Step 9: Enable Hue to Work with Hadoop Security using Cloudera Manager
Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
If you are using a Hue service, you must add a role instance of Kerberos Ticket Renewer to the Hue service to enable Hue to work properly with the secure Hadoop cluster using Cloudera Manager. The Kerberos Ticket Renewer role must be located on the same host as the Hue Server role. You add can the necessary Kerberos Ticket Renewer role instances using Cloudera Manager.
The Hue Kerberos Ticket Renewer service will only renew tickets for the Hue service, for the principal hue/<hostname>@<YOUR-REALM.COM>. The Hue principal is then used to impersonate other users for applications within Hue such as the Job Browser, File Browser and so on.
Other services, such as HDFS and MapReduce, do not use the Hue Kerberos Ticket Renewer. They obtain tickets at startup and use those tickets to obtain Delegation Tokens for various access privileges. Each service handles its own ticket renewal as needed.
- Go to the Hue service.
- Click the Instances tab.
- Click the Add Role Instances button.
- Assign the Kerberos Ticket Renewer role instance to the same host as the Hue server.
- When the wizard is finished, the status will display Finished and the Kerberos Ticket Renewer role instance is configured. The Hue service will now work with the secure Hadoop cluster.
- Repeat these steps for each Hue Server role.
Troubleshooting the Kerberos Ticket Renewer:
kadmin.local: modprinc -maxrenewlife 90day krbtgt/YOUR_REALM.COM kadmin.local: modprinc -maxrenewlife 90day +allow_renewable hue/<hostname>@YOUR-REALM.COM