Hue User Permissions
Users who log on to the Hue UI must have permission to use Hue, and also, each CDH service accessible within Hue.
A common configuration is for Hue users to be authenticated with an LDAP server and CDH users with Kerberos. These users can differ. For example, CDH services do not authenticate each user who logs on to Hue. Rather, they authenticate Hue and trust that Hue has authenticated its users.
Once Hue is authenticated by a service (for example, Hive), Hue impersonates the user (doAs) requesting use of that service (for example, to create a table). The service uses Sentry (essentially a chmod tool) to ensure the group to which that user belongs is authorized for that action.
Hue user permissions are at the application level only. For example, a Hue superuser can filter Hue user access to a CDH service but cannot authorize the use of its features. Again, Sentry does that. Learn how to Authorize Hue User Groups with Sentry.
Hue Superusers
The Hue User Admin application provides two levels of privileges: users and superusers.
Users can change their name, email address, and password. They can login to Hue and run Hue applications according to their group permissions.
- Add and delete users and groups
- Import and sync users and groups from an LDAP server
- Assign group permissions
- Promote users to superusers and vice versa.
Hue superusers have no special privileges to the underlying CDH cluster services. Sentry is used to add those privileges.
How to Assign Superuser Status to an LDAP User
- With the AllowAllBackend temporarily enabled, assign superuser status and Synchronize One User.
- With the LdapBackend enabled, run a Hue shell command to apply superuser status.
- Enable multiple backends so that the first user to log on still works when integrated with LDAP.
Hue Applications and Permissions
Hue is a gateway to (and web-based UI for) the following CDH cluster services.
Hue Applications
These CDH services are available in Hue. Currently, Spark is only available upstream.
Hue App | Sentry | App Dependencies |
---|---|---|
HBase | HBase Browser | |
HDFS | Core, File Browser | |
Hive | Metastore Tables, Hive Editor | |
Impala | Metastore Tables, Impala Editor | |
MapRed / YARN | Job Browser, Job Designer, Oozie, Hive Editor, Pig, Sqoop | |
Oozie | Job Designer, Oozie Editor/Dashboard | |
Pig | Pig Editor, Oozie | |
Sentry | Solr Search | |
Solr (Search) | Hadoop Security | |
Spark | Spark | |
Sqoop 2 | Sqoop Transfer |
Hue Permissions
Hue application permissions are composed of name.permission:action.
- Hue application name = filebrowser
- Permissions = access (as in, execute)
- Action = Launch this application (the HDFS filebrowser).
- Process ID in Hue database (3).
Hue App | Permission | rwx | Action Description |
---|---|---|---|
about | access | --x | Launch this application |
beeswax | access | --x | Launch this application |
dashboard | access | --x | Launch this application |
filebrowser | access | --x | Launch this application |
filebrowser | s3_access | --x | Access to S3 from filebrowser and filepicker |
help | access | --x | Launch this application |
impala | access | --x | Launch this application |
indexer | access | --x | Launch this application |
jobbrowser | access | --x | Launch this application |
jobsub | access | --x | Launch this application |
metadata | access | --x | Launch this application |
metadata | write | -w- | Allow edition of metadata like tags |
metastore | access | --x | Launch this application |
metastore | write | -w- | Allow DDL operations. Need the app access too |
notebook | access | --x | Launch this application |
oozie | access | --x | Launch this application |
oozie | dashboard_jobs_access | --x | Oozie Dashboard read-only user for all jobs |
oozie | disable_editor_access | --x | Disable Oozie Editor access |
pig | access | --x | Launch this application |
proxy | access | --x | Launch this application |
rdbms | access | --x | Launch this application |
search | access | --x | Launch this application |
security | access | --x | Launch this application |
security | impersonate | Let a user impersonate another user when listing objects like files or tables | |
sqoop | access | --x | Launch this application |
useradmin | access_view:useradmin:edit_user | rwx | Access to profile page on User Admin |
useradmin | access_view:useradmin:view_user | rwx | Access to any profile page on User Admin |
useradmin | access | --x | Launch this application |