Hue Authentication
This page describes properties in the Hue configuration file, hue.ini, that support authentication and Hue security in general.
Continue reading:
For information on configuring Hue with Kerberos, , encrypting session communication, and enabling single sign-on with SAML, see:
Enabling LDAP Authentication with HiveServer2 and Impala
LDAP authentication with HiveServer2 and Impala can be enabled by setting the following properties under their respective sections in hue.ini, [beeswax] and [impala].
auth_username | LDAP username of Hue user to be authenticated. |
auth_password |
LDAP password of Hue user to be authenticated. |
These login details are only used by Impala and Hive to authenticate to LDAP. The Impala and Hive services trust Hue to have already validated the user being impersonated, rather than simply passing on the credentials.
Securing Sessions
When a session expires, the screen blurs and the user is automatically logged out of the Hue Web UI. Logging on returns the user to same location.
Session Timeout
User sessions are controlled with the ttl (time-to-live) property under [desktop]> [[session]] in hue.ini. After n seconds, the session expires whether active or not.
ttl |
The cookie with the users session ID expires after n seconds. Default: ttl=1209600 which is 60*60*24*14 seconds or 2 weeks |
Idle Session Timeout
Idle sessions are controlled with the idle_session_timeout property under [desktop] > [[auth]] in hue.ini. Sessions that are idle for n seconds, expire. You can disable this property by setting it to a negative value.
idle_session_timeout |
The cookie with the users session ID expires after idle for n seconds. Set to a negative value to prevent idle sessions from timing out. For example: idle_session_timeout=900 means that sessions expire after being idle for 15 minutes idle_session_timeout=-1 means that idle sessions do not expire (until ttl) |
Secure Cookies
Secure session cookies can be enabled by specifying the secure configuration property under the [desktop]> [[session]] section in hue.ini. Additionally, you can set the http-only flag for cookies containing users' session IDs.
secure |
The cookie with the user session ID is secure. Should only be enabled with HTTPS. Default: false |
http-only |
The cookie with the user session ID session ID uses the HTTP only flag. Default: false |
expire_at_browser_close |
Use session-length cookies. Logs out the user when the browser window is closed. Default: false |
Allowed HTTP Methods
You can specify the HTTP request methods that the server should respond to using the http_allowed_methods property under the [desktop] section in hue.ini.
http_allowed_methods |
Default: options,get,head,post,put,delete,connect |
Restricting the Cipher List
Cipher list support with HTTPS can be restricted by specifying the ssl_cipher_list configuration property under the [desktop] section in hue.ini.
ssl_cipher_list |
Default: !aNULL:!eNULL:!LOW:!EXPORT:!SSLv2 |
URL Redirect Whitelist
Restrict the domains or pages to which Hue can redirect users. The redirect_whitelist property can be found under the [desktop] section in hue.ini.
redirect_whitelist | For example, to restrict users to your local domain and FQDN, the following value can be used: ^\/.*$,^http:\/\/www.mydomain.com\/.*$ |
Oozie Permissions
Groups Property in UI | Description |
---|---|
oozie.dashboard_jobs_access | Enable Oozie Dashboard read-only access for all jobs.
Default: true |
oozie.disable_editor_access | Disable Oozie Editor access.
Default: false |