Configuring TLS/SSL for Hue
Hue as a TLS/SSL Client
Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)
Hue acts as an TLS/SSL client when communicating with Oozie, HBase, Amazon S3, and core Hadoop services. This means Hue may have to authenticate HDFS, MapReduce, YARN daemons, and the HBase Thrift Server, and needs their CA certificates in its truststore.
The Hue truststore is a single PEM file and must contain the CA certificate (the root) of each TLS/SSL-enabled server with which Hue communicates and all intermediate certificates necessary for your system.
Creating a Hue Truststore File in PEM Format
Prerequisite: You must have a Certificate Authority (CA) certificate for each TLS/SSL-enabled server that communicates with Hue. See Obtaining a Production Certificate from a Commercial CA.
Server certificates are stored in JKS format and must be converted. To create the Hue truststore, extract each certificate from its keystore with keytool, convert to PEM format with openssl, and add to the truststore.
- Extract the certificate from the keystore of each TLS/SSL-enabled server with which Hue communicates.
For example, hadoop-server.jks contains server certificate, foo-1.example.com, and password, example123.
keytool -exportcert -keystore hadoop-server.jks -alias foo-1.example.com -storepass example123 -file foo-1.cert
- Convert each certificate into a PEM file.
openssl x509 -inform der -in foo-1.cert > foo-1.pem
- Concatenate all the PEM certificates into one PEM file.
cat foo-1.pem foo-2.pem foo-n.pem ... > hue_trustore.pem
Configuring Hue as a TLS/SSL Client with Cloudera Manager
- Go to the Hue service and click the Configuration tab.
- Filter by and .
- Find the property, Hue TLS/SSL Server CA Certificate (PEM Format), or ssl_cacerts.
- Enter the path to <hue_truststore>.pem on the host running the Hue web server.
- Click Save Changes.
- Select to restart the Hue service.
Hue as a TLS/SSL Server
Hue and other Python-based services expect certificates and keys to be stored in PEM format. You can manage such services with the openssl tool. To configure Hue to use HTTPS, generate a private key and certificate as described in Creating Certificates and reuse a host's existing Java keystore by converting it to the PEM format. See Conversion from Java Keystore to OpenSSL.
Enabling TLS/SSL for the Hue Server with Cloudera Manager
Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)
- Go to the Hue service and click Configuration.
- Filter by and .
- Edit the following TLS/SSL properties according to your cluster configuration.
Property Description Enable TLS/SSL for Hue
Encrypt communication between clients and Hue with TLS/SSL.
Hue TLS/SSL Server Certificate File (PEM Format)
ssl_certificate
Path to TLS/SSL certificate on host running Hue web server.
Hue TLS/SSL Server Private Key File (PEM Format
ssl_private_key
Path to TLS/SSL private key on host running Hue web server.
Hue TLS/SSL Private Key Password
ssl_password
Password for private key in Hue TLS/SSL Server Certificate and Private Key file.
ssl_password_script=<your_hue_passwords_script.sh>
For more, see Storing Hue Passwords in a Script.If more than one role group applies to this configuration, edit the value for the appropriate role group. See Modifying Configuration Properties Using Cloudera Manager.
- Click Save Changes.
- Select to restart the Hue service.
For more details on configuring Hue with TLS/SSL, see this blog post.
Enabling TLS/SSL for the Hue Server at the Command Line
- Enable secure session cookies in hue.ini under [desktop]>[[session]].
[desktop] [[session]] secure=true
- Edit the following properties in hue.ini under [desktop].
[desktop] ssl_certificate=/path/to/server.cert ssl_private_key=/path/to/server.key ssl_password=<private_key_password>
You can store ssl_password more securely in a script and set this parameter instead:ssl_password_script=<your_hue_passwords_script.sh>
For more, see Storing Hue Passwords in a Script.
Enabling Hue TLS/SSL Communication with HiveServer2
In CDH 5.5.x and higher, HiveServer2 is enabled for TLS/SSL communication by default.
enabled |
Choose to enable/disable TLS/SSL communication for this server. Default: false |
cacerts |
Path to Certificate Authority certificates. Default: /etc/hue/cacerts.pem |
validate |
Choose whether Hue should validate certificates received from the server. Default: true |
Enabling Hue TLS/SSL Communication with Impala
In CDH 5.5.x and higher, Impala is enabled for TLS/SSL communication by default.
enabled |
Choose to enable/disable TLS/SSL communication for this server. Default: false |
cacerts |
Path to Certificate Authority certificates. Default: /etc/hue/cacerts.pem |
validate |
Choose whether Hue should validate certificates received from the server. Default: true |
Securing Database Connections using TLS/SSL
Connections vary depending on the database. Hue uses different clients to communicate with each database internally. Client specific options, such as secure connectivity, can be passed through the interface.
For example, for MySQL you can enable TLS/SSL communication by specifying the options configuration property under the desktop>[[database]] section in hue.ini. Here we identify the Certificate Authority (CA) certificate:
[desktop] [[databases]] … options={"ssl":{"ca":"/tmp/ca-cert.pem"}}
options='{"ssl": {"ca": "/tmp/newcerts2/ca.pem", "key": "/tmp/newcerts2/client-key.pem", "cert": "/tmp/newcerts2/client-cert.pem"}}'
Storing Hue Passwords in a Script
In CDH 5.4, Hue added the ability to store passwords in a secure script and pull passwords from stdout. On startup, Hue runs one or more passwords scripts and grabs each password from stdout.
In hue_ini, add the suffix, _script, to any password property and set it equal to the script name. In Cloudera Manager, set these properties in the configuration field, Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini. For example:
[desktop] ldap_username=hueservice ldap_password_script="/var/lib/hue/<your_hue_passwords_script.sh> ldap_password" ssl_password_script="/var/lib/hue/<your_hue_passwords_script.sh> ssl_password" [[ldap]] bind_password_script="/var/lib/hue/<your_hue_passwords_script.sh> bind_password" [[database]] password_script="/var/lib/hue/<your_hue_passwords_script.sh> database"
Store the script in a directory that only the hue user can read, write, and execute. You can have one script per password or one script with parameters for all passwords. Here is an example of a script with parameters for multiple passwords:
#!/bin/bash SERVICE=$1 if [[ ${SERVICE} == "ldap_password" ]] then echo "password" fi if [[ ${SERVICE} == "ssl_password" ]] then echo "password" fi if [[ ${SERVICE} == "bind_password" ]] then echo "Password1" fi if [[ ${SERVICE} == "database_password" ]] then echo "password" fi