Hue User Permissions

Hue is a gateway to CDH cluster services (see Hue Applications), and Hue and those services have completely separate permissions. Being a Hue superuser means nothing to HDFS, Hive, and so on.

Users who log on to the Hue UI must have permission to use Hue and also each CDH service accessible within Hue.

A common configuration is for Hue users to be authenticated with an LDAP server and CDH users with Kerberos. These users can differ. For example, CDH services do not authenticate each user who logs on to Hue. Rather, they authenticate Hue and trust that Hue has authenticated its users.

Once Hue is authenticated by a service (for example, Hive), Hue impersonates the user (doAs) requesting use of that service (for example, to create a table). The service uses Sentry (essentially a chmod tool) to ensure the group to which that user belongs is authorized for that action.

Hue user permissions are at the application level only. For example, a Hue superuser can filter Hue user access to a CDH service but cannot authorize the use of its features. Again, Sentry does that. Learn how to Authorize Hue User Groups with Sentry.

Hue Superusers

The Hue User Admin application provides two levels of privileges: users and superusers.

Users can change their name, email address, and password. They can log in to Hue and run Hue applications according to their group permissions.

Superusers can perform administrative functions such as:
  • Add and delete users and groups
  • Import and sync users and groups from an LDAP server
  • Assign group permissions
  • Promote users to superusers and vice versa.

Hue superusers have no special privileges to the underlying CDH cluster services. Sentry is used to add those privileges.

Finding the List of Hue Superusers

You can connect to the Hue CLI from any Hue server host and then fetch the list of superusers by using either of the following two methods:
  • Using the Hue shell and Python code
  • Running a SQL query on the auth_user table

Using the Hue shell and Python code to find the Hue superusers

  1. Connect to the Hue shell by running the following command:
    /opt/cloudera/parcels/CDH/lib/hue/build/env/bin/hue shell --cm-managed
  2. Enter the Python code as follows:
    from django.contrib.auth.models import User
    print "%s" % User.objects.filter(is_superuser = True)
    Sample output:
    <QuerySet [<User: admin>]>

Running a SQL query on the auth_user table to find the Hue superusers

  1. Connect to Hue database shell by running the following command:
    /opt/cloudera/parcels/CDH/lib/hue/build/env/bin/hue dbshell --cm-managed
  2. Run the following SQL query:
    select username, is_superuser from auth_user where is_superuser=1;
    Sample output:
    +----------+--------------+
    | username | is_superuser |
    +----------+--------------+
    | admin    |            1 |
    +----------+--------------+
    1 row in set (0.00 sec)
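
The query above can be extended into a small superuser audit. This is an added example, not Cloudera's code: it reads further columns of Django's standard auth_user table and flags superusers that are off an expected list, deactivated, or never logged in. The in-memory SQLite table, its rows and the EXPECTED allowlist are constructed for illustration; against a real Hue database, run the same SELECT through hue dbshell.

```python
import sqlite3

# Assumption: the superusers you intend to have (hypothetical allowlist).
EXPECTED = {"admin"}

AUDIT_SQL = """
    SELECT username, is_active, last_login, date_joined
    FROM auth_user
    WHERE is_superuser = 1
    ORDER BY date_joined
"""

def audit_superusers(conn, expected=EXPECTED):
    """Return {username: [findings]} for every superuser with a finding."""
    findings = {}
    rows = conn.execute(AUDIT_SQL).fetchall()
    for position, (username, is_active, last_login, _joined) in enumerate(rows):
        notes = []
        if username not in expected:
            notes.append("not on expected list")
            if position == 0:
                # The first user to log in to Hue becomes a superuser.
                notes.append("earliest superuser; possibly the auto-created first login")
        if not is_active:
            notes.append("deactivated but still superuser")
        if last_login is None:
            notes.append("never logged in")
        if notes:
            findings[username] = notes
    return findings

def sample_db():
    """Constructed sample rows using Django's auth_user column names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE auth_user (username TEXT, is_superuser INTEGER,
                    is_active INTEGER, last_login TEXT, date_joined TEXT)""")
    conn.executemany("INSERT INTO auth_user VALUES (?, ?, ?, ?, ?)", [
        ("scanner01", 1, 1, "2021-01-05 13:07:00", "2021-01-05 13:07:00"),
        ("admin",     1, 1, "2021-01-08 15:54:00", "2021-01-06 09:00:00"),
        ("olduser",   1, 0, None,                  "2021-01-07 10:00:00"),
        ("analyst",   0, 1, "2021-01-08 16:00:00", "2021-01-07 11:00:00"),
    ])
    return conn

if __name__ == "__main__":
    for user, notes in audit_superusers(sample_db()).items():
        print(user, "->", "; ".join(notes))
```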

Resetting the Default Hue Superuser

The first user that logs into Hue after its initial installation becomes the first superuser. Even if no user has logged into the Hue UI, the first security scan may log in, creating the initial user and therefore leaving the superuser with an unknown username and password.

To reset the password, run the following command as a root user from a Hue server:
/opt/cloudera/parcels/CDH/lib/hue/build/env/bin/hue changepassword <USER-ID> --cm-managed

Resetting Passwords of Hue Users when the Previous Password is Unavailable

Required Role: Hue Superuser

The Hue superuser can reset their own password or help other users reset their passwords if the old password is lost. To reset the password:
  1. Sign in to the Hue server as the root user.
  2. Locate the HUE_CONF_DIR as shown in the following example:
    $ cd /var/run/cloudera-scm-agent/process/
    $ ls -lrt | grep HUE | tail -2
    drwxr-x--x 6 hue hue 200 Jan 5 13:07 612-hue-HUE_SERVER
    drwxr-x--x 6 hue hue 200 Jan 8 15:54 616-hue-HUE_SERVER
  3. Change directory to HUE_CONF_DIR as shown in the following example:
    $ cd 616-hue-HUE_SERVER
  4. Set the environment variable HUE_CONF_DIR as shown in the following example:
    $ export HUE_CONF_DIR=$PWD
    $ echo $HUE_CONF_DIR
    /var/run/cloudera-scm-agent/process/616-hue-HUE_SERVER
  5. To reset the password for an unknown superuser:
    1. Open the Hue shell by running the following command:
      /opt/cloudera/parcels/CDH/lib/hue/build/env/bin/hue shell
    2. Enter the following Python code:
      from django.contrib.auth.models import User
      print "%s" % User.objects.filter(is_superuser = True)
      The list of superusers is displayed so that you can identify the superuser of interest. For example:
      [<User: cconner>, <User: tuser5>]
  6. To reset the password for another user:
    1. Open the Hue shell by running the following command:
      /opt/cloudera/parcels/CDH/lib/hue/build/env/bin/hue shell
    2. Enter the following Python code:
      from django.contrib.auth.models import User
      user = User.objects.get(username='<username>')
      user.set_password('<password>')
      user.save()

      Replace <username> and <password> with the actual username and password.

How to Assign Superuser Status to an LDAP User

In a non-secure cluster, the first user to log on to Hue is designated a superuser. In a secure cluster with LDAP, there are three ways to assign superuser status:
  1. With the AllowAllBackend temporarily enabled, assign superuser status and Synchronize One User.
  2. With the LdapBackend enabled, run a Hue shell command to apply superuser status.
  3. Enable multiple backends so that the first user to log on still works when integrated with LDAP.

Hue Applications and Permissions

Hue is a gateway to (and web-based UI for) the following CDH cluster services.

Hue Applications

These CDH services are available in Hue. Currently, Spark is only available upstream.

Hue Applications
| Hue App | App Dependencies |
|---|---|
| HBase | HBase Browser |
| HDFS | Core, File Browser |
| Hive | Metastore Tables, Hive Editor |
| Impala | Metastore Tables, Impala Editor |
| MapRed / YARN | Job Browser, Job Designer, Oozie, Hive Editor, Pig, Sqoop |
| Oozie | Job Designer, Oozie Editor/Dashboard |
| Pig | Pig Editor, Oozie |
| Sentry | Solr Search |
| Solr (Search) | Hadoop Security |
| Spark | Spark |
| Sqoop 2 | Sqoop Transfer |

Hue Permissions

Hue application permissions are composed of name.permission:action.

For example, filebrowser.access:Launch this application(3):
  • Hue application name = filebrowser
  • Permissions = access (as in, execute)
  • Action = Launch this application (the HDFS filebrowser).
  • Process ID in Hue database (3).
Hue Application Permissions
| Hue App | Permission | rwx | Action Description |
|---|---|---|---|
| about | access | --x | Launch this application |
| beeswax | access | --x | Launch this application |
| dashboard | access | --x | Launch this application |
| filebrowser | access | --x | Launch this application |
| filebrowser | s3_access | --x | Access to S3 from filebrowser and filepicker |
| help | access | --x | Launch this application |
| impala | access | --x | Launch this application |
| indexer | access | --x | Launch this application |
| jobbrowser | access | --x | Launch this application |
| jobsub | access | --x | Launch this application |
| metadata | access | --x | Launch this application |
| metadata | write | -w- | Allow edition of metadata like tags |
| metastore | access | --x | Launch this application |
| metastore | write | -w- | Allow DDL operations. Need the app access too |
| notebook | access | --x | Launch this application |
| oozie | access | --x | Launch this application |
| oozie | dashboard_jobs_access | --x | Oozie Dashboard read-only user for all jobs |
| oozie | disable_editor_access | --x | Disable Oozie Editor access |
| pig | access | --x | Launch this application |
| proxy | access | --x | Launch this application |
| rdbms | access | --x | Launch this application |
| search | access | --x | Launch this application |
| security | access | --x | Launch this application |
| security | impersonate | | Let a user impersonate another user when listing objects like files or tables |
| sqoop | access | --x | Launch this application |
| useradmin | access_view:useradmin:edit_user | rwx | Access to profile page on User Admin |
| useradmin | access_view:useradmin:view_user | rwx | Access to any profile page on User Admin |
| useradmin | access | --x | Launch this application |
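
The name.permission:action(id) format can be parsed and checked against the table above. This is an added example, not code from Hue or Cloudera: it handles permission names that themselves contain colons and reviews one group's grants. The REQUIRES and REVIEW policies are assumptions drawn from the table's descriptions, and all IDs except the (3) shown on this page are constructed.

```python
import re

# app.permission:action(id). The permission may itself contain colons
# (access_view:useradmin:edit_user), so it is matched greedily and the
# regex backtracks to the last colon that precedes the action text.
PERM_RE = re.compile(
    r"^(?P<app>\w+)\.(?P<perm>[\w:]+):(?P<action>.+)\((?P<id>\d+)\)$")

# Assumption: metastore.write "Need the app access too", per the table.
REQUIRES = {("metastore", "write"): ("metastore", "access")}
# Assumption: hypothetical policy of confirming every impersonate grant.
REVIEW = {("security", "impersonate")}

def parse_permission(text):
    """Split one permission string into (app, permission, action, id)."""
    m = PERM_RE.match(text.strip())
    if not m:
        raise ValueError("not a Hue permission string: %r" % text)
    return m.group("app"), m.group("perm"), m.group("action"), int(m.group("id"))

def review_group(perm_strings):
    """Return a list of findings for one group's permission strings."""
    granted = {parse_permission(s)[:2] for s in perm_strings}
    findings = []
    for grant in sorted(granted):
        needed = REQUIRES.get(grant)
        if needed and needed not in granted:
            findings.append("%s.%s granted without %s.%s" % (grant + needed))
        if grant in REVIEW:
            findings.append("%s.%s granted: confirm it is intended" % grant)
    return findings

# Constructed sample: one group's permissions as listed in User Admin.
SAMPLE_GROUP = [
    "filebrowser.access:Launch this application(3)",
    "metastore.write:Allow DDL operations. Need the app access too(21)",
    "security.impersonate:Let a user impersonate another user when listing "
    "objects like files or tables(30)",
    "useradmin.access_view:useradmin:edit_user:Access to profile page on User Admin(40)",
]

if __name__ == "__main__":
    for line in review_group(SAMPLE_GROUP):
        print(line)
```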