Configure Hue to use Kerberos

Enabling the Kerberos Ticket Renewer Service

The Kerberos Ticket Renewer service (kt_renewer) renews tickets for the Hue service. Hue automatically starts the kt_renewer process on clusters that use Kerberos for authentication. Kerberos tickets have a default expiration time of 7 days. The kt_renewer service extracts the Kerberos ticket from the keytab file and renews the ticket before it expires.

You can access the kt_renewer process log files in the following locations:

${HUE_HOME}/logs/kt_renewer.out
${HUE_HOME}/logs/kt_renewer.log

To use the Kerberos Ticket Renewer service:

Enable the Kerberos Ticket Renewer Service:
- In the kdc.conf file, add the max_renewable_life parameter.
- In the krb5.conf file, add the renew_lifetime parameter.

Update the hue.ini file to include the Kerberos credentials cache path (ccache_path) and ticket renewal frequency (keytab_reinit_frequency), as shown in the following example:

[desktop]
               [[kerberos]]
                 …   
                 # Path to keep Kerberos credentials cached
                 # ccache_path=/tmp/custom_hue_krb5_ccache         
                 # Frequency in seconds with which Hue will renew its keytab
                 # keytab_reinit_frequency=86400             
                 …

Modifying the hue.ini File

In the kerberos section of the hue.ini file, make the following changes:

Supply the path to Hue's Kerberos keytab file.
Supply the Kerberos principal name for Hue.
Supply the path to kinit.
In the [[yarn_clusters]] [[[default]]] section:
- If you are using a certificate signed by the CA (Certificate Authority), set the ssl_cert_ca_verify value to True.
- If you are using a self-signed certificate or no certificate, leave the value set to False.
For Hue with secure Hive: In the beeswax section, make sure that the hive_conf_dir property points to a directory containing a valid hive-site.xml file (either the original or a synced copy).
Optional: To enable SSL encryption, see Enable SSL Encryption Between Hue and Hive.
Make sure that you specified a fully-qualified domain name (FQDN) for all services integrated with Hue that uses Kerberos:

HttpFS: Set the webhdfs_url property in the [hadoop] [[hdfs_clusters]] [[[default]]] section.

HiveServer2: Set the hive_server_host property in the [beeswax] section.

Impala: Set the server_host property in the [impala] section.

Spark: Set the livy_server_url property in the [impala] section.
NOTE
Support for Kerberos integration with Livy was introduced in Hue 4.X.

HBase: Set the hbase_clusters property in the [hbase] section.

Drill: Refer to section.

The changes are summarized in the following hue.ini files, which you can use as a template:

[desktop]
   [[kerberos]]
     # Path to Hue's Kerberos keytab file
     hue_keytab=/opt/mapr/conf/mapr.keytab
            
     # Kerberos principal name for Hue
     # hue_principal=mapr/<hostname>@<realm>
     # Substitute your hostname and realm in the example below
     hue_principal=mapr/perfnode181.perf.lab@dev-maprtech  

     # Path to keep Kerberos credentials cached
     # ccache_path=/tmp/custom_hue_krb5_ccache         
     # Frequency in seconds with which Hue will renew its keytab
     # keytab_reinit_frequency=86400
               
     # Path to kinit
     # Note that the actual path depends on which Linux OS you are using
     kinit_path=/usr/bin/kinit
               
[beeswax]
  # If Kerberos security is enabled, use fully-qualified domain name
  # (FQDN)
  hive_server_host=<FQDN of Hive Server>
  # Hive configuration directory, where hive-site.xml is located.
  hive_conf_dir=/opt/mapr/hive/hive-<version>/conf
  # Change this if your Hive is secured
  security_enabled=true
  # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
  mechanism=GSSAPI
                     
[impala]
  # Host of the Impala Server (one of the Impalad)
  server_host=<FQDN of Impalad>
  # Kerberos principal
  impala_principal=mapr/perfnode181.perf.lab@dev-maprtech
                        
[hadoop]
  ...
  [[hdfs_clusters]]
     [[[default]]]
  # Enter the filesystem uri
  fs_defaultfs=maprfs:///
                        
  # Use WebHdfs/HttpFs as the communication mechanism.
  # Domain should be the NameNode or HttpFs host.
  # Default port is 14000 for HttpFs.
  webhdfs_url=https://<FQDN of HttpFS>:14000/webhdfs/v1
                           
  # Change this if your HDFS cluster is secured
  security_enabled=True
                           
  # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
  mechanism=GSSAPI
  ...
[[yarn_clusters]]
  [[[default]]]
  # Enter the host on which you are running the ResourceManager
  ## resourcemanager_host=localhost
                           
  # The port where the ResourceManager IPC listens on
  ## resourcemanager_port=8032
                           
  # Whether to submit jobs to this cluster
  submit_to=true
                           
  # Change this if your YARN cluster is secured
  security_enabled=true
                           
  # URL of the ResourceManager API
  ## resourcemanager_api_url=https://localhost:8090
                           
  # URL of the ProxyServer API
  ## proxy_api_url=https://localhost:8090
                           
  # URL of the HistoryServer API
  history_server_api_url=https://localhost:19890
                           
  # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
  mechanism=GSSAPI
                           
  # In secure mode (HTTPS), if SSL certificates from Resource Manager's
  # Rest Server have to be verified against certificate authority
  ssl_cert_ca_verify=False
                           
[spark]
  # The Livy Server URL.
  livy_server_url=https://<FQDN of Livy Server>:8998
                              
  # Whether Livy requires client to perform Kerberos authentication.
  security_enabled=True
                              
  # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY.
  mechanism=GSSAPI
                              
[liboozie]
  # The URL where the Oozie service runs on. This is required in order for
  # users to submit jobs.
  oozie_url=https://<FQDN of Oozie>:<oozie_port_number>/oozie
                                 
  # Requires FQDN in oozie_url if enabled
  security_enabled=true
  # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
 mechanism=GSSAPI
                                 
[hbase]
  # Comma-separated list of HBase Thrift servers for clusters in the format of '(name|host:port)'.
  # Use full hostname with security.
  # If using Kerberos we assume GSSAPI SASL, not PLAIN.
  hbase_clusters=(Cluster|<FQDN of Hbase Thrift Server>:9090)
  # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
  mechanism=GSSAPI

NOTE

You need to manually set security_enabled property to true and mechanism property to GSSAPI for a Kerberised environment. These options are automatically configured only on a data-fabric-SASL cluster.

Modifying the core-site.xml File

In the core-site.xml file, provide the shortname for the Kerberos principal as shown. In addition, verify that you configured the proxyuser during configuration. See Configure Hue for details.

<!-- Hue security configuration -->
<property>
  <name>hue.kerberos.principal.shortname</name>
  <value>mapr</value>
</property>
<property>
  <name>hadoop.proxyuser.mapr.groups</name>
  <value>*</value> <!-- A group that all users of Hue belong to, or the wildcard value "*" -->
</property>
<property>
  <name>hadoop.proxyuser.mapr.hosts</name>
  <value><hue_server_FQDN></value>
</property>

Restarting Warden and Hue

After you make all the changes to the files listed above, restart Warden and Hue so the changes will take effect.

HPE Ezmeral Data Fabric – Customer-Managed 7.9.0 Documentation
Abstract	This site contains documentation for the customer-managed platform of the HPE Ezmeral Data Fabric version 7.9.0 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
Published	November 2024
Edition	7.9.0