Step 9: Enable Hue to Work with Hadoop Security using Cloudera Manager
Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
For Hue to work properly with a secure Kerberos cluster deployed with Cloudera Manager, you must add the Kerberos Ticket Renewer to the Hue service. You can do so in Cloudera Manager by adding a Kerberos Ticket Renewer role instance on each host with a Hue Server role.
The Hue Kerberos Ticket Renewer only renews tickets for the Hue service principal, hue/<hostname>@<YOUR-REALM.COM>. The Hue principal impersonates other users for applications within Hue such as the Job Browser, File Browser and so on.
Core Hadoop services such as HDFS and MapReduce do not use the Hue Kerberos Ticket Renewer. They obtain tickets at startup and use those tickets to obtain Delegation Tokens for variou access privileges. Each service handles its own ticket renewal as needed.
- Go to the Hue service.
- Click the Instances tab.
- Click the Add Role Instances button.
- Assign the Kerberos Ticket Renewer role instance to the same host as the Hue server.
When the wizard status is Finished, the Kerberos Ticket Renewer role instance is configured. The Hue service now works with the secure Hadoop cluster.
- Repeat these steps for each Hue Server role.
Troubleshooting the Kerberos Ticket Renewer:
kadmin.local: modprinc -maxrenewlife 90day krbtgt/YOUR_REALM.COM kadmin.local: modprinc -maxrenewlife 90day +allow_renewable hue/<hostname>@YOUR-REALM.COM