How to configure Hue to access Hadoop services using Kerberos

Article ID: 294801

Products

Services Suite

Issue/Introduction

This article discusses how to configure Hue to access Hadoop services using Kerberos.


Environment


Resolution

1. Create a Hue user principal in the same realm as the Hadoop cluster on a KDC server.

# addprinc -randkey hue/<FQDN>@<REALM>

Replace <FQDN> with the fully qualified domain name of the host where the Hue server is running.

Replace <REALM> with the name of your Kerberos realm.

In the examples discussed in this article, FQDN will be admin.hadoop.local and REALM will be PIVOTAL.IO.

# kadmin.local -q "addprinc -randkey hue/admin.hadoop.local@PIVOTAL.IO"

2. Create a keytab file with the Hue user principal.

# kadmin.local -q "xst -k /root/keytabs/hue.service.keytab hue/admin.hadoop.local@PIVOTAL.IO"

3. Distribute the keytab file to the machine that runs the Hue server. The file is normally placed in /etc/security/keytabs/.


4. Change the ownership of the keytab file to the user that runs the Hue server and the group Hadoop, and set the permissions of the keytab file to 400.


5. Test that the keytab file works.

# kinit -kt /etc/security/keytabs/hue.service.keytab hue/admin.hadoop.local@PIVOTAL.IO
[root@admin keytabs]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hue/admin.hadoop.local@PIVOTAL.IO

Valid starting     Expires            Service principal
12/01/15 07:59:48  12/02/15 07:59:48  krbtgt/PIVOTAL.IO@PIVOTAL.IO
        renew until 12/01/15 07:59:48
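
A check for steps 3 to 5, added here as an example and not part of the original article: it confirms the keytab's owner, group and mode before Hue is pointed at it, and that the keytab holds the expected principal. The function names and the account names hue and hadoop in the usage line are assumptions; the script expects GNU stat and MIT Kerberos klist.

```shell
#!/bin/sh
# Added example (not from the original article): verify the keytab from
# steps 3-5 before pointing hue.ini at it.
# Assumptions: GNU coreutils stat; "hue" and "hadoop" in the usage line
# are placeholders for your own service user and group names.

# check_keytab FILE OWNER GROUP
# Succeeds only if FILE is a regular file (not a symlink), owned by
# OWNER:GROUP, with mode exactly 400. A keytab holds the principal's
# long-term key, so a wider mode lets other local accounts read it and
# authenticate as the Hue principal.
check_keytab() {
    kt_file=$1; kt_owner=$2; kt_group=$3
    if [ -L "$kt_file" ] || [ ! -f "$kt_file" ]; then
        echo "FAIL: $kt_file is missing, a symlink, or not a regular file" >&2
        return 1
    fi
    kt_mode=$(stat -c '%a' "$kt_file")
    kt_actual=$(stat -c '%U:%G' "$kt_file")
    kt_rc=0
    if [ "$kt_mode" != "400" ]; then
        echo "FAIL: mode is $kt_mode, expected 400" >&2
        kt_rc=1
    fi
    if [ "$kt_actual" != "$kt_owner:$kt_group" ]; then
        echo "FAIL: owner is $kt_actual, expected $kt_owner:$kt_group" >&2
        kt_rc=1
    fi
    return "$kt_rc"
}

# keytab_has_principal FILE PRINCIPAL
# Lists the keytab entries with MIT Kerberos klist and succeeds only if
# PRINCIPAL appears as the last field of an entry (exact match).
keytab_has_principal() {
    klist -kt "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# Usage: sh check_keytab.sh /etc/security/keytabs/hue.service.keytab hue hadoop
if [ "$#" -eq 3 ]; then
    check_keytab "$1" "$2" "$3"
fi
```
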

6. Edit the kerberos section in the hue.ini configuration file (typically under /etc/hue/conf) on the host running the Hue server.

[[kerberos]]

# Path to Hue's Kerberos keytab file
 hue_keytab=/etc/security/keytabs/hue.service.keytab

# Kerberos principal name for Hue
 hue_principal=hue/admin.hadoop.local@PIVOTAL.IO

# Path to kinit
 kinit_path=/usr/bin/kinit

## Frequency in seconds with which Hue will renew its keytab. Default 1h.
 reinit_frequency=3600

## Path to keep Kerberos credentials cached.
 ccache_path=/tmp/hue_krb5_ccache

[[hdfs_clusters]]

 [[[default]]]
 # Enter the filesystem uri
 fs_defaultfs=hdfs://<namenode host>:<namenode port>

 webhdfs_url=http://<HttpFS server FQDN>:<HttpFS server port>/webhdfs/v1

 security_enabled=true

[hcatalog]
 security_enabled=true

[beeswax]

 hive_conf_dir=/etc/hive/conf

Note:

  • Replace the principal name and the keytab file path with the values for your environment.
  • If you need to use the Beeswax interface in Hue, ensure hive_conf_dir is set to the Hive configuration directory in which the Kerberos configuration parameters are already set correctly.

7. In the Ambari web UI, edit the core-site.xml configuration by adding the following properties, then restart the HDFS service for the changes to take effect.

<property>
  <name>hue.kerberos.principal.shortname</name>
  <value>hue</value>
</property>

<property>
  <name>hadoop.proxyuser.hue.hosts</name>
  <value>*</value>
</property>

<property>
  <name>hadoop.proxyuser.hue.groups</name>
  <value>*</value>
</property>

8. Restart the Hue service.

# service hue restart

