Hue Security Configuration
The following sections describe how to configure Hue CDH 5 with Kerberos security, enabling single sign-on with SAML and encrypting communication between Hue and other services among other available configuration settings.
To enable Hue to work with Kerberos security on your Hadoop cluster, make sure you perform the installation and configuration steps in Configuring Hadoop Security in CDH 5.
Hue Security Enhancements
Enabling SSL Communication with HiveServer2
enabled |
Choose to enable/disable SSL communication for this server. Default: false |
cacerts |
Path to Certificate Authority certificates. Default: /etc/hue/cacerts.pem |
key |
Path to the private key file. Default: /etc/hue/key.pem |
cert |
Path to the public certificate file. Default: /etc/hue/cert.pem |
validate |
Choose whether Hue should validate certificates received from the server. Default: true |
Secure Database Connection
Connections vary depending on the database. Hue uses different clients to communicate with each database internally. They all specify a common interface known as the DBAPI version 2 interface. Client specific options, such as secure connectivity, can be passed through the interface. For example, for MySQL you can enable SSL communication by specifying the options configuration property under the desktop>[[database]] section in hue.ini.
[desktop] [[databases]] … options={"ssl":{"ca":"/tmp/ca-cert.pem"}}
Session Timeout
Session timeouts can be set by specifying the ttl configuration property under the [desktop]>[[session]] section in hue.ini.
ttl |
The cookie containing the users' session ID will expire after this amount of time in seconds. Default: 60*60*24*14 |
Secure Cookies
Secure session cookies can be enable by specifying the secure configuration property under the [desktop]>[[session]] section in hue.ini. Additionally, you can set the http-only flag for cookies containing users' session IDs.
secure |
The cookie containing the users' session ID will be secure. Should only be enabled with HTTPS. Default: false |
http-only |
The cookie containing the users' session ID will use the HTTP only flag. Default: false |
Allowed HTTP Methods
You can specify the HTTP request methods that the server should respond to using the http_allowed_methods property under the [desktop] section in hue.ini.
http_allowed_methods |
Default: options,get,head,post,put,delete,connect |
Restricting the Cipher List
Cipher list support with HTTPS can be restricted by specifying the ssl_cipher_list configuration property under the [desktop] section in hue.ini.
ssl_cipher_list |
Default: !aNULL:!eNULL:!LOW:!EXPORT:!SSLv2 |
URL Redirect Whitelist
Restrict the domains or pages to which Hue can redirect users. The redirect_whitelist property can be found under the [desktop] section in hue.ini.
redirect_whitelist | For example, to restrict users to your local domain and FQDN, the following value can be used: ^\/.*$,^http:\/\/www.mydomain.com\/.*$ |
<< Writing to a Secure HBase cluster | Configuring Hue to Support Hadoop Security using Kerberos >> | |