User authentication in Cloudera Data Explorer (Hue)

Cloudera services do not authenticate each user that logs in to Data Explorer. The Cloudera services authenticate Data Explorer and trust that Data Explorer has authenticated its users. In a most typical configuration, Data Explorer users can be authenticated with an LDAP server and the Cloudera users can be authenticated with Kerberos. You can also use SAML for Single Sign-on (SSO) authentication.

After Hue is authenticated by a service such as Hive, Data Explorer impersonates the user requesting the use of that service, for example, to create a Hive table. In this case, the Hive service uses Apache Ranger to ensure that the group to which the user belonged is authorized for that action (to create a Hive table).