Enable Kerberos for authentication
For Hue to work properly with a CDP cluster that uses Kerberos for authentication, the Kerberos Ticket Renewer role must be added to the Hue service. After you have added the Hue service to your cluster, renew the Kerberos ticket for Hue and enable Kerberos for authentication.
Use the Cloudera Manager Admin Console to add the Kerberos Ticket Renewer role to
each host with a Hue Server role instance. The Hue Kerberos Ticket Renewer renews
only those tickets created for the Hue service principal:
hue/hostname@REALM-NAME. The Hue
principal impersonates other users for applications within Hue such as the Job
Browser, File Browser, and so on. Other services, such as HDFS and MapReduce, do not
use the Hue Kerberos Ticket Renewer. Instead these other services handle ticket
renewal as needed by using their own mechanisms.
- On the Cloudera Manager home page, select the Hue service.
- On the Hue service page, click the Instances tab.
- On the Instances page, click Add Role Instances on the right side of the page. This launches the Add Role Instances wizard.
To add a Kerberos Ticket Renewer role instance to the same host that has the
Hue server on your CDP cluster, click Select hosts under
Kerberos Ticket Renewer:
To check which host has the Hue Server role instance, click View By Host, which launches a table that lists all the hosts in your CDP cluster and shows all the roles each host already has.
- In the host selection dialog box, after selecting the host where you want to add the Kerberos Ticket Renewer role instance, click OK, and Cloudera Manager adds the role instance.
- After processing the request to add the role instance, Cloudera Manager returns you to the Instances page and prompts you to restart the service. Click the Restart the service (or the instance)... link so the configuration change can take effect.
After the services have restarted, click Finish to
return to the Instances page.
Repeat these steps for each Hue Server role on your cluster.
Troubleshooting the Kerberos Ticket Renewer:
If the Hue Kerberos Ticket Renewer does not start, check the configuration of your
Kerberos Key Distribution Center (KDC). Look at the ticket renewal property,
maxrenewlife, to ensure that the principals,
krbtgt, are renewable. If these principals are not renewable,
run the following commands on the KDC to enable them:
kadmin.local: modprinc -maxrenewlife 90day krbtgt/<YOUR_REALM.COM>
kadmin.local: modprinc -maxrenewlife 90day +allow_renewable hue/<host_name>@<YOUR_REALM>