Configure Hue to use Kerberos
After you set up a Kerberos principal and keytab file, you can configure Hue to use the Kerberos authentication protocol. To do so, enable the Kerberos Ticket Renewer service, update hue.ini and core-site.xml with the required parameters, and restart the Warden and Hue services.
Enabling the Kerberos Ticket Renewer Service
The Kerberos Ticket Renewer service (kt_renewer) renews tickets for the Hue service. Hue automatically starts the kt_renewer process on clusters that use Kerberos for authentication. A Kerberos ticket expires at the end of its ticket lifetime and can be renewed only up to the renewable lifetime that the KDC allows (commonly 7 days); without the renewer, Hue would lose its credentials as soon as the ticket expired. The kt_renewer service uses the keys stored in the keytab file to obtain a ticket for the Hue principal and refreshes it before it expires. Its output and log are written to:
${HUE_HOME}/logs/kt_renewer.out
${HUE_HOME}/logs/kt_renewer.log
- Enable the Kerberos Ticket Renewer Service:
  - In the kdc.conf file, add the max_renewable_life parameter.
  - In the krb5.conf file, add the renew_lifetime parameter.
- Update the hue.ini file to include the Kerberos credentials cache path (ccache_path) and ticket renewal frequency (keytab_reinit_frequency), as shown in the following example:
[desktop]
[[kerberos]]
…
# Path to keep Kerberos credentials cached
# ccache_path=/tmp/custom_hue_krb5_ccache
# Frequency in seconds with which Hue will renew its keytab
# keytab_reinit_frequency=86400
…
The renewal frequency must be shorter than the ticket lifetime granted by the KDC, otherwise Hue runs with an expired ticket until the next renewal pass. The credentials cache at ccache_path holds the Hue service ticket, so it must be readable only by the user that Hue runs as.
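The three lifetimes involved here are set in three different files and are easy to get inconsistent: keytab_reinit_frequency (hue.ini) must be shorter than ticket_lifetime, and renew_lifetime (krb5.conf) is capped by the KDC's max_renewable_life (kdc.conf). The following Python script is an added example, not part of this page and not Hue's own kt_renewer code; it assumes, as described above, that the renewer refreshes the ticket every keytab_reinit_frequency seconds, and the duration values it is run against are constructed samples rather than values from a real cluster.

```python
import re

# Seconds per MIT Kerberos duration unit suffix.
_UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_krb5_duration(value):
    """Convert an MIT Kerberos duration to seconds.

    Accepts a bare number of seconds ('36000'), a clock form ('10:30' or
    '10:30:00'), or unit suffixes that may be combined ('7d', '10h', '1d12h30m').
    """
    value = value.strip().lower()
    if value.isdigit():
        return int(value)
    m = re.fullmatch(r"(\d+):(\d{2})(?::(\d{2}))?", value)
    if m:
        return int(m.group(1)) * 3600 + int(m.group(2)) * 60 + int(m.group(3) or 0)
    total, pos = 0, 0
    for m in re.finditer(r"(\d+)([dhms])", value):
        if m.start() != pos:                     # reject junk between the units
            raise ValueError(f"unparseable Kerberos duration: {value!r}")
        total += int(m.group(1)) * _UNITS[m.group(2)]
        pos = m.end()
    if pos != len(value) or total == 0:
        raise ValueError(f"unparseable Kerberos duration: {value!r}")
    return total


def check_renewer_settings(ticket_lifetime, renew_lifetime, max_renewable_life,
                           keytab_reinit_frequency):
    """Check that Hue's renewal interval fits the Kerberos ticket lifetimes.

    ticket_lifetime and renew_lifetime come from krb5.conf [libdefaults],
    max_renewable_life from kdc.conf, and keytab_reinit_frequency (seconds)
    from the [[kerberos]] section of hue.ini.
    Returns (ok, effective_renewable_life_seconds, findings).
    """
    tl = parse_krb5_duration(ticket_lifetime)
    rl = parse_krb5_duration(renew_lifetime)
    mrl = parse_krb5_duration(max_renewable_life)
    freq = int(keytab_reinit_frequency)
    findings = []
    # The renewer runs every `freq` seconds; if that is not shorter than the
    # ticket lifetime, Hue sits with an expired ticket until the next pass.
    if freq >= tl:
        findings.append(f"keytab_reinit_frequency={freq}s is not shorter than "
                        f"ticket_lifetime={tl}s; the ticket expires before the renewer runs again")
    # The KDC never grants a renewable lifetime longer than max_renewable_life.
    if rl > mrl:
        findings.append(f"renew_lifetime={rl}s exceeds the KDC's max_renewable_life={mrl}s "
                        f"and will be capped at {mrl}s")
    effective = min(rl, mrl)
    # A renewable lifetime that does not exceed the ticket lifetime means the
    # ticket is not renewable at all (kinit -R fails), so renewal is not enabled.
    if effective <= tl:
        findings.append(f"effective renewable lifetime {effective}s is not longer than "
                        f"ticket_lifetime={tl}s; tickets are not renewable")
    return (not findings, effective, findings)


if __name__ == "__main__":
    # Constructed sample values: a 10-hour ticket with a once-a-day renewer.
    ok, effective, findings = check_renewer_settings("10h", "7d", "7d", 86400)
    print("ok" if ok else "\n".join(findings))
```

Run against the example values in hue.ini above (keytab_reinit_frequency=86400) and a typical 10-hour ticket_lifetime, the check reports that the renewer runs too rarely; either lower the frequency or raise the ticket lifetime in krb5.conf.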
Modifying the hue.ini File
In the [[kerberos]] section of the hue.ini file, make the following changes:
- Supply the path to Hue's Kerberos keytab file (hue_keytab). The keytab holds the long-term key of the Hue principal, so it must be readable only by the user that Hue runs as.
- Supply the Kerberos principal name for Hue (hue_principal).
- Supply the path to kinit (kinit_path).
In the [[yarn_clusters]] [[[default]]] section:
- If you are using a certificate signed by a CA (Certificate Authority), set the ssl_cert_ca_verify value to True.
- If you are using a self-signed certificate or no certificate, leave the value set to False. With False, Hue does not verify the ResourceManager's certificate and cannot distinguish a spoofed ResourceManager from the real one, so treat this as a temporary setting and move to a CA-signed certificate.
For Hue with secure Hive: In the [beeswax] section, make sure that the hive_conf_dir property points to a directory containing a valid hive-site.xml file (either the original or a synced copy).
Optional: To enable SSL encryption, see Enable SSL Encryption Between Hue and Hive.
Make sure that you specified a fully-qualified domain name (FQDN) for every service integrated with Hue that uses Kerberos. The client requests a service ticket for the host name it was given, and the KDC has no service principal registered for a short name or for localhost, so the request fails:
- HttpFS: Set the webhdfs_url property in the [hadoop] [[hdfs_clusters]] [[[default]]] section.
- HiveServer2: Set the hive_server_host property in the [beeswax] section.
- Impala: Set the server_host property in the [impala] section.
- Spark: Set the livy_server_url property in the [spark] section.
NOTE: Support for Kerberos integration with Livy was introduced in Hue 4.X.
- HBase: Set the hbase_clusters property in the [hbase] section.
- Drill: Refer to the Drill section.
The changes are summarized in the following hue.ini file, which you can use as a template:
[desktop]
[[kerberos]]
# Path to Hue's Kerberos keytab file
hue_keytab=/opt/mapr/conf/mapr.keytab
# Kerberos principal name for Hue
# hue_principal=mapr/<hostname>@<realm>
# Substitute your hostname and realm in the example below
hue_principal=mapr/perfnode181.perf.lab@dev-maprtech
# Path to keep Kerberos credentials cached
# ccache_path=/tmp/custom_hue_krb5_ccache
# Frequency in seconds with which Hue will renew its keytab
# keytab_reinit_frequency=86400
# Path to kinit
# Note that the actual path depends on which Linux OS you are using
kinit_path=/usr/bin/kinit
[beeswax]
# If Kerberos security is enabled, use fully-qualified domain name
# (FQDN)
hive_server_host=<FQDN of Hive Server>
# Hive configuration directory, where hive-site.xml is located.
hive_conf_dir=/opt/mapr/hive/hive-<version>/conf
# Change this if your Hive is secured
security_enabled=true
# Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
mechanism=GSSAPI
[impala]
# Host of the Impala Server (one of the Impalad)
server_host=<FQDN of Impalad>
# Kerberos principal
impala_principal=mapr/perfnode181.perf.lab@dev-maprtech
[hadoop]
...
[[hdfs_clusters]]
[[[default]]]
# Enter the filesystem uri
fs_defaultfs=maprfs:///
# Use WebHdfs/HttpFs as the communication mechanism.
# Domain should be the NameNode or HttpFs host.
# Default port is 14000 for HttpFs.
webhdfs_url=https://<FQDN of HttpFS>:14000/webhdfs/v1
# Change this if your HDFS cluster is secured
security_enabled=True
# Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
mechanism=GSSAPI
...
[[yarn_clusters]]
[[[default]]]
# Enter the host on which you are running the ResourceManager
## resourcemanager_host=localhost
# The port where the ResourceManager IPC listens on
## resourcemanager_port=8032
# Whether to submit jobs to this cluster
submit_to=true
# Change this if your YARN cluster is secured
security_enabled=true
# URL of the ResourceManager API
## resourcemanager_api_url=https://localhost:8090
# URL of the ProxyServer API
## proxy_api_url=https://localhost:8090
# URL of the HistoryServer API
history_server_api_url=https://localhost:19890
# Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
mechanism=GSSAPI
# In secure mode (HTTPS), if SSL certificates from Resource Manager's
# Rest Server have to be verified against certificate authority
ssl_cert_ca_verify=False
[spark]
# The Livy Server URL.
livy_server_url=https://<FQDN of Livy Server>:8998
# Whether Livy requires client to perform Kerberos authentication.
security_enabled=True
# Security mechanism of authentication none/GSSAPI/MAPR-SECURITY.
mechanism=GSSAPI
[liboozie]
# The URL where the Oozie service runs on. This is required in order for
# users to submit jobs.
oozie_url=https://<FQDN of Oozie>:<oozie_port_number>/oozie
# Requires FQDN in oozie_url if enabled
security_enabled=true
# Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
mechanism=GSSAPI
[hbase]
# Comma-separated list of HBase Thrift servers for clusters in the format of '(name|host:port)'.
# Use full hostname with security.
# If using Kerberos we assume GSSAPI SASL, not PLAIN.
hbase_clusters=(Cluster|<FQDN of Hbase Thrift Server>:9090)
# Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
mechanism=GSSAPI
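The mistakes that the template above is meant to prevent (short host names or placeholders left in place, security_enabled without a GSSAPI mechanism, TLS certificate verification switched off) are all mechanical enough to catch before restarting Hue. The following Python checker is an added example, not part of this page and not Hue's own configuration validation; it parses Hue's nested [section] / [[subsection]] / [[[subsubsection]]] layout itself. The hue.ini fragment it runs against is constructed with deliberately weak settings, and its host names (hue01.example.internal and so on) are hypothetical.

```python
import re

# Constructed hue.ini fragment with deliberately weak settings (sample input,
# not the template from this page); all host names are hypothetical.
SAMPLE_HUE_INI = """
[desktop]
  [[kerberos]]
    hue_keytab=/opt/mapr/conf/mapr.keytab
    hue_principal=mapr/hue01.example.internal@EXAMPLE.INTERNAL
    kinit_path=/usr/bin/kinit
[beeswax]
  hive_server_host=localhost
  security_enabled=true
  mechanism=none
[hadoop]
  [[hdfs_clusters]]
    [[[default]]]
      webhdfs_url=https://httpfs01.example.internal:14000/webhdfs/v1
      security_enabled=True
      mechanism=GSSAPI
  [[yarn_clusters]]
    [[[default]]]
      resourcemanager_api_url=https://rm01.example.internal:8090
      security_enabled=true
      mechanism=GSSAPI
      ssl_cert_ca_verify=False
[spark]
  livy_server_url=https://<FQDN of Livy Server>:8998
  security_enabled=True
  mechanism=GSSAPI
"""

HOST_KEYS = ("hive_server_host", "server_host", "resourcemanager_host")
URL_KEYS = ("webhdfs_url", "livy_server_url", "oozie_url", "resourcemanager_api_url",
            "proxy_api_url", "history_server_api_url")


def parse_hue_ini(text):
    """Parse Hue's nested [a] / [[b]] / [[[c]]] sections into {'a.b.c': {key: value}}."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"(\[+)([^\]]+)\]+", line)
        if m:                                   # bracket count gives the nesting depth
            stack = stack[:len(m.group(1)) - 1] + [m.group(2).strip()]
            sections.setdefault(".".join(stack), {})
            continue
        key, _, value = line.partition("=")
        sections.setdefault(".".join(stack), {})[key.strip()] = value.strip()
    return sections


def _is_fqdn(host):
    host = host.strip().lower()
    return (host not in ("localhost", "127.0.0.1") and "." in host
            and re.fullmatch(r"[a-z0-9.-]+", host) is not None)


def _url_host(url):
    m = re.match(r"[a-z]+://([^/:]+)", url.strip(), re.I)
    return m.group(1) if m else url


def _truthy(value):
    return value.strip().lower() in ("true", "1", "yes", "on")


def check_hue_ini(text):
    """Return a list of (section, message) findings for Kerberos-related mistakes."""
    findings = []
    sections = parse_hue_ini(text)
    krb = sections.get("desktop.kerberos", {})
    principal = krb.get("hue_principal", "")
    m = re.fullmatch(r"[^/@]+/([^@]+)@.+", principal)
    if not m or not _is_fqdn(m.group(1)):       # must be service/FQDN@REALM
        findings.append(("desktop.kerberos", f"hue_principal={principal!r} is not service/FQDN@REALM"))
    for key in ("hue_keytab", "kinit_path"):
        if not krb.get(key, "").startswith("/"):
            findings.append(("desktop.kerberos", f"{key} must be an absolute path"))
    for name, opts in sections.items():
        mech = opts.get("mechanism", "none")
        if _truthy(opts.get("security_enabled", "false")) and mech.upper() not in ("GSSAPI", "MAPR-SECURITY"):
            findings.append((name, f"security_enabled=true but mechanism={mech!r}; use GSSAPI for Kerberos"))
        for key in HOST_KEYS:
            if key in opts and not _is_fqdn(opts[key]):
                findings.append((name, f"{key}={opts[key]!r} is not a fully-qualified domain name"))
        for key in URL_KEYS:
            if key in opts and not _is_fqdn(_url_host(opts[key])):
                findings.append((name, f"{key} host {_url_host(opts[key])!r} is not a fully-qualified domain name"))
        # Thrift server list in the form (name|host:port),(name2|host2:port)
        for host in re.findall(r"\|([^:)]+):", opts.get("hbase_clusters", "")):
            if not _is_fqdn(host):
                findings.append((name, f"hbase_clusters host {host!r} is not a fully-qualified domain name"))
        # An HTTPS API URL with certificate verification turned off accepts a spoofed endpoint.
        uses_https = any(opts.get(k, "").lower().startswith("https://") for k in URL_KEYS)
        if uses_https and not _truthy(opts.get("ssl_cert_ca_verify", "true")):
            findings.append((name, "ssl_cert_ca_verify=False disables TLS certificate verification; "
                                   "use a CA-signed certificate and set it to True"))
    return findings


if __name__ == "__main__":
    for section, message in check_hue_ini(SAMPLE_HUE_INI):
        print(f"[{section}] {message}")
```

On the constructed fragment the checker reports four findings: the [beeswax] section claims security_enabled with mechanism=none and points at localhost, the YARN section has ssl_cert_ca_verify=False on an HTTPS API URL, and the Livy URL still contains its placeholder. The absence of ssl_cert_ca_verify is treated as True, which is the safe direction; sections that are not Kerberos-related are simply ignored.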
In each service section of the template, set the security_enabled property to true and the mechanism property to GSSAPI for a Kerberized environment. These options are configured automatically only on a data-fabric SASL cluster; on a Kerberos cluster, you must set them yourself.
Modifying the core-site.xml File
In the core-site.xml file, provide the short name of the Kerberos principal (the part of hue_principal before the slash) as shown. In addition, verify that you configured the proxyuser during configuration: the hadoop.proxyuser.<shortname>.hosts and hadoop.proxyuser.<shortname>.groups properties are what allow the Hue principal to impersonate the logged-in user. Restrict hosts to the Hue server's FQDN rather than the wildcard, because a wildcard lets any host that obtains the principal's keytab impersonate any Hue user. See Configure Hue for details.
<!-- Hue security configuration -->
<property>
<name>hue.kerberos.principal.shortname</name>
<value>mapr</value>
</property>
<property>
<name>hadoop.proxyuser.mapr.groups</name>
<value>*</value> <!-- A group that all users of Hue belong to, or the wildcard value "*" -->
</property>
<property>
<name>hadoop.proxyuser.mapr.hosts</name>
<value><hue_server_FQDN></value>
</property>
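Because the proxyuser entries let one principal act as every Hue user, they are worth checking on their own: the short name must match the primary of hue_principal, both the hosts and groups properties must exist for that name, and a wildcard hosts value is a broader grant than the Hue server needs. The following Python is an added example, not part of this page and not Hadoop's own proxyuser validation; the core-site.xml fragment it checks is constructed, with the wildcard hosts value as the weak setting, and its host names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragment (sample input, not this page's file); the
# wildcard hosts value is the weak setting the check is meant to catch.
SAMPLE_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hue.kerberos.principal.shortname</name>
    <value>mapr</value>
  </property>
  <property>
    <name>hadoop.proxyuser.mapr.groups</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.mapr.hosts</name>
    <value>*</value>
  </property>
</configuration>
"""


def load_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style XML file."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.iter("property")}


def check_proxyuser(xml_text, hue_principal):
    """Check the impersonation rules granted to the Hue principal.

    hue_principal is the hue_principal value from hue.ini (service/host@REALM).
    Returns a list of (level, message): 'error' means Hue cannot impersonate
    users at all, 'warn' means the grant is broader than the Hue server needs.
    """
    props = load_properties(xml_text)
    findings = []
    primary = hue_principal.split("@", 1)[0].split("/", 1)[0]   # 'mapr' from mapr/host@REALM
    shortname = props.get("hue.kerberos.principal.shortname")
    if shortname != primary:
        findings.append(("error", f"hue.kerberos.principal.shortname={shortname!r} does not match "
                                  f"the primary {primary!r} of hue_principal"))
    hosts = props.get(f"hadoop.proxyuser.{primary}.hosts")
    groups = props.get(f"hadoop.proxyuser.{primary}.groups")
    if hosts is None or groups is None:
        findings.append(("error", f"hadoop.proxyuser.{primary}.hosts and .groups must both be set, "
                                  f"or Hue cannot impersonate users"))
    if hosts == "*":
        findings.append(("warn", f"hadoop.proxyuser.{primary}.hosts=* lets any host that holds the "
                                 f"{primary!r} keytab impersonate users; list the Hue server FQDN(s) instead"))
    if groups == "*":
        findings.append(("warn", f"hadoop.proxyuser.{primary}.groups=* allows impersonation of every "
                                 f"user, including administrators; prefer a group of Hue users"))
    # Any other principal with a wildcard host grant is the same exposure under another name.
    for name, value in props.items():
        if (name.startswith("hadoop.proxyuser.") and name.endswith(".hosts")
                and value == "*" and name != f"hadoop.proxyuser.{primary}.hosts"):
            findings.append(("warn", f"{name}=* grants unrestricted impersonation to another principal"))
    return findings


if __name__ == "__main__":
    for level, message in check_proxyuser(SAMPLE_CORE_SITE,
                                          "mapr/hue01.example.internal@EXAMPLE.INTERNAL"):
        print(f"{level}: {message}")
```

The hosts property accepts a comma-separated list of host names, so a Hue deployment behind several servers can list all of them without falling back to the wildcard; the groups wildcard is reported at warning level only, since the page offers it as an option, but a dedicated group of Hue users keeps the Hue principal from being able to act as cluster administrators.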
Restarting Warden and Hue
After you make all the changes to the files listed above, restart Warden and Hue so the changes will take effect.