Step 9: (Optional) Enable Authentication for HTTP Web Consoles for Hadoop Roles

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

Authentication for access to the HDFS, MapReduce, and YARN roles' web consoles can be enabled using a configuration option for the appropriate service. To enable this authentication:
  1. From the Clusters tab, select the service (HDFS, MapReduce, or YARN) for which you want to enable authentication.
  2. Click the Configuration tab.
  3. Select Scope > service name Service-Wide.
  4. Select Category > Security.
  5. Type Enable Kerberos in the Search box.
  6. Select Enable Kerberos Authentication for HTTP Web-Consoles.
  7. Enter a Reason for change, and then click Save Changes to commit the changes.
  8. When the command finishes, restart all roles of that service.

Enabling SPNEGO as an Authentication Backend for Hue

  1. In Cloudera Manager, set the authentication backend to SpnegoDjangoBackend.
    1. Go to the Cloudera Manager Admin Console. From the Clusters tab, select the Hue service.
    2. Click the Configuration tab.
    3. Select Scope > Service-Wide.
    4. Select Category > Security.
    5. Locate the Authentication Backend property and select desktop.auth.backend.SpnegoDjangoBackend.
    6. Click Save Changes.
  2. Restart the Hue service.
  3. If you are using an external load balancer, perform the following steps; otherwise, skip the remaining steps. Cloudera Manager creates these configurations automatically:
    1. On the host running the Hue Kerberos Ticket Renewer, switch to the KT_RENEWER process directory. For example:
      cd /var/run/cloudera-scm-agent/process/`ls -lrt /var/run/cloudera-scm-agent/process/    \
      | awk '{print $9}' |grep KT_RENEWER| tail -1`/
    2. Verify that the Hue keytab includes the HTTP principal.
      klist -kte ./hue.keytab
      
      Keytab name: FILE:./hue.keytab
      KVNO Timestamp Principal
      ---- ----------------- --------------------------------------------------------
      1 03/09/15 20:20:35 hue/host-10-16-8-168.openstacklocal@EXAMPLE.CLOUDERA.COM (aes128-cts-hmac-sha1-96)
      1 03/09/15 20:20:36 HTTP/host-10-16-8-168.openstacklocal@EXAMPLE.CLOUDERA.COM (aes128-cts-hmac-sha1-96)
    3. Copy the hue.keytab file to /var/lib/hue and change ownership to the hue user and group.
      $ cp ./hue.keytab /var/lib/hue/
      $ chown hue:hue /var/lib/hue/hue.keytab
    4. Go to the Cloudera Manager Admin Console. From the Clusters tab, select the Hue service.
    5. Click the Configuration tab.
    6. Select Scope > Service-Wide.
    7. Select Category > Advanced.
    8. Locate the Hue Service Environment Advanced Configuration Snippet (Safety Valve) property and add the following line:
      KRB5_KTNAME=/var/lib/hue/hue.keytab
    9. Enter a Reason for change, and then click Save Changes to commit the changes.
    10. Restart the Hue service.
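
A check for steps 2 and 3 of the load-balancer procedure, as an added example that is not Cloudera's code: `has_http_principal` parses `klist -kte` output for an HTTP/ principal, and `keytab_perms_ok` confirms the copied keytab's owner and that other users have no access. The function names, the optional host argument, the mode check and the use of GNU `stat` are assumptions of this example; the sample listing is the one shown in step 2.

```shell
#!/bin/sh
# Added example, not Cloudera's code: checks for steps 2 and 3 above.

# has_http_principal [HOST]: read `klist -kte` output on stdin and succeed only
# if it lists an HTTP/ principal (for HOST, when given). Assumes the MIT klist
# layout shown above: KVNO, timestamp, principal, (enctype).
has_http_principal() {
  awk -v host="${1:-}" '
    $1 ~ /^[0-9]+$/ {                         # entry rows start with the KVNO
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^HTTP\/[^@]+@[^@]+$/) continue
        h = substr($i, 6); sub(/@.*/, "", h)  # text between "HTTP/" and "@"
        if (host == "" || h == host) found = 1
      }
    }
    END { exit !found }'
}

# keytab_perms_ok FILE OWNER:GROUP: succeed only if FILE has that owner and
# group and grants nothing to other users. The mode check goes beyond the
# chown in step 3. Uses GNU stat (assumption: Linux host).
keytab_perms_ok() {
  _kt_info=$(stat -c '%U:%G %a' "$1") || return 2
  [ "${_kt_info% *}" = "$2" ] || return 1
  case "${_kt_info#* }" in
    *0) return 0 ;;   # last octal digit 0: no access for "other"
    *)  return 1 ;;
  esac
}

# Constructed sample: the listing from step 2 above.
SAMPLE_LISTING='Keytab name: FILE:./hue.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 03/09/15 20:20:35 hue/host-10-16-8-168.openstacklocal@EXAMPLE.CLOUDERA.COM (aes128-cts-hmac-sha1-96)
1 03/09/15 20:20:36 HTTP/host-10-16-8-168.openstacklocal@EXAMPLE.CLOUDERA.COM (aes128-cts-hmac-sha1-96)'

if printf '%s\n' "$SAMPLE_LISTING" | has_http_principal; then
  echo "HTTP principal present"
else
  echo "HTTP principal missing"
fi
# On a real host: klist -kte /var/lib/hue/hue.keytab | has_http_principal "$(hostname -f)"
#                 keytab_perms_ok /var/lib/hue/hue.keytab hue:hue
```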