User management in Cloudera Data Explorer (Hue)

Data Explorer is a gateway to Cloudera cluster services, and the two have completely separate permissions. Being a Data Explorer superuser does not grant access to HDFS, Hive, and so on.

Users who log on to the Data Explorer UI must have permission to use Data Explorer and each Cloudera service accessible within Data Explorer.

A common configuration is for Hue users to be authenticated with an LDAP server and Cloudera users with Kerberos. These two sets of users can differ, because Cloudera services do not authenticate each user who logs on to Data Explorer. Rather, they authenticate Hue and trust that Data Explorer has authenticated its users.

Once Data Explorer is authenticated by a service such as Hive, Data Explorer impersonates the user requesting use of that service, for example, to create a Hive table. The service uses Apache Ranger to ensure that the group to which that user belongs is authorized for that action.

Data Explorer user permissions are at the application level only. For example, a Data Explorer superuser can filter Data Explorer user access to a Cloudera service but cannot authorize the use of its features. Again, Ranger does that.
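
The layered checks described above, modelled as an added example (not Cloudera code): a request must pass the Data Explorer application permission, the service's trust in the gateway, and the Ranger group policy, and a Data Explorer superuser is still denied when Ranger has no policy for their group. All users, groups, hosts and policies are constructed; the host and group limits on impersonation follow Apache Hadoop's `hadoop.proxyuser.<name>.hosts` / `.groups` convention and are an assumption, not something this page states.

```python
# Simplified model of the checks one request passes through (added example).
# Every user, group, host and policy below is constructed for illustration.

APP_PERMS = {               # Data Explorer: which services a user may reach
    "alice": {"hive"},      # ordinary user with the Hive app enabled
    "root_de": {"hive"},    # Data Explorer superuser
    "bob": set(),           # Hive app filtered out by a superuser
}
USER_GROUPS = {"alice": {"analysts"}, "root_de": {"de_admins"}, "bob": {"analysts"}}

# Assumed Hadoop-style proxy-user rule: from which hosts the gateway principal
# may impersonate, and members of which groups it may impersonate.
PROXY_RULES = {
    "hue": {"hosts": {"de-host.example.internal"},
            "groups": {"analysts", "de_admins"}},
}

# Simplified Ranger-style policy: (service, action) -> groups allowed.
RANGER_POLICY = {("hive", "create_table"): {"analysts"}}


def authorize(gateway, host, user, service, action):
    """Return (allowed, layer_that_decided) for one request via the gateway."""
    groups = USER_GROUPS.get(user, set())
    # 1. Application level: may this user reach the service from Data Explorer?
    if service not in APP_PERMS.get(user, set()):
        return False, "data-explorer"
    # 2. The service authenticates the gateway, not the end user, and checks
    #    that this gateway is allowed to impersonate the requested user.
    rule = PROXY_RULES.get(gateway)
    if rule is None or host not in rule["hosts"] or not (groups & rule["groups"]):
        return False, "impersonation"
    # 3. The service authorizes the impersonated user's groups for the action.
    if not (groups & RANGER_POLICY.get((service, action), set())):
        return False, "ranger"
    return True, "ranger"


if __name__ == "__main__":
    for user in ("alice", "root_de", "bob"):
        print(user, authorize("hue", "de-host.example.internal",
                              user, "hive", "create_table"))
```
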