Hue Authentication

The following sections describe how to configure Hue CDH 5 with Kerberos security, enabling single sign-on with SAML and encrypting communication between Hue and other services among other available configuration settings.

Hue Security Enhancements

Enabling SSL Communication with HiveServer2

By providing a CA certificate, private key, and public certificate, Hue can communicate with HiveServer2 over SSL. You can now configure the following properties in the [beeswax] section under [[ssl]] in the Hue configuration file, hue.ini.

`enabled`	Choose to enable/disable SSL communication for this server. Default: `false`
`cacerts`	Path to Certificate Authority certificates. Default: `/etc/hue/cacerts.pem`
`key`	Path to the private key file. Default: `/etc/hue/key.pem`
`cert`	Path to the public certificate file. Default: `/etc/hue/cert.pem`
`validate`	Choose whether Hue should validate certificates received from the server. Default: `true`

Enabling LDAP Authentication with HiveServer2 and Impala

LDAP authentication with HiveServer2 and Impala can be enabled by setting the following properties under the [desktop] section in hue.ini.

`ldap_username`	LDAP username of the Hue user to be authenticated.
`ldap_password`	LDAP password for the Hue user to be authenticated.

Secure Database Connection

Connections vary depending on the database. Hue uses different clients to communicate with each database internally. They all specify a common interface known as the DBAPI version 2 interface. Client specific options, such as secure connectivity, can be passed through the interface. For example, for MySQL you can enable SSL communication by specifying the options configuration property under the desktop>[[database]] section in hue.ini.

[desktop] 
  [[databases]] 
    … 
    options={"ssl":{"ca":"/tmp/ca-cert.pem"}}

Session Timeout

Session timeouts can be set by specifying the ttl configuration property under the [desktop]>[[session]] section in hue.ini.

ttl

The cookie containing the users' session ID will expire after this amount of time in seconds.

Default: 60*60*24*14

Secure Cookies

Secure session cookies can be enable by specifying the secure configuration property under the [desktop]>[[session]] section in hue.ini. Additionally, you can set the http-only flag for cookies containing users' session IDs.

secure

The cookie containing the users' session ID will be secure. Should only be enabled with HTTPS.

Default: false

http-only

The cookie containing the users' session ID will use the HTTP only flag.

Default: false

Allowed HTTP Methods

You can specify the HTTP request methods that the server should respond to using the http_allowed_methods property under the [desktop] section in hue.ini.

http_allowed_methods

Default: options,get,head,post,put,delete,connect

Restricting the Cipher List

Cipher list support with HTTPS can be restricted by specifying the ssl_cipher_list configuration property under the [desktop] section in hue.ini.

ssl_cipher_list

Default: !aNULL:!eNULL:!LOW:!EXPORT:!SSLv2

URL Redirect Whitelist

Restrict the domains or pages to which Hue can redirect users. The redirect_whitelist property can be found under the [desktop] section in hue.ini.

redirect_whitelist

For example, to restrict users to your local domain and FQDN, the following value can be used:

^\/.*$,^http:\/\/www.mydomain.com\/.*$

HttpFS Authentication

Configuring Kerberos Authentication for Hue