Step 9: (Optional) Enable Authentication for HTTP Web Consoles for Hadoop Roles

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

Authentication for access to the HDFS, MapReduce, and YARN roles' web consoles can be enabled using a configuration option for the appropriate service. To enable this authentication:
  1. From the Clusters tab, select the service (HDFS, MapReduce, or YARN) for which you want to enable authentication.
  2. Click the Configuration tab.
  3. Select Scope > service name Service-Wide.
  4. Select Category > Security.
  5. Type Enable Kerberos in the Search box.
  6. Select Enable Kerberos Authentication for HTTP Web-Consoles.
  7. Click Save Changes to commit the changes.
  8. When the command finishes, restart all roles of that service.

Enabling SPNEGO as an Authentication Backend for Hue

To enable SPNEGO authentication:
  1. In Cloudera Manager, set the authentication backend to SpnegoDjangoBackend.
    1. Go to the Cloudera Manager Admin Console. From the Clusters tab, select the Hue service.
    2. Click the Configuration tab.
    3. Select Scope > Service-Wide.
    4. Select Category > Security.
    5. Locate the Authentication Backend property and select desktop.auth.backend.SpnegoDjangoBackend.
    6. Click Save Changes.
  2. Restart the Hue service.
  3. On the host running the Hue Kerberos Ticket Renewer, switch to the KT_RENEWER process directory. For example:
    cd /var/run/cloudera-scm-agent/process/`ls -lrt /var/run/cloudera-scm-agent/process/    \
    | awk '{print $9}' |grep KT_RENEWER| tail -1`/
  4. Verify that the Hue keytab includes the HTTP principal.
    klist -kte ./hue.keytab
    
    Keytab name: FILE:./hue.keytab
    KVNO Timestamp Principal
    ---- ----------------- --------------------------------------------------------
    1 03/09/15 20:20:35 hue/host-10-16-8-168.openstacklocal@EXAMPLE.CLOUDERA.COM (aes128-cts-hmac-sha1-96)
    1 03/09/15 20:20:36 HTTP/host-10-16-8-168.openstacklocal@EXAMPLE.CLOUDERA.COM (aes128-cts-hmac-sha1-96)
  5. Copy the hue.keytab file to /var/lib/hue and change ownership to the hue user and group.
    $ cp ./hue.keytab /var/lib/hue/
    $ chown hue:hue /var/lib/hue/hue.keytab
  6. Go to the Cloudera Manager Admin Console. From the Clusters tab, select the Hue service.
  7. Click the Configuration tab.
  8. Select Scope > Service-Wide.
  9. Select Category > Advanced.
  10. Locate the Hue Service Environment Advanced Configuration Snippet (Safety Valve) property and add the following line:
    KRB5_KTNAME=/var/lib/hue/hue.keytab
  11. Click Save Changes to commit the changes.
  12. Restart the Hue service.