Securing sessions

When a Hue session expires, the screen blurs and the user is automatically logged out of the Hue web interface. Logging back on returns the user to the same location in the application.

Session timeout

User sessions are controlled with the ttl (time-to-live) property, which is set in Cloudera Data Warehouse Virtual Warehouses > Edit > CONFIGURATIONS > Hue > Configuration files > hue-safety-valve property as follows:

[desktop]
     [[session]]
     ttl=[***NUMBER-OF-SECONDS***]

The default setting for ttl is 1,209,600 seconds, which equals two weeks. The ttl property determines the length of time that the cookie with the user's session ID lives before expiring. After the ttl setting is reached, the user's session expires whether it is active or not.

Idle session timeout

Idle sessions are controlled with the idle_session_timeout property, which is set in Cloudera Data Warehouse Virtual Warehouses > Edit > CONFIGURATIONS > Hue > Configuration files > hue-safety-valve property as follows:

[desktop]
     [[auth]]
     idle_session_timeout=[***NUMBER-OF-SECONDS***]

Sessions expire that are idle for the number of seconds set for this property. For example, if you set idle_session_timeout=900, sessions expire after being idle for 15 minutes. You can disable the property by setting it to a negative value, like idle-session_timeout=-1.

Secure session login

Session login properties are set under the [desktop] [[auth]] section in Cloudera Data Warehouse Virtual Warehouses > Edit > CONFIGURATIONS > Hue > Configuration files > hue-safety-valve property as follows:

[desktop]
     [[auth]]
     [***SET-SESSION-LOGIN-PARAMETERS-HERE***]

Use the following properties to configure session login behavior:

change_default_password

Valid values: true | false

If this property is set to true, users must change their passwords on first login attempt.

Example:
[desktop]
     [[auth]]
     change_default_password=true

To use this property, you must enable the AllowFirstUserDjangoBackend in Hue. For example:

[desktop]
     [[auth]]
     backend=desktop.auth.backend.AllowFirstUserDjangoBackend
expires_after
Use this property to configure the number of seconds after logout that user accounts are disabled. For example, user accounts are disabled 900 seconds or 15 minutes after logout with the following configuration:
[desktop]
     [[auth]]
     expires_after=900

If you set this property to a negative value, user sessions never expire. For example, expires_after=-1.

expire_superusers Use to expire superuser accounts after the specified number of seconds after logout. For example, expire_superusers=900 causes superuser accounts to expire 15 minutes after logging out.
login_cooloff_time Sets the number of seconds after which failed logins are forgotten. For example, if you set login_cooloff_time=900, a failed login attempt is forgotten after 15 minutes.
login_failure_limit Sets the number of login attempts allowed before a failed login record is created. For example, if you set login_failure_limit=3, a failed login record is created after 3 login attempts.
login_lock_out_at_failure

Valid values: true | false

If set to true:
  • The IP address that is attempting to log in is locked out after exceeding the limit set for login_failure_limit.
  • If login_lock_out_by_combination_user_and_ip is also set to true, both the IP address and the user are locked out after exceeding the limit set for login_failure_limit.
  • If login_lock_out_use_user_agent is also set to true, both the IP address and the agent application (such as a browser) are locked out after exceeding the limit set for login_failure_limit.
login_lock_out_by_combination_user_and_ip

Valid values: true | false

If set to true, both the IP address and the user are locked out after exceeding the limit set for login_failure_limit.

login_lock_out_use_user_agent

Valid values: true | false

If set to true, the agent application (such as a browser) is locked out after exceeding the limit set for login_failure_limit.

Secure session cookies

Session cookie properties are set under the [desktop] [[session]] section in Cloudera Data Warehouse Virtual Warehouses > Edit > CONFIGURATIONS > Hue > Configuration files > hue-safety-valve property as follows:

[desktop]
     [[session]]
     [***SET-SESSION-COOKIE-PROPERTIES-HERE***]

Use the following properties to configure session cookie behavior: