Hue Authentication

This page describes properties in the Hue configuration file, hue.ini, that support authentication and Hue security in general.

For information on configuring Hue with Kerberos, , encrypting session communication, and enabling single sign-on with SAML, see:

Enabling LDAP Authentication with HiveServer2 and Impala

LDAP authentication with HiveServer2 and Impala can be enabled by setting the following properties under their respective sections in hue.ini, [beeswax] and [impala].

auth_username

LDAP username of Hue user to be authenticated.

auth_password

LDAP password of Hue user to be authenticated.

These login details are only used by Impala and Hive to authenticate to LDAP. The Impala and Hive services trust Hue to have already validated the user being impersonated, rather than simply passing on the credentials.

Securing Sessions

When a session expires, the screen blurs and the user is automatically logged out of the Hue Web UI. Logging on returns the user to the same location.

Session Timeout

User sessions are controlled with the ttl (time-to-live) property under [desktop] > [[session]] in hue.ini. After n seconds, the session expires whether active or not.

ttl

The cookie with the user's session ID expires after n seconds.

Default: ttl=1209600, which is 60*60*24*14 seconds, or 2 weeks

Idle Session Timeout

Idle sessions are controlled with the idle_session_timeout property under [desktop] > [[auth]] in hue.ini. Sessions that are idle for n seconds expire. You can disable this property by setting it to a negative value.

idle_session_timeout

The cookie with the user's session ID expires after being idle for n seconds. Set to a negative value to prevent idle sessions from timing out. For example:

idle_session_timeout=900 means that sessions expire after being idle for 15 minutes

idle_session_timeout=-1 means that idle sessions do not expire (until ttl)

Secure Cookies

Secure session cookies can be enabled by specifying the secure configuration property under the [desktop] > [[session]] section in hue.ini. Additionally, you can set the http-only flag for cookies containing users' session IDs.

secure

The cookie with the user's session ID is marked as secure. This should only be enabled with HTTPS.

Default: false

http-only

The cookie with the user's session ID uses the HTTP only flag.

Default: false

expire_at_browser_close

Use session-length cookies. Logs out the user when the browser window is closed.

Default: false

Allowed HTTP Methods

You can specify the HTTP request methods that the server should respond to using the http_allowed_methods property under the [desktop] section in hue.ini.

http_allowed_methods

Default: options,get,head,post,put,delete,connect
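
The session, cookie and HTTP-method settings above can be checked mechanically. The following Python script is an added example, not part of Hue or of this page's original content: it parses a constructed hue.ini fragment, including the nested [[subsections]], and reports the settings that leave the session cookie or the idle timeout unprotected. EXPECTED_METHODS is an assumed site policy, and the parser treats http-only and http_only as the same key.

```python
import re

# Constructed sample: a hue.ini fragment using the defaults quoted on this page.
SAMPLE_INI = """
[desktop]
http_allowed_methods=options,get,head,post,put,delete,connect
  [[session]]
  secure=false
  http-only=false
  [[auth]]
  idle_session_timeout=-1
"""

# Assumed site policy for this example, not a Hue default; adjust as needed.
EXPECTED_METHODS = {"options", "get", "head", "post", "put", "delete"}

def parse_hue_ini(text):
    """Map (section path, key) -> value; '-' in a key is read as '_'."""
    settings, path = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"(\[+)\s*([^\[\]]+?)\s*(\]+)", line)
        if header and len(header.group(1)) == len(header.group(3)):
            # [x] is depth 1, [[x]] is depth 2: keep the parents, replace the rest.
            path = path[:len(header.group(1)) - 1] + [header.group(2)]
        elif "=" in line:
            key, value = line.split("=", 1)
            settings[(tuple(path), key.strip().replace("-", "_"))] = value.strip()
    return settings

def audit(settings):
    """Return findings for the session and HTTP settings described above."""
    session, auth, top, findings = ("desktop", "session"), ("desktop", "auth"), ("desktop",), []
    if settings.get((session, "secure"), "false").lower() != "true":
        findings.append("secure: session cookie is not restricted to HTTPS")
    if settings.get((session, "http_only"), "false").lower() != "true":
        findings.append("http_only: session cookie is readable by page scripts")
    idle = settings.get((auth, "idle_session_timeout"))
    if idle is not None and int(idle) < 0:
        findings.append("idle_session_timeout: idle sessions last until ttl")
    methods = settings.get((top, "http_allowed_methods"), "").lower().split(",")
    extra = {m.strip() for m in methods} - EXPECTED_METHODS - {""}
    if extra:
        findings.append("http_allowed_methods: outside policy: " + ",".join(sorted(extra)))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_hue_ini(SAMPLE_INI))))
```

To audit a real deployment, read the file's text and pass it to parse_hue_ini in place of SAMPLE_INI.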

Restricting the Cipher List

Cipher list support with HTTPS can be restricted by specifying the ssl_cipher_list configuration property under the [desktop] section in hue.ini.

ssl_cipher_list

Default: !aNULL:!eNULL:!LOW:!EXPORT:!SSLv2

URL Redirect Whitelist

Restrict the domains or pages to which Hue can redirect users. The redirect_whitelist property can be found under the [desktop] section in hue.ini.

redirect_whitelist

For example, to restrict users to your local domain and FQDN, the following value can be used: ^\/.*$,^http:\/\/www.mydomain.com\/.*$

Oozie Permissions

Access to the Oozie dashboard and editor can be individually controlled in the Hue Web UI under User Admin > Groups.

The groups properties in the UI are:

oozie.dashboard_jobs_access

Enable Oozie Dashboard read-only access for all jobs.

Default: true

oozie.disable_editor_access

Disable Oozie Editor access.

Default: false