Configuring TLS/SSL for Hue

Hue as a TLS/SSL Client

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

Hue acts as a TLS/SSL client when communicating with other services such as core Hadoop, HBase, Oozie and Amazon S3. This means Hue must authenticate HDFS, MapReduce, YARN daemons, the HBase Thrift server, and so on. To do so, Hue needs the certificate chains of their hosts in its truststore.

The Hue truststore is a single PEM file that contains the CA root, and all intermediate certificates, to authenticate the certificate installed on each TLS/SSL-enabled server. These servers host the various services with which Hue communicates.

Creating a Hue Truststore File in PEM Format

Server certificates are stored in JKS format and must be converted to PEM. To create the Hue truststore, extract each certificate from its keystore with keytool, convert to PEM format with openssl, and add to the truststore.

  1. Extract the certificate from the keystore of each TLS/SSL-enabled server with which Hue communicates.
    For example, hadoop-server.jks contains server certificate, foo-1.example.com, and password, example123.
    keytool -exportcert -keystore hadoop-server.jks -alias foo-1.example.com -storepass example123 -file foo-1.cert
  2. Convert each certificate into a PEM file.
    openssl x509 -inform der -in foo-1.cert > foo-1.pem
  3. Concatenate all the PEM certificates into one PEM file.
    cat foo-1.pem foo-2.pem foo-n.pem ... > hue_trustore.pem

Configuring Hue as a TLS/SSL Client with Cloudera Manager

  1. Go to the Hue service and click the Configuration tab.
  2. Filter by Scope > Hue Server and Category > Security.
  3. Find the property, Hue TLS/SSL Server CA Certificate (PEM Format), or ssl_cacerts.
  4. Enter the path to <hue_truststore>.pem on the host running the Hue web server.
  5. Click Save Changes.
  6. Select Actions > Restart to restart the Hue service.

Configuring Hue as a TLS/SSL Client at the Command Line

For unmanaged deployments only, manually set ssl_cacerts in hue.ini to the path of the <hue_truststore>.pem file:
[desktop]
# Path to default Certificate Authority certificates.
ssl_cacerts=/etc/hue/<hue_truststore>.pem

Hue as a TLS/SSL Server

Hue and other Python-based services expect certificates and keys to be stored in PEM format. You can manage such services with the openssl tool. To configure Hue to use HTTPS, generate a private key and certificate as described in Configuring TLS Encryption for Cloudera Manager and reuse a host's existing Java keystore by converting it to the PEM format. See Converting JKS Key and Certificate to PEM.

Enabling TLS/SSL for the Hue Server with Cloudera Manager

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

  1. Go to the Hue service and click Configuration.
  2. Filter by Scope > Hue Server and Category > Security.
  3. Edit the following TLS/SSL properties according to your cluster configuration.
    Property Description

    Enable TLS/SSL for Hue

    Encrypt communication between clients and Hue with TLS/SSL.

    Hue TLS/SSL Server Certificate File (PEM Format)

    ssl_certificate

    Path to TLS/SSL certificate on host running Hue web server.

    Hue TLS/SSL Server Private Key File (PEM Format

    ssl_private_key

    Path to TLS/SSL private key on host running Hue web server.

    Hue TLS/SSL Private Key Password

    ssl_password

    Password for private key in Hue TLS/SSL Server Certificate and Private Key file.

    You can also store ssl_password more securely in a script and set this parameter instead:
    ssl_password_script=<your_hue_passwords_script.sh>
    For more, see Storing Hue Passwords in a Script.

    To apply this configuration property to other role groups as needed, edit the value for the appropriate role group. See Modifying Configuration Properties Using Cloudera Manager.

  4. Click Save Changes.
  5. Select Actions > Restart to restart the Hue service.

For more details on configuring Hue with TLS/SSL, see this blog post.

Enabling TLS/SSL for the Hue Server at the Command Line

  1. Enable secure session cookies in hue.ini under [desktop]>[[session]].
    [desktop]
      [[session]]
      secure=true
  2. Edit the following properties in hue.ini under [desktop].
    [desktop]
     ssl_certificate=/path/to/server.cert
     ssl_private_key=/path/to/server.key
     ssl_password=<private_key_password>
    You can store ssl_password more securely in a script and set this parameter instead:
    ssl_password_script=<your_hue_passwords_script.sh>
    For more, see Storing Hue Passwords in a Script.

Enabling TLS/SSL for the Hue Load Balancer

To configure the Hue Load Balancer to use HTTPS or to make it act as a TLS/SSL server, you need a self-signed SSL certificate and a private key file. If the private key file is password protected then you must configure the Hue Load Balancer to use the corresponding key password.

  1. Sign in to the Cloudera Manager web interface as an Administrator.
  2. Go to Clusters > $Hue service > Configuration > Scope > Load Balancer and search for SSL.
  3. Enter the path to the file containing the server certificate key for TLS/SSL on the host running Hue Load Balancer in the Hue Load Balancer TLS/SSL Server Certificate File (PEM Format) field.

    The certificate file must be in PEM format.

  4. Enter the path TLS/SSL file containing the private key used for TLS/SSL on the host running Hue Load Balancer in the Hue Load Balancer TLS/SSL Server Private Key File (PEM Format) field.

    The certificate file must be in PEM format.

  5. (Optional) If the private key file is password protected:
    1. Create a password file in your chosen security directory and insert the private key password as shown in the following example:
      echo "abc123" > /etc/security/password.txt

      Where abc123 is the private key password and password.txt is the password file.

    2. Set the file ownership and permissions as shown in the following example:
      chown hue:hue password.txt
      chmod 700 password.txt
    3. Enter the path to the file containing the passphrase used to encrypt the private key of the Hue Load Balancer server in the Hue Load Balancer TLS/SSL Server SSLPassPhraseDialog field.
  6. Click Save Changes.
  7. Restart the Hue service.

Enabling Hue TLS/SSL Communication with HiveServer2

In CDH 5.5.x and higher, HiveServer2 is enabled for TLS/SSL communication by default.

To enable communication between Hue and HiveServer2 using TLS/SSL, Hue needs the Hive certificate and certificate chain.
  1. Log in to Cloudera Manager as an administrator.
  2. Go to Clusters > $Hue service > Configuration and add the following section in the Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini field:
    [beeswax]
      [[ssl]]
        enabled=true ## default: false
        cacerts=/etc/hue/cacerts.pem ## Path to Certificate Authority certificates
        validate=true ##Choose whether Hue should validate certificates received from the server. Default: true
  3. Click Save Changes.
  4. Restart the Hue service.

Enabling Hue TLS/SSL Communication with Impala

In CDH 5.5.x and higher, Impala is enabled for TLS/SSL communication by default.

For Hue to communicate with Impala using TLS/SSL, Hue needs the Impala certificate and certificate chain.
  1. Log in to Cloudera Manager as an administrator.
  2. Go to Clusters > $Hue service > Configuration and add the following section in the Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini field:
    [impala]
      [[ssl]]
        enabled=true ## default: false
        cacerts=/etc/hue/cacerts.pem ## Path to Certificate Authority certificates
        validate=true ##Choose whether Hue should validate certificates received from the server. Default: true
  3. Click Save Changes.
  4. Restart the Hue service.

Securing Database Connections using TLS/SSL

Hue uses different clients to communicate with each database internally. Client-specific options, such as secure connectivity can be configured using Cloudera Manager.

To enable TLS/SSL for the backend database:
  1. Log in to Cloudera Manager as an administrator.
  2. Go to Clusters > $Hue service > Configuration and add the following section in the Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini field:
    [desktop] 
      [[databases]] 
        … 
        options={"ssl":{"ca":"/tmp/ca-cert.pem"}}
    This identifies the Certificate Authority (CA) certificate for the backend database. You can also identify public and private keys as follows:
    options='{"ssl": {"ca": "/tmp/newcerts2/ca.pem", "key": "/tmp/newcerts2/client-key.pem", "cert": “/tmp/newcerts2/client-cert.pem"}}'
  3. Click Save Changes.
  4. Restart the Hue service.

Storing Hue Passwords in a Script

In CDH 5.4, Hue added the ability to store passwords in a secure script and pull passwords from stdout. On startup, Hue runs one or more passwords scripts and grabs each password from stdout.

In hue_ini, add the suffix, _script, to any password property and set it equal to the script name. In Cloudera Manager, set these properties in the configuration field, ​Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini. For example:

[desktop]
ldap_username=hueservice
ldap_password_script="/var/lib/hue/<your_hue_passwords_script.sh> ldap_password"
ssl_password_script="/var/lib/hue/<your_hue_passwords_script.sh> ssl_password"

[[ldap]]
bind_password_script="/var/lib/hue/<your_hue_passwords_script.sh> bind_password"

[[database]]
password_script="/var/lib/hue/<your_hue_passwords_script.sh> database"

Store the script in a directory that only the hue user can read, write, and execute. You can have one script per password or one script with parameters for all passwords. Here is an example of a script with parameters for multiple passwords:

#!/bin/bash

SERVICE=$1

if [[ ${SERVICE} == "ldap_password" ]]
then
   echo "password"
fi

if [[ ${SERVICE} == "ssl_password" ]]
then
   echo "password"
fi

if [[ ${SERVICE} == "bind_password" ]]
then
   echo "Password1"
fi

if [[ ${SERVICE} == "database_password" ]]
then
   echo "password"
fi