Step 9: Enable Hue to Work with Hadoop Security using Cloudera Manager

Minimum Required Role: Cluster Administrator (also provided by Full Administrator)

If you are using a Hue service, you must add a role instance of Kerberos Ticket Renewer to the Hue service to enable Hue to work properly with the secure Hadoop cluster using Cloudera Manager.

The Hue Kerberos Ticket Renewer service will only renew tickets for the Hue service, for the principal hue/<hostname>@YOUR-REALM.COM. The Hue principal is then used to impersonate other users for applications within Hue such as the Job Browser, File Browser and so on.

Other services, such as HDFS and MapReduce, do not use the Hue Kerberos Ticket Renewer. They obtain tickets at startup and use those tickets to obtain Delegation Tokens for various access privileges. Each service handles its own ticket renewal as needed.

  1. Go to the Hue service.
  2. Click the Instances tab.
  3. Click the Add Role Instances button.
  4. Assign the Kerberos Ticket Renewer role instance to the same host as the Hue server.
  5. When the wizard is finished, the status will display Finished and the Kerberos Ticket Renewer role instance is configured. The Hue service will now work with the secure Hadoop cluster.

Troubleshooting the Kerberos Ticket Renewer:
If the Hue Kerberos Ticket Renewer does not start, check your KDC configuration and the ticket renewal property, maxrenewlife, for the hue/<hostname> and krbtgt principals to ensure they are renewable. If not, running the following commands on the KDC will enable renewable tickets for these principals.

kadmin.local: modprinc -maxrenewlife 90day krbtgt/YOUR-REALM.COM
kadmin.local: modprinc -maxrenewlife 90day +allow_renewable hue/<hostname>@YOUR-REALM.COM
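
To run the check described above before changing anything, the following added example (not part of the original Cloudera documentation) classifies a principal from its getprinc record. It assumes the MIT Kerberos kadmin output format; the function name, sample records, hostnames and realm are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Cloudera code). Classifies MIT kadmin "getprinc" output
# read on stdin and prints one of:
#   renewable | zero-maxrenewlife | disallow-renewable | no-maxrenewlife-field
renewable_status() {
    awk '
        /^Maximum renewable life:/ {
            seen = 1
            life = $0
            sub(/^Maximum renewable life:[ \t]*/, "", life)
            sub(/[ \t\r]+$/, "", life)
        }
        # -allow_renewable shows up as DISALLOW_RENEWABLE on the Attributes line.
        /^Attributes:/ && /DISALLOW_RENEWABLE/ { denied = 1 }
        END {
            if (!seen)                            print "no-maxrenewlife-field"
            else if (denied)                      print "disallow-renewable"
            else if (life ~ /^0 days? 00:00:00$/) print "zero-maxrenewlife"
            else                                  print "renewable"
        }'
}

# Constructed sample records (hostnames and realm are placeholders).
SAMPLE_ZERO='Principal: hue/hue01.example.com@EXAMPLE.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Attributes:'

SAMPLE_DENIED='Principal: hue/hue01.example.com@EXAMPLE.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 90 days 00:00:00
Attributes: DISALLOW_RENEWABLE'

SAMPLE_OK='Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 90 days 00:00:00
Attributes:'

# On the KDC, feed real output instead of the samples, e.g.:
#   kadmin.local -q "getprinc hue/<hostname>@YOUR-REALM.COM" | renewable_status
for sample in "$SAMPLE_ZERO" "$SAMPLE_DENIED" "$SAMPLE_OK"; do
    printf '%s\n' "$sample" | renewable_status
done
```

A result of zero-maxrenewlife or disallow-renewable for either the hue/<hostname> or the krbtgt principal corresponds to the condition the modprinc commands above correct.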