Authenticating Hue users with Knox SSO

You can use the Apache Knox Gateway to interact with Hue REST APIs and the Hue user interface, along with other CDP components and services. To set up Knox Single Sign-on (SSO) to authenticate users, you must configure the KnoxSpnegoDjangoBackend property using Cloudera Manager.

To authenticate users using Knox SSO, you must have Knox installed on your CDP cluster, also known as a secure cluster.

  1. Sign in to Cloudera Manager as an Administrator.
  2. Go to Clusters > Hue service > Configurations and search for the Authentication Backend field.
  3. Select desktop.auth.backend.KnoxSpnegoDjangoBackend from the dropdown.
  4. Go to Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini) and comment or remove any SAML-specific configurations, if present.
  5. Click Save Changes.
  6. Go to Clusters > $Knox service > Instances and note down the hostnames of the Knox Gateways.
    You must provide these details in the next step.
    If you have set up Knox in High-Availablity (HA) mode, then you can see more than one Knox Gateways listed on the Instances tab.
  7. Go back to Clusters > Hue service > Configurations and search for the Knox Proxy Hosts field.
  8. Enter the hostname of the Knox Gateway that you noted earlier.
    If you have set up Knox HA, then click + to add another hostname.
  9. If you have deployed a Hue Load Balancer, then you must specify the Load Balancer hostname in the Knox Proxy Hosts field by clicking +.
  10. Click Save Changes.
    You would see the following warning:
    Role is missing Kerberos keytab. Go to the Kerberos Credentials page and click the Generate Missing Credentials button.
  11. Click Administration on the Cloudera Manager left navigation panel and select Security.
  12. Go to the Kerberos Credentials tab and click Generate Missing Credentials.


    A pop-up showing the status is displayed.


  13. Go to Clusters > Hue service and click Restart next to Actions.


  14. On the Stale Configurations page, click Restart Stale Services.
    The Restart Stale Services wizard is displayed.
  15. On the Review Changes page, select Redeploy client configuration, and click Restart Now.
    The Command Details page shows the live status as the service restarts.
    When all the steps are complete, click Finish.
  16. From the Hue service page, click Web UI > Knox Gateway UI.


    The Knox Gateway UI is displayed.
  17. On the General Proxy Information page, expand the CDP Proxy topology by clicking + cdp-proxy under Topologies.
    The list of services that are configured with the cdp-proxy topology is displayed.
  18. Click on the Hue logo.


    You should be able to log in to the Hue web UI.
    You can also log into Hue using the following URL:
    https://[***HOSTNAME***]:[***PORT***]/gateway/cdp-proxy/hue/
  19. Go to Clusters > Knox > Configuration and add the following entries in the Knox Simplified Topology Management - cdp-proxy-api field:
    HUE:httpclient.socketTimeout=[***TIMEOUT-IN-MINUTES***]
    HUE:httpclient.connectionTimeout=[***TIMEOUT-IN-MINUTES***]
    Replace [***TIMEOUT-IN-MINUTES***] with the actual timeout value depending on the load on your load on the cluster or environment. For example, 20 minutes.
  20. Restart the Knox service.