Pivotal Knowledge Base

How to configure Hue to access Hadoop services using Kerberos

Environment

Product       Version
Pivotal HD    3.0.x
OS            RHEL 6.x

Purpose

This article discusses how to configure Hue to access Hadoop services using Kerberos.

Please refer to the procedure in this article if you want to use Hue to access Hadoop services secured with Kerberos.

Procedure

1. Create a Hue user principal in the same realm as the Hadoop cluster on the KDC server

# addprinc -randkey hue/<FQDN>@<REALM>

Replace <FQDN> with the fully qualified domain name of the host where the Hue server is running.

Replace <REALM> with the name of your Kerberos realm.

In the examples in this article, the FQDN is admin.hadoop.local and the REALM is PIVOTAL.IO.

# kadmin.local -q "addprinc -randkey hue/admin.hadoop.local@PIVOTAL.IO"

2. Create a keytab file with the Hue user principal

# kadmin.local -q "xst -k /root/keytabs/hue.service.keytab hue/admin.hadoop.local@PIVOTAL.IO"

3. Distribute the keytab file to the machine that runs the Hue server. The file is normally placed in /etc/security/keytabs/

4. Change the ownership of the keytab file so that it is owned by the user that runs the Hue server and the group hadoop, and change the permissions of the keytab file to 400

5. Test that the keytab file works

# kinit -kt /etc/security/keytabs/hue.service.keytab hue/admin.hadoop.local@PIVOTAL.IO
[root@admin keytabs]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hue/admin.hadoop.local@PIVOTAL.IO

Valid starting     Expires            Service principal
12/01/15 07:59:48  12/02/15 07:59:48  krbtgt/PIVOTAL.IO@PIVOTAL.IO
        renew until 12/01/15 07:59:48

6. Edit the kerberos section in the hue.ini configuration file (typically under /etc/hue/conf) on the host running the Hue server

[[kerberos]]
# Path to Hue's Kerberos keytab file
hue_keytab=/etc/security/keytabs/hue.service.keytab
# Kerberos principal name for Hue
hue_principal=hue/admin.hadoop.local@PIVOTAL.IO
# Path to kinit
kinit_path=/usr/bin/kinit
## Frequency in seconds with which Hue will renew its keytab. Default 1h.
reinit_frequency=3600
## Path to keep Kerberos credentials cached.
ccache_path=/tmp/hue_krb5_ccache

[[hdfs_clusters]]
  [[[default]]]
  # Enter the filesystem uri
  fs_defaultfs=hdfs://<namenode host>:<namenode port>
  webhdfs_url=http://<HttpFS server FQDN>:<HttpFS server port>/webhdfs/v1
  security_enabled=true

[hcatalog]
  security_enabled=true

[beeswax]
  hive_conf_dir=/etc/hive/conf

Note:

  • Replace the principal names and the path of the keytab file accordingly.
  • If you need to use the Beeswax interface in Hue, ensure hive_conf_dir is set to the correct Hive configuration directory, where the Kerberos configuration parameters are already set correctly.

7. Edit the core-site.xml configuration file in the Ambari web UI by adding the following properties. The HDFS service must be restarted for the changes to take effect. The value * places no restriction on the hosts Hue may connect from or on the groups whose users it may impersonate.

<property>
  <name>hue.kerberos.principal.shortname</name>
  <value>hue</value>
</property>
<property>
  <name>hadoop.proxyuser.hue.hosts</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.hue.groups</name>
  <value>*</value>
</property>

8. Restart the Hue service.

# service hue restart 
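
A check for step 4, as an added example that is not part of the original article: the function confirms that the keytab is a regular file with mode 400 and the expected owner and group. The owner name hue in the usage comment is an assumption (the article only says "the user that runs Hue server"), and stat -c assumes GNU coreutils as shipped on RHEL.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Usage: sh check_keytab.sh KEYTAB OWNER GROUP
#   e.g. sh check_keytab.sh /etc/security/keytabs/hue.service.keytab hue hadoop
#   ("hue" as the Hue server's OS user is an assumption; the article does not name it)
# Requires GNU stat (coreutils), as shipped on RHEL.

# check_keytab FILE OWNER GROUP
# Returns 0 only if FILE is a regular, non-symlink file owned by OWNER:GROUP
# with mode exactly 400. Prints one line per problem found to stderr.
check_keytab() {
    kt=$1; want_owner=$2; want_group=$3
    rc=0

    # A symlink could point the service at a keytab with different permissions.
    if [ -L "$kt" ] || [ ! -f "$kt" ]; then
        echo "FAIL: $kt is missing, a symlink, or not a regular file" >&2
        return 1
    fi

    mode=$(stat -c '%a' "$kt")    # octal permission bits, e.g. 400
    owner=$(stat -c '%U' "$kt")   # owning user name
    group=$(stat -c '%G' "$kt")   # owning group name

    if [ "$mode" != "400" ]; then
        echo "FAIL: $kt has mode $mode, expected 400" >&2
        rc=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $kt is owned by $owner, expected $want_owner" >&2
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: $kt has group $group, expected $want_group" >&2
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $kt is $want_owner:$want_group mode 400"
    return "$rc"
}

# Run the check only when called with the three arguments.
if [ "$#" -eq 3 ]; then
    check_keytab "$1" "$2" "$3"
fi
```

A non-zero exit status means the keytab does not match step 4 and should be corrected before Hue is restarted.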
