This is the documentation for CDH 5.1.x. Documentation for other versions is available at Cloudera Documentation.

Hue Security Configuration

The following sections describe how to configure Hue CDH 5 with Kerberos security, enabling single sign-on with SAML and encrypting communication between Hue and other services among other available configuration settings.

  Important:

To enable Hue to work with Kerberos security on your Hadoop cluster, make sure you perform the installation and configuration steps in Configuring Hadoop Security in CDH 5.

Hue Security Enhancements

Enabling SSL Communication with HiveServer2

By providing a CA certificate, private key, and public certificate, Hue can communicate with HiveServer2 over SSL. You can now configure the following properties in the [beeswax] section under [[ssl]] in the Hue configuration file, hue.ini.
enabled

Choose to enable/disable SSL communication for this server.

Default: false

cacerts

Path to Certificate Authority certificates.

Default: /etc/hue/cacerts.pem

key

Path to the private key file.

Default: /etc/hue/key.pem

cert

Path to the public certificate file.

Default: /etc/hue/cert.pem

validate

Choose whether Hue should validate certificates received from the server.

Default: true

Secure Database Connection

Connections vary depending on the database. Hue uses different clients to communicate with each database internally. They all specify a common interface known as the DBAPI version 2 interface. Client specific options, such as secure connectivity, can be passed through the interface. For example, for MySQL you can enable SSL communication by specifying the options configuration property under the desktop>[[database]] section in hue.ini.

[desktop]
  [[databases]]
    …
    options={"ssl":{"ca":"/tmp/ca-cert.pem"}}

Session Timeout

Session timeouts can be set by specifying the ttl configuration property under the [desktop]>[[session]] section in hue.ini.

ttl

The cookie containing the users' session ID will expire after this amount of time in seconds.

Default: 60*60*24*14

Secure Cookies

Secure session cookies can be enable by specifying the secure configuration property under the [desktop]>[[session]] section in hue.ini. Additionally, you can set the http-only flag for cookies containing users' session IDs.

secure

The cookie containing the users' session ID will be secure. Should only be enabled with HTTPS.

Default: false

http-only

The cookie containing the users' session ID will use the HTTP only flag.

Default: false

Allowed HTTP Methods

You can specify the HTTP request methods that the server should respond to using the http_allowed_methods property under the [desktop] section in hue.ini.

http_allowed_methods

Default: options,get,head,post,put,delete,connect

Restricting the Cipher List

Cipher list support with HTTPS can be restricted by specifying the ssl_cipher_list configuration property under the [desktop] section in hue.ini.

ssl_cipher_list

Default: !aNULL:!eNULL:!LOW:!EXPORT:!SSLv2

URL Redirect Whitelist

Restrict the domains or pages to which Hue can redirect users. The redirect_whitelist property can be found under the [desktop] section in hue.ini.

redirect_whitelist

For example, to restrict users to your local domain and FQDN, the following value can be used:

^\/.*$,^http:\/\/www.mydomain.com\/.*$
Page generated September 3, 2015.