Enable Hue to Use Kerberos for Authentication

Minimum Required Role: Cluster Administrator (also provided by Full Administrator)

For Hue to work properly with a Cloudera cluster that uses Kerberos for authentication, the Kerberos Ticket Renewer must be added to the Hue service. Use the Cloudera Manager Admin Console to add the Kerberos Ticket Renewer role to each host with a Hue Server role instance.

The Hue Kerberos Ticket Renewer renews only those tickets created for the Hue service principal, hue/hostname@REALM-NAME. The Hue principal impersonates other users for applications within Hue such as the Job Browser, File Browser and so on. Other services, such as HDFS and MapReduce, do not use the Hue Kerberos Ticket Renewer but rather handle ticket renewal as needed using their own mechanisms.

Adding a Kerberos Ticket Renewer role instance in Cloudera Manager:
  1. Go to the Hue service.
  2. Click the Instances tab.
  3. Click the Add Role Instances button.
  4. Assign the Kerberos Ticket Renewer role instance to the same host as the Hue server.

    When the wizard status is Finished, the Kerberos Ticket Renewer role instance is configured. The Hue service now works with the secure Hadoop cluster.

  5. Repeat these steps for each Hue Server role.

Troubleshooting the Kerberos Ticket Renewer:

If the Hue Kerberos Ticket Renewer does not start, check the configuration of your Kerberos Key Distribution Center (KDC). Look at the ticket renewal property, maxrenewlife, to ensure that the principals, hue/<hostname> and krbtgt, are renewable. If these principals are not renewable, run the following commands on the KDC to enable them:
kadmin.local: modprinc -maxrenewlife 90day krbtgt/YOUR-REALM.COM
kadmin.local: modprinc -maxrenewlife 90day +allow_renewable hue/<hostname>@YOUR-REALM.COM
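
To confirm whether hue/<hostname> and krbtgt are renewable, before and after running modprinc, inspect the "Maximum renewable life" and "Attributes" fields that getprinc prints. The shell function below is an added example, not part of the Cloudera documentation; the sample getprinc outputs and the host and realm names in them are constructed.

```shell
#!/bin/sh
# Added example (not from the Cloudera page). Reads `getprinc` output on stdin
# and returns 0 if the principal can obtain renewable tickets, 1 otherwise.
check_renewable() {
    awk '
        /^Principal:/              { princ = $2 }
        /^Maximum renewable life:/ { sub(/^[^:]*:[ \t]*/, ""); life = $0 }
        /^Attributes:/             { sub(/^[^:]*:[ \t]*/, ""); attrs = $0 }
        END {
            bad = 0
            if (life == "" || life ~ /^0 days? 00:00:00$/) {
                print princ ": maxrenewlife is zero or missing"; bad = 1
            }
            if (attrs ~ /DISALLOW_RENEWABLE/) {
                print princ ": DISALLOW_RENEWABLE is set (needs +allow_renewable)"; bad = 1
            }
            if (!bad) print princ ": renewable, max " life
            exit bad
        }'
}

# Constructed sample outputs, trimmed to the relevant fields.
sample_blocked() {
    cat <<'EOF'
Principal: hue/host1.example.com@EXAMPLE.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Attributes: DISALLOW_RENEWABLE
EOF
}
sample_fixed() {
    cat <<'EOF'
Principal: hue/host1.example.com@EXAMPLE.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 90 days 00:00:00
Attributes:
EOF
}

# On the KDC the real input would come from, for example:
#   kadmin.local -q "getprinc hue/<hostname>@YOUR-REALM.COM" | check_renewable
sample_blocked | check_renewable || echo "-> apply the modprinc commands above"
sample_fixed   | check_renewable
```

Run the same check against the krbtgt principal, since both principals must be renewable.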