Enabling Hue Applications Using Cloudera Manager

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

Most Hue applications are configured by default, based on the services you have installed. Cloudera Manager selects the service instance that Hue depends on. If you have more than one service, you may want to verify or change the service dependency for Hue. Also, if you add a service such as Sqoop or Oozie after you have set up Hue, you need to set the dependency because it is not done automatically. To add a dependency:
  1. Go to the Hue service and click the Configuration tab.
  2. Filter by Scope > Hue (Service-Wide) and Category > Main.
  3. Select each service name Service property to set the dependency. Select none to remove the dependency.
  4. Enter a Reason for change, and then click Save Changes to commit the changes.
  5. Restart the Hue service.

Enabling the HBase Browser Application with doAs Impersonation

Minimum Required Role: Full Administrator

The Hue HBase application communicates through the proxy, HBase Thrift Server, which forwards commands to HBase. Because Hue stands between the Thrift server and the user, all HBase operations appear to come from the Hue user and not the actual user who is logged on. In a Keberos cluster, you can enable impersonation so that operations appear to come from the actual user.

  1. Logon to Cloudera Manager.
  2. Add the HBase Thrift Server role:
    1. Go to the HBase service and click the Instances tab.
    2. Click the button, Add Role Instances.
    3. Click Select hosts under HBase Thrift Server.
    4. Click anywhere in host row to add the purple icon, "HBTS," under Existing Roles.
    5. Click OK and Continue.
    6. Check the box by your new HBase Thrift Server and select Actions for Selected > Start.
  3. If you have a Kerberos cluster, enable impersonation. If your cluster does not have Kerberos or TLS enabled, skip to step 6..
    1. Click the HBase Configuration tab.
    2. Filter by Scope > Service-Wide and Category > Security.
    3. Set the property, HBase Thrift Authentication (hbase.thrift.security.qop), to one of the following values:
      • auth-conf: authentication, integrity and confidentiality checking
      • auth-int: authentication and integrity checking
      • auth: authentication only
    4. Filter by Scope > Service-Wide and Category > Main.
    5. Check the Service-Wide box for Enable HBase Thrift Http Server (hbase.regionserver.thrift.http) and Enable HBase Thrift Proxy Users (hbase.thrift.support.proxyuser).
    6. Click Save Changes.
  4. If you have a Kerberos cluster with doAs and force principal names to lower case, be sure to exclude the HTTP principal:
    1. Go to the HDFS service.
    2. Filter by Scope > HDFS (Service-Wide) and Category > Security.
    3. Search on Additional Rules to Map Kerberos Principals to Short Names (auth_to_local) and add two HTTP rules above your existing rules:
      # Exclude HTTP
      RULE:[1:$1@$0](HTTP@\QEXAMPLE.COM\E$)s/@\Q.EXAMPLE.COM\E$//
      RULE:[2:$1@$0](HTTP@\QEXAMPLE.COM\E$)s/@\Q.EXAMPLE.COM\E$//
      
      # Force to Lower Case
      RULE:[1:$1@$0](.*@\QEXAMPLE.COM\E$)s/@\Q.EXAMPLE.COM\E$///L
      RULE:[2:$1@$0](.*@\QEXAMPLE.COM\E$)s/@\Q.EXAMPLE.COM\E$///L
    4. Click Save Changes.
    5. Select Actions > Deploy Client Configuration.
    6. Select Cluster > Actions > Rolling Restart, check the boxes for HDFS, HBase, and Hue and click Rolling Restart.
  5. Enable TLS/SSL for the HBase Thrift Server:
    1. Filter by Scope > HBase Thrift Server and Category > Security.
    2. Set the TLS/SSL properties according to your cluster configuration:
      Property Description
      Enable TLS/SSL for HBase Thrift Server over HTTP Encrypt communication between clients and HBase Thrift Server over HTTP using Transport Layer Security (TLS).
      HBase Thrift Server over HTTP TLS/SSL Server JKS Keystore File Location Path to the TLS/SSL keystore file (in JKS format) with the TLS/SSL server certificate and private key. Used when HBase Thrift Server over HTTP acts as a TLS/SSL server.
      HBase Thrift Server over HTTP TLS/SSL Server JKS Keystore File Password Password for the HBase Thrift Server JKS keystore file.
      HBase Thrift Server over HTTP TLS/SSL Server JKS Keystore Key Password Password that protects the private key contained in the JKS keystore used when HBase Thrift Server over HTTP acts as a TLS/SSL server.
    3. Enter a Reason for change, and then click Save Changes to commit the changes.
    4. Restart the HBase service.
  6. Configure Hue to point to the Thrift Server and to a valid HBase configuration directory:
    1. Go to the Hue service and click the Configuration tab.
    2. Filter by Scope > All and Category > Main.
    3. Set the property, HBase Service, to the service for which you enabled the Thrift Server role (if you have more than one HBase service instance).
    4. Set the property, HBase Thrift Server, to the Thrift Server role for Hue to use.
    5. Filter by Category > Advanced.
    6. Edit the property, Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini, by adding a valid HBase configuration directory as follows:
      [hbase]
      hbase_conf_dir={{HBASE_CONF_DIR}}
    7. Enter a Reason for change, and then click Save Changes to commit the changes.