This is the documentation for CDH 5.1.x. Documentation for other versions is available at Cloudera Documentation.

Hue Security Configuration

The following sections describe how to configure Hue CDH 5 with Kerberos security, enabling single sign-on with SAML and encrypting communication between Hue and other services among other available configuration settings.


To enable Hue to work with Kerberos security on your Hadoop cluster, make sure you perform the installation and configuration steps in Configuring Hadoop Security in CDH 5.

Hue Security Enhancements

Enabling SSL Communication with HiveServer2

By providing a CA certificate, private key, and public certificate, Hue can communicate with HiveServer2 over SSL. You can now configure the following properties in the [beeswax] section under [[ssl]] in the Hue configuration file, hue.ini.

Choose to enable/disable SSL communication for this server.

Default: false


Path to Certificate Authority certificates.

Default: /etc/hue/cacerts.pem


Path to the private key file.

Default: /etc/hue/key.pem


Path to the public certificate file.

Default: /etc/hue/cert.pem


Choose whether Hue should validate certificates received from the server.

Default: true

Secure Database Connection

Connections vary depending on the database. Hue uses different clients to communicate with each database internally. They all specify a common interface known as the DBAPI version 2 interface. Client specific options, such as secure connectivity, can be passed through the interface. For example, for MySQL you can enable SSL communication by specifying the options configuration property under the desktop>[[database]] section in hue.ini.


Session Timeout

Session timeouts can be set by specifying the ttl configuration property under the [desktop]>[[session]] section in hue.ini.


The cookie containing the users' session ID will expire after this amount of time in seconds.

Default: 60*60*24*14

Secure Cookies

Secure session cookies can be enable by specifying the secure configuration property under the [desktop]>[[session]] section in hue.ini. Additionally, you can set the http-only flag for cookies containing users' session IDs.


The cookie containing the users' session ID will be secure. Should only be enabled with HTTPS.

Default: false


The cookie containing the users' session ID will use the HTTP only flag.

Default: false

Allowed HTTP Methods

You can specify the HTTP request methods that the server should respond to using the http_allowed_methods property under the [desktop] section in hue.ini.


Default: options,get,head,post,put,delete,connect

Restricting the Cipher List

Cipher list support with HTTPS can be restricted by specifying the ssl_cipher_list configuration property under the [desktop] section in hue.ini.


Default: !aNULL:!eNULL:!LOW:!EXPORT:!SSLv2

URL Redirect Whitelist

Restrict the domains or pages to which Hue can redirect users. The redirect_whitelist property can be found under the [desktop] section in hue.ini.


For example, to restrict users to your local domain and FQDN, the following value can be used:

Page generated September 3, 2015.