticket Renewer. Instead these other services handle ticket
renewal as needed by using their own mechanisms.
Troubleshooting the Kerberos Ticket Renewer:
If the Hue Kerberos Ticket Renewer does not start, check the configuration of your
Kerberos Key Distribution Center (KDC). Look at the ticket renewal property,
maxrenewlife
, to ensure that the principals,
hue/<host_name>
and
krbtgt
, are renewable. If these principals are not renewable,
run the following commands on the KDC to enable them:
kadmin.local: modprinc -maxrenewlife 90day krbtgt/<YOUR_REALM.COM>
kadmin.local: modprinc -maxrenewlife 90day +allow_renewable hue/<host_name>@<YOUR_REALM>