Configure Hue to use Kerberos

After you set up a Kerberos principal and keytab file, you can configure Hue to use the Kerberos authentication protocol.

After you set up a Kerberos principal and keytab file, enable the Kerberos Ticket Renewal service, update hue.ini and core-site.xml with the required parameters, and restart the Warden and Hue services.

Enabling the Kerberos Ticket Renewer Service

The Kerberos Ticket Renewer service (kt_renewer) renews tickets for the Hue service. Hue automatically starts the kt_renewer process on clusters that use Kerberos for authentication. Kerberos tickets have a default expiration time of 7 days. The kt_renewer service extracts the Kerberos ticket from the keytab file and renews the ticket before it expires.

You can access the kt_renewer process log files in the following locations:
  • ${HUE_HOME}/logs/kt_renewer.out
  • ${HUE_HOME}/logs/kt_renewer.log
To use the Kerberos Ticket Renewer service:
  1. Enable the Kerberos Ticket Renewer Service:
    • In the kdc.conf file, add the max_renewable_life parameter.
    • In the krb5.conf file, add the renew_lifetime parameter.
  2. Update the hue.ini file to include the Kerberos credentials cache path (ccache_path) and ticket renewal frequency (keytab_reinit_frequency), as shown in the following example:
    [desktop]
                   [[kerberos]]
                     …   
                     # Path to keep Kerberos credentials cached
                     # ccache_path=/tmp/custom_hue_krb5_ccache         
                     # Frequency in seconds with which Hue will renew its keytab
                     # keytab_reinit_frequency=86400             
                     …
    

Modifying the hue.ini File

In the kerberos section of the hue.ini file, make the following changes:

  1. Supply the path to Hue's Kerberos keytab file.
  2. Supply the Kerberos principal name for Hue.
  3. Supply the path to kinit.
  4. In the [[yarn_clusters]] [[[default]]] section:
    • If you are using a certificate signed by the CA (Certificate Authority), set the ssl_cert_ca_verify value to True.
    • If you are using a self-signed certificate or no certificate, leave the value set to False.
  5. For Hue with secure Hive: In the beeswax section, make sure that the hive_conf_dir property points to a directory containing a valid hive-site.xml file (either the original or a synced copy).
  6. Optional: To enable SSL encryption, see Enable SSL Encryption Between Hue and Hive.

  7. Make sure that you specified a fully-qualified domain name (FQDN) for all services integrated with Hue that uses Kerberos:

    HttpFS: Set the webhdfs_url property in the [hadoop] [[hdfs_clusters]] [[[default]]] section.

    HiveServer2: Set the hive_server_host property in the [beeswax] section.

    Impala: Set the server_host property in the [impala] section.

    Spark: Set the livy_server_url property in the [impala] section.
    NOTE
    Support for Kerberos integration with Livy was introduced in Hue 4.X.

    HBase: Set the hbase_clusters property in the [hbase] section.

    Drill: Refer to section.

The changes are summarized in the following hue.ini files, which you can use as a template:

[desktop]
   [[kerberos]]
     # Path to Hue's Kerberos keytab file
     hue_keytab=/opt/mapr/conf/mapr.keytab
            
     # Kerberos principal name for Hue
     # hue_principal=mapr/<hostname>@<realm>
     # Substitute your hostname and realm in the example below
     hue_principal=mapr/perfnode181.perf.lab@dev-maprtech  

     # Path to keep Kerberos credentials cached
     # ccache_path=/tmp/custom_hue_krb5_ccache         
     # Frequency in seconds with which Hue will renew its keytab
     # keytab_reinit_frequency=86400
               
     # Path to kinit
     # Note that the actual path depends on which Linux OS you are using
     kinit_path=/usr/bin/kinit
               
[beeswax]
  # If Kerberos security is enabled, use fully-qualified domain name
  # (FQDN)
  hive_server_host=<FQDN of Hive Server>
  # Hive configuration directory, where hive-site.xml is located.
  hive_conf_dir=/opt/mapr/hive/hive-<version>/conf
  # Change this if your Hive is secured
  security_enabled=true
  # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
  mechanism=GSSAPI
                     
[impala]
  # Host of the Impala Server (one of the Impalad)
  server_host=<FQDN of Impalad>
  # Kerberos principal
  impala_principal=mapr/perfnode181.perf.lab@dev-maprtech
                        
[hadoop]
  ...
  [[hdfs_clusters]]
     [[[default]]]
  # Enter the filesystem uri
  fs_defaultfs=maprfs:///
                        
  # Use WebHdfs/HttpFs as the communication mechanism.
  # Domain should be the NameNode or HttpFs host.
  # Default port is 14000 for HttpFs.
  webhdfs_url=https://<FQDN of HttpFS>:14000/webhdfs/v1
                           
  # Change this if your HDFS cluster is secured
  security_enabled=True
                           
  # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
  mechanism=GSSAPI
  ...
[[yarn_clusters]]
  [[[default]]]
  # Enter the host on which you are running the ResourceManager
  ## resourcemanager_host=localhost
                           
  # The port where the ResourceManager IPC listens on
  ## resourcemanager_port=8032
                           
  # Whether to submit jobs to this cluster
  submit_to=true
                           
  # Change this if your YARN cluster is secured
  security_enabled=true
                           
  # URL of the ResourceManager API
  ## resourcemanager_api_url=https://localhost:8090
                           
  # URL of the ProxyServer API
  ## proxy_api_url=https://localhost:8090
                           
  # URL of the HistoryServer API
  history_server_api_url=https://localhost:19890
                           
  # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
  mechanism=GSSAPI
                           
  # In secure mode (HTTPS), if SSL certificates from Resource Manager's
  # Rest Server have to be verified against certificate authority
  ssl_cert_ca_verify=False
                           
[spark]
  # The Livy Server URL.
  livy_server_url=https://<FQDN of Livy Server>:8998
                              
  # Whether Livy requires client to perform Kerberos authentication.
  security_enabled=True
                              
  # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY.
  mechanism=GSSAPI
                              
[liboozie]
  # The URL where the Oozie service runs on. This is required in order for
  # users to submit jobs.
  oozie_url=https://<FQDN of Oozie>:<oozie_port_number>/oozie
                                 
  # Requires FQDN in oozie_url if enabled
  security_enabled=true
  # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
 mechanism=GSSAPI
                                 
[hbase]
  # Comma-separated list of HBase Thrift servers for clusters in the format of '(name|host:port)'.
  # Use full hostname with security.
  # If using Kerberos we assume GSSAPI SASL, not PLAIN.
  hbase_clusters=(Cluster|<FQDN of Hbase Thrift Server>:9090)
  # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
  mechanism=GSSAPI
NOTE
You need to manually set security_enabled property to true and mechanism property to GSSAPI for a Kerberised environment. These options are automatically configured only on a data-fabric-SASL cluster.

Modifying the core-site.xml File

In the core-site.xml file, provide the shortname for the Kerberos principal as shown. In addition, verify that you configured the proxyuser during configuration. See Configure Hue for details.

<!-- Hue security configuration -->
<property>
  <name>hue.kerberos.principal.shortname</name>
  <value>mapr</value>
</property>
<property>
  <name>hadoop.proxyuser.mapr.groups</name>
  <value>*</value> <!-- A group that all users of Hue belong to, or the wildcard value "*" -->
</property>
<property>
  <name>hadoop.proxyuser.mapr.hosts</name>
  <value><hue_server_FQDN></value>
</property>

Restarting Warden and Hue

After you make all the changes to the files listed above, restart Warden and Hue so the changes will take effect.