Hue Authentication

The following sections describe how to configure Kerberos security, enable single sign-on with SAML and encrypt session communication between Hue and other CDH services.

Hue Security Enhancements

Enabling LDAP Authentication with HiveServer2 and Impala

LDAP authentication with HiveServer2 and Impala can be enabled by setting the following properties under the [desktop] section in hue.ini.
ldap_username LDAP username of the Hue user to be authenticated.
ldap_password

LDAP password for the Hue user to be authenticated.

These login details are only used by Impala and Hive to authenticate to LDAP. The Impala and Hive services trust Hue to have already validated the user being impersonated, rather than simply passing on the credentials.

Session Timeout

Session timeouts can be set by specifying the ttl configuration property under the [desktop]>[[session]] section in hue.ini.

ttl

The cookie containing the users' session ID will expire after this amount of time in seconds.

Default: 60*60*24*14

Secure Cookies

Secure session cookies can be enable by specifying the secure configuration property under the [desktop]>[[session]] section in hue.ini. Additionally, you can set the http-only flag for cookies containing users' session IDs.

secure

The cookie containing the users' session ID will be secure. Should only be enabled with HTTPS.

Default: false

http-only

The cookie containing the users' session ID will use the HTTP only flag.

Default: false

Allowed HTTP Methods

You can specify the HTTP request methods that the server should respond to using the http_allowed_methods property under the [desktop] section in hue.ini.

http_allowed_methods

Default: options,get,head,post,put,delete,connect

Restricting the Cipher List

Cipher list support with HTTPS can be restricted by specifying the ssl_cipher_list configuration property under the [desktop] section in hue.ini.

ssl_cipher_list

Default: !aNULL:!eNULL:!LOW:!EXPORT:!SSLv2

URL Redirect Whitelist

Restrict the domains or pages to which Hue can redirect users. The redirect_whitelist property can be found under the [desktop] section in hue.ini.

redirect_whitelist

For example, to restrict users to your local domain and FQDN, the following value can be used:

^\/.*$,^http:\/\/www.mydomain.com\/.*$