Enabling S3 File Browser for Hue with RAZ in DataHub

Hue offers you the capability to browse S3 buckets, upload files to S3, and create tables by importing files from S3. With RAZ, you can grant fine-grained access to per-user home directories and other directories within the S3 bucket using Ranger policies.

Hue administrators can create home directories for users by selecting the Create home directory option on the user's profile in Hue. If fine-grained authorization is enabled to access S3 buckets, then user home directories are automatically created when a user logs into Hue. You can disable automatic creation of user directories.

  1. Register an AWS environment with the Enable Ranger authorization for AWS S3 option enabled. You can use the CDP web interface or the CDP CLI to complete this task.
  2. Create a Data Hub cluster with Data Engineering or Data Mart cluster template.
  3. Create the following Ranger policies:
    • Hadoop SQL policy (all - database, table, column, all - url).
    • S3 (cm_S3) policy (Default: User Home).

      You must specify the bucket name in the S3 Bucket field and the directory path in the Path field of the cm_S3 Ranger policy.

  4. Grant appropriate permissions to the users in CDP User Management Service (UMS). For example, EnvironmentUser.
  1. Log in to the CDP web interface as an Administrator.
  2. Go to Management Console > Environments, select your environment and go to the Data Lake tab.
  3. Click on the CM URL to open Cloudera Manager.
  4. Go to Clusters > Ranger RAZ service > Instances > RAZ server > Processes and note the value of the fs.s3a.ext.raz.rest.host.url property from the core-site.xml file. You need this to specify the value of the api_url property in the Hue configuration.
  5. Go to Clusters > Hue service > Configuration > Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini and add the following lines:
    [desktop]
    app_blacklist=spark,zookeeper,hbase,impala,search,sqoop,security,pig
    [[raz]]
    is_enabled=true
    api_url=[***fs.s3a.ext.raz.rest.host.url***]
    [aws]
    has_iam_detection=false
    
    [[aws_accounts]]
    [[[default]]]
    region=[***AWS-REGION***]
    host=s3.[***AWS-REGION***].amazonaws.com
    allow_environment_credentials=false
    
    [filebrowser]
    remote_storage_home=s3a://[***S3-BUCKET-NAME***]/user
    (RAZ-HA) You can specify a comma-separated list of URLs in the api_url property. For example:
    api_url=https://[***INSTANCE-1***]:6082/,https://[***INSTANCE-2***]:6082/
  6. Click Save Changes.
  7. Restart the Hue service.
S3 File Browser icon is added to the left assist pane on the Hue web interface. When you click on the S3 File Browser icon, you are redirected to your user home directory.