Enable SSL Encryption Between Hue and HttpFS

About this task

As of HttpFS 1.0-1504 and Hue 3.7-1505, you can enable SSL encryption and mutual-based authentication between Hue and HttpFS on a secure cluster that is version 4.0.2 or greater.

Complete the following steps to enable SSL encryption and mutual-based authentication between Hue and HttpFS on a secure cluster:

Procedure

Configure HttpFS to use SSL or verify that HttpFS is configured to use SSL. For details, see SSL Security for HttpFS.

Set the webhdfs_url property in the [hadoop] [[hdfs_clusters]] [[[default]]] section of the hue.ini file to contain the correct URL for HttpFS with the HTTPS schema and domain of the HttpFS server:

[hadoop]
  [[hdfs_clusters]]
    [[[default]]]
      # Use WebHdfs/HttpFs as the communication mechanism.
      # Domain should be the NameNode or HttpFs host.
      # Default port is 14000 for HttpFs.
      webhdfs_url=https://node1.cluster.com:14000/webhdfs/v1

You can enable or disable Hue verification of service certificates by configuring ssl_cacerts and ssl_validate properties in the [desktop] section of the hue.ini file.

Example for enabling certificate verification:

[desktop]
   ...
              
  # Path to default Certificate Authority certificates. As example: /path/to/cacert.pem
  ssl_cacerts=/opt/mapr/conf/ssl_truststore.pem
              
  # Choose whether Hue should validate certificates received from the server.
  ssl_validate=true

Example for disabling certificate verification:

[desktop]
   ...
              
  # Path to default Certificate Authority certificates. As example: /path/to/cacert.pem
  # ssl_cacerts=
              
  # Choose whether Hue should validate certificates received from the server.
  ssl_validate=false

[OPTIONAL] Configure mutual authentication between Hue and HttpFS. Add the following configuration in the hue.ini file under the [hadoop] [[hdfs_clusters]] [[[default]]] section.

```
mutual_ssl_auth=True
```
```
ssl_cert=/path/to/certificate.pem
```
```
ssl_key=/path/to/private_key.pem
```

Use absolute paths for ssl_cert and ssl_key. Hue does not support private keys with a passphrase in this step.

The changes are summarized in the following example in the hue.ini file, which you can use as a template:

[hadoop]
 [[hdfs_clusters]]
  # HA support by using HttpFs
 [[[default]]]
  # Use WebHdfs/HttpFs as the communication mechanism.
  # Domain should be the NameNode or HttpFs host.
  # Default port is 14000 for HttpFs.
  webhdfs_url=https://node1.cluster.com:14000/webhdfs/v1
      ....
  # SSL certificate based authentication
  ssl_cert=/path/to/certificate.pem
  ssl_key=/path/to/private_key.pem

Restart Hue.

maprcli node services -name hue -action start -nodes <ip_address>

To test that SSL encryption is enabled for HttpFS, run the following command:

curl -k --cert /path/to/certificate.pem --key /path/to/private_key.pem
"https://node1.cluster.com:14000/webhdfs/v1?op=GETFILESTATUS&user.name=mapr"

HPE Ezmeral Data Fabric – Customer-Managed 7.9.0 Documentation
Abstract	This site contains documentation for the customer-managed platform of the HPE Ezmeral Data Fabric version 7.9.0 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
Published	November 2024
Edition	7.9.0