Configure Hue to use Kerberos (MRv1)
If you want to use Hue on a secure cluster that uses Kerberos, you will need to set up a Kerberos principal and keytab file, as well as modify some configuration files. Each step in the process is explained in the following sections.
You must have a proper SSL Certificate to upload files using the Hue File Browser over HTTPS (SSL). Self-signed certificates do not work.
Creating a Kerberos Principal
Set up the Kerberos principal and keytab file as shown in Configuring JobTracker with Kerberos.
Using Kerberos Tickets for Hue
Using the keytab and principal you created in the previous step, complete the following steps:
- Extract the Kerberos ticket from the keytab file.
- Optionally, enable the Kerberos ticket renewer.
Extracting the Kerberos Ticket from the keytab File
To extract the ticket from the keytab file, run the following command (substitute your host and realm for perfnode181.perf.lab@dev-maprtech):
kinit -k -t /opt/mapr/conf/mapr.keytab -c /tmp/hue_krb5_ccache mapr/perfnode181.perf.lab@dev-maprtech
This command extracts the ticket from mapr.keytab and copies it to /tmp/hue_krb5_ccache (the value passed with -c), which is the path to the Kerberos ticket file used by Hue.
Enabling the Kerberos Ticket Renewer
Kerberos tickets have a default expiration time of 7 days. If you plan to use the Hue Kerberos ticket renewer in your cluster, enable this functionality by making changes to these two files:
- kdc.conf (add the max_renewable_life parameter)
- krb5.conf (add the renew_lifetime parameter)
Modifying the hue.ini File
In the kerberos section of the hue.ini file, make the following changes:
- Supply the path to Hue's Kerberos keytab file.
- Supply the Kerberos principal name for Hue.
- Supply the path to kinit.
- Configure the following in the [[mapred_clusters]] [[[default]]] section:
  - For versions prior to Hue 3.7-1505: Set security_enabled=True.
  - For Hue 3.7 versions prior to Hue 3.7-1505: Set mechanism=GSSAPI.
- For Hue with secure Hive: In the beeswax section, make sure that the hive_conf_dir property points to a directory containing a valid hive-site.xml file (either the original or a synced copy).
- For Hue with secure Hive: Provide the fully-qualified domain name (FQDN) for the hive_server_host.
  NOTE: For Hue to work with HiveServer2 with security enabled, you must provide the fully-qualified domain name (FQDN) for the hive_server_host. This must match the FQDN of the hue_principal property.
- Optional: To enable SSL encryption, see Enable SSL Encryption Between Hue and Hive.
- For Oozie only: Set the oozie_url parameter in the liboozie section.
  NOTE: For Hue to work with Oozie with security enabled, you must provide the URL where the Oozie service is running by setting the oozie_url parameter in the liboozie section.
- For Hbase with Hue 3.7 versions prior to Hue 3.7-1505: Set mechanism=GSSAPI in the [hbase] section.
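The FQDN requirements in the list above can be checked before restarting Hue. The following Python sketch is an added example, not part of the MapR or Hue distribution: the function names parse_hue_ini and check_kerberos_hosts and the sample file contents are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample with two deliberate mistakes (short host name, localhost URL).
SAMPLE_HUE_INI = """\
[desktop]
[[kerberos]]
hue_principal=mapr/perfnode181.perf.lab@dev-maprtech
[beeswax]
hive_server_host=perfnode181
[liboozie]
oozie_url=http://localhost:11000/oozie
"""

def parse_hue_ini(text):
    """Flatten nested [a] [[b]] [[[c]]] sections into {'a.b.c': {key: value}}."""
    path, out = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"(\[+)([^\[\]]+)(\]+)", line)
        if m and len(m.group(1)) == len(m.group(3)):
            depth = len(m.group(1))          # bracket count gives nesting depth
            path = path[:depth - 1] + [m.group(2).strip()]
            out.setdefault(".".join(path), {})
        elif "=" in line and path:
            key, value = line.split("=", 1)
            out[".".join(path)][key.strip()] = value.strip()
    return out

def check_kerberos_hosts(text):
    """List violations of the FQDN rules; 'contains a dot' is a heuristic for FQDN."""
    cfg, findings = parse_hue_ini(text), []
    principal = cfg.get("desktop.kerberos", {}).get("hue_principal", "")
    m = re.fullmatch(r"[^/@]+/([^/@]+)@[^@]+", principal)
    if not m:
        return ["hue_principal is not of the form name/<hostname>@<realm>"]
    principal_host = m.group(1).lower()
    hive_host = cfg.get("beeswax", {}).get("hive_server_host", "")
    if hive_host and "." not in hive_host:
        findings.append(f"hive_server_host '{hive_host}' is not an FQDN")
    elif hive_host and hive_host.lower() != principal_host:
        findings.append("hive_server_host does not match hue_principal host")
    oozie_url = cfg.get("liboozie", {}).get("oozie_url")
    host = urlparse(oozie_url or "").hostname or ""
    if oozie_url and "." not in host:
        findings.append(f"oozie_url host '{host}' is not an FQDN")
    return findings
```

Calling check_kerberos_hosts on the contents of a real hue.ini returns an empty list when the host values satisfy the rules above.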
The changes are summarized in the following hue.ini file, which you can use as a template:
[desktop]
[[kerberos]]
# Path to Hue's Kerberos keytab file
hue_keytab=/opt/mapr/conf/mapr.keytab
# Kerberos principal name for Hue
# hue_principal=mapr/<hostname>@<realm>
# Substitute your hostname and realm in the example below
hue_principal=mapr/perfnode181.perf.lab@dev-maprtech
# Path to kinit
# Note that the actual path depends on which Linux OS you are using
kinit_path=/usr/bin/kinit
[beeswax]
# If Kerberos security is enabled, use fully-qualified domain name
# (FQDN)
hive_server_host=perfnode181.perf.lab
# Hive configuration directory, where hive-site.xml is located.
hive_conf_dir=/opt/mapr/hive/hive-<version>/conf
[hadoop]
[[mapred_clusters]]
[[[default]]]
# Enter the host on which you are running the Hadoop JobTracker
## jobtracker_host=perfnode181.perf.lab
# jobtracker kerberos principal name
jt_kerberos_principal=mapr
# Change this if your MapReduce cluster is secured
security_enabled=${security_enabled}
# Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
mechanism=${mechanism}
[liboozie]
# The URL where the Oozie service runs on. This is required in order for
# users to submit jobs.
oozie_url=http://perfnode181.perf.lab:11000/oozie
# Requires FQDN in oozie_url if enabled
security_enabled=${security_enabled}
[hbase]
# Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
mechanism=${mechanism}
The security_enabled and mechanism properties are automatically configured based on cluster configuration. Therefore, you do not need to configure values.
Modifying the env.sh File
The env.sh file contains a setting for MapR login options that defaults to the value maprsasl. Change this value to hybrid, which includes Kerberos and other security protocols.
The new line (after the change) should look like this:
MAPR_LOGIN_OPTS="-Dhadoop.login=hybrid ${MAPR_JAAS_CONFIG_OPTS} ${MAPR_ZOOKEEPER_OPTS}"
Modifying the core-site.xml File
In the core-site.xml file, provide the shortname for the Kerberos principal as shown. In addition, verify that you configured the proxyuser during configuration. See Modifying the core-site.xml File for details.
<!-- Hue security configuration -->
<property>
<name>hue.kerberos.principal.shortname</name>
<value>mapr</value>
</property>
<property>
<name>hadoop.proxyuser.mapr.groups</name>
<value>*</value> <!-- A group that all users of Hue belong to, or the wildcard value "*" -->
</property>
<property>
<name>hadoop.proxyuser.mapr.hosts</name>
<value><hue_server_FQDN></value>
</property>
<property>
<name>hadoop.rpc.protection</name>
<value>authentication</value>
</property>
If you do not set the hadoop.rpc.protection property to authentication, you might not be able to view job details in the Job Browser.
Restarting Warden and Hue
After you make all the changes to the files listed above, restart Warden and Hue so the changes will take effect.