User management in Hue

Hue is a gateway to CDP cluster services and both have completely separate permissions. Being a Hue Superuser does not grant access to HDFS, Hive, and so on. Hue and the underlying cluster services have completely separate permissions.

Users who log on to the Hue UI must have permission to use Hue and to each CDP service accessible within Hue.

A common configuration is for Hue users to be authenticated with an LDAP server and CDP users with Kerberos. These users can differ. For example, CDP services do not authenticate each user who logs on to Hue. Rather, they authenticate Hue and trust that Hue has authenticated its users.

Once Hue is authenticated by a service such as Hive, Hue impersonates the user requesting use of that service. For example, to create a Hive table. The service uses Apache Ranger to ensure the group to which that user belongs is authorized for that action.

Hue user permissions are at the application level only. For example, a Hue superuser can filter Hue user access to a CDP service but cannot authorize the use of its features. Again, Ranger does that.