This is the documentation for Cloudera Manager 5.1.x. Documentation for other versions is available at Cloudera Documentation.
Step 9: Enable Hue to Work with Hadoop Security using Cloudera Manager
If you are using a Hue service, you must add a role instance of Kerberos Ticket Renewer to the Hue service to enable Hue to work properly with the secure Hadoop cluster using Cloudera Manager.
The Hue Kerberos Ticket Renewer service will only renew tickets for the Hue service, for the principal hue/<hostname>@<YOUR-REALM.COM>. The Hue principal is then used to impersonate other users for applications within Hue such as the Job Browser, File Browser and so on.
Other services, such as HDFS and MapReduce, do not use the Hue Kerberos
Ticket Renewer. They obtain tickets at startup and use those tickets to obtain
Delegation Tokens for various access privileges. Each service handles its own ticket
renewal as needed.
- Go to the Hue service.
- Click the Instances tab.
- Click the Add Role Instances button.
- Assign the Kerberos Ticket Renewer role instance to the same host as the Hue server.
- When the wizard is finished, the status will display Finished and the Kerberos Ticket Renewer role instance is configured. The Hue service will now work with the secure Hadoop cluster.
If the Hue Kerberos Ticket Renewer does not start, check your KDC configuration and the
ticket renewal property, maxrenewlife, for the
hue/<hostname> and krbtgt principals to ensure
they are renewable. If not, running the following commands on the KDC will enable
renewable tickets for these
principals.
kadmin.local: modprinc -maxrenewlife 90day krbtgt/YOUR_REALM.COM kadmin.local: modprinc -maxrenewlife 90day +allow_renewable hue/<hostname>@YOUR-REALM.COM
| << Step 8: Wait for the Generate Credentials Command to Finish | Step 10: (Flume Only) Use Substitution Variables for the Kerberos Principal and Keytab >> | |