Step 9: Enable Hue to Work with Hadoop Security using Cloudera Manager

Minimum Required Role: Cluster Administrator (also provided by Full Administrator)

For Hue to work properly with a secure Kerberos cluster deployed with Cloudera Manager, you must add the Kerberos Ticket Renewer to the Hue service. You can do so in Cloudera Manager by adding a Kerberos Ticket Renewer role instance on each host with a Hue Server role.

The Hue Kerberos Ticket Renewer only renews tickets for the Hue service principal, hue/<hostname>@<YOUR-REALM.COM>. The Hue principal impersonates other users for applications within Hue such as the Job Browser, File Browser and so on.

Core Hadoop services such as HDFS and MapReduce do not use the Hue Kerberos Ticket Renewer. They obtain tickets at startup and use those tickets to obtain Delegation Tokens for variou access privileges. Each service handles its own ticket renewal as needed.

Adding a Kerberos Ticket Renewer role instance in Cloudera Manager:
  1. Go to the Hue service.
  2. Click the Instances tab.
  3. Click the Add Role Instances button.
  4. Assign the Kerberos Ticket Renewer role instance to the same host as the Hue server.

    When the wizard status is Finished, the Kerberos Ticket Renewer role instance is configured. The Hue service now works with the secure Hadoop cluster.

  5. Repeat these steps for each Hue Server role.

Troubleshooting the Kerberos Ticket Renewer:

If the Hue Kerberos Ticket Renewer does not start, check the configuration of your Kerberos Key Distribution Center (KDC). Look at the ticket renewal property, maxrenewlife, to ensure that the principals, hue/<hostname> and krbtgt, are renewable. If these principals are not renewable, run the following commands on the KDC to enable them:
kadmin.local: modprinc -maxrenewlife 90day krbtgt/YOUR_REALM.COM
kadmin.local: modprinc -maxrenewlife 90day +allow_renewable hue/<hostname>@YOUR-REALM.COM