Configuring TLS/SSL for Hue

Hue as a TLS/SSL Client

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

Hue acts as a TLS/SSL client when communicating with Oozie, HBase and core Hadoop services. This means Hue may have to authenticate HDFS, MapReduce, and YARN daemons, as well as the HBase Thrift Server, and will need their certificates (or the relevant CA certificate) in its truststore.

Deploying the Hue Truststore:

You can create the Hue truststore by consolidating certificates of all TLS/SSL-enabled servers (or a single CA certificate chain) that Hue communicates with into one file. This will generally include certificates of all the HDFS, MapReduce and YARN daemons, and other TLS/SSL-enabled services such as Oozie.

The Hue truststore must be in PEM format whereas other services use JKS format by default. Hence, to populate the Hue truststore, you will need to extract the certificates from Hadoop's JKS keystores and convert them to PEM format. The following example assumes that hadoop-server.keystore contains the server certificate identified by alias foo-1.example.com and password example123.
$ keytool -exportcert -keystore hadoop-server.keystore -alias foo-1.example.com \
        -storepass example123 -file foo-1.cert
$ openssl x509 -inform der -in foo-1.cert > foo-1.pem
Once you've done this for each host in the cluster, you can concatenate the PEM files into one PEM file that can serve as the Hue truststore.
$ cat foo-1.pem foo-2.pem ... > huetrust.pem
In Cloudera Manager, set TLS/SSL Truststore to the path of the consolidated PEM file, huetrust.pem:
  1. Logon to Cloudera Manager Admin Console and go to the Hue service.
  2. Click Configuration.
  3. Select Scope > Hue Server.
  4. Select Category > Security.
  5. Find the property, TLS/SSL Truststore.
  6. Enter the path to huetrust.pem on the host running the Hue web server.
  7. Click Save Changes.
  8. Restart the Hue service.

Hue as a TLS/SSL Server

Hue expects certificates and keys to be stored in PEM format. When managing certificates and keys for such services, using the openssl tool may be more convenient. To configure Hue to use HTTPS, you can generate a private key and certificate as described in Creating Certificates. Since Hue uses certificates in PEM format, you can reuse a host's existing Java keystore by converting it to the PEM format. For instructions, see Conversion from Java Keystore to OpenSSL.

Ensure secure session cookies for Hue have been enabled in hue.ini under [desktop]>[[session]].
[desktop]
  [[session]]
  secure=true

Enabling TLS/SSL for the Hue Server at the Command Line

If you are not using Cloudera Manager, update the following properties in hue.ini under [desktop].
[desktop]
 ssl_certificate=/path/to/server.cert
 ssl_private_key=/path/to/server.key
 ssl_password=<private_key_password>
You can also store ssl_password more securely in a script and set this parameter instead:
ssl_password_script=<your_hue_passwords_script.sh>
For more, see Storing Hue Passwords in a Script.

Enabling TLS/SSL for the Hue Server in Cloudera Manager

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

Perform the following steps in Cloudera Manager to enable TLS/SSL for the Hue web server.
  1. Open the Cloudera Manager Admin Console and go to the Hue service.
  2. Click Configuration.
  3. Select Scope > Hue Server.
  4. Select Category > Security.
  5. Edit the following TLS/SSL properties according to your cluster configuration.
    Property                             Description
    Enable HTTPS                         Enable HTTPS for the Hue web server.
    Local Path to TLS/SSL Certificate    Path to the TLS/SSL certificate on the host running the Hue web server.
    Local Path to TLS/SSL Private Key    Path to the TLS/SSL private key on the host running the Hue web server.
    If the private key has a password:
    1. Select Scope > Hue-1 (Service-Wide).
    2. Select Category > Advanced.
    3. Locate the field, Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini.
    4. Add the TLS/SSL password parameter in the [desktop] section as follows:
      [desktop]
      ssl_password=<private_key_password>
      You can also store ssl_password more securely in a script and set this parameter instead:
      ssl_password_script=<your_hue_passwords_script.sh>
      For more, see Storing Hue Passwords in a Script.

    If more than one role group applies to this configuration, edit the value for the appropriate role group. See Modifying Configuration Properties Using Cloudera Manager.

  6. Click Save Changes.
  7. Restart the Hue service.
For more details on configuring Hue with TLS/SSL, see this blog post.

Enabling Hue TLS/SSL Communication with HiveServer2

In CDH 5.5.x and higher, HiveServer2 is enabled for TLS/SSL communication by default.

By providing a CA certificate, private key, and public certificate, Hue can communicate with HiveServer2 over TLS/SSL. You can now configure the following properties in the [beeswax] section under [[ssl]] in the Hue configuration file, hue.ini.
enabled

Choose to enable/disable TLS/SSL communication for this server.

Default: false

cacerts

Path to Certificate Authority certificates.

Default: /etc/hue/cacerts.pem

validate

Choose whether Hue should validate certificates received from the server.

Default: true

Enabling Hue TLS/SSL Communication with Impala

By providing a CA certificate, private key, and public certificate, Hue can communicate with Impala over TLS/SSL. You can configure the following properties in the [impala] section under [[ssl]] in the Hue configuration file, hue.ini.
enabled

Choose to enable/disable TLS/SSL communication for this server.

Default: false

cacerts

Path to Certificate Authority certificates.

Default: /etc/hue/cacerts.pem

validate

Choose whether Hue should validate certificates received from the server.

Default: true

Securing Database Connections using TLS/SSL

Connections vary depending on the database. Hue uses different clients to communicate with each database internally. Client-specific options, such as secure connectivity, can be passed through the interface.

For example, for MySQL you can enable TLS/SSL communication by specifying the options configuration property under the [desktop]>[[database]] section in hue.ini. Here we identify the Certificate Authority (CA) certificate:

[desktop]
  [[database]]
    …
    options={"ssl":{"ca":"/tmp/ca-cert.pem"}}
You can also identify public and private keys, for example:
options='{"ssl": {"ca": "/tmp/newcerts2/ca.pem", "key": "/tmp/newcerts2/client-key.pem", "cert": "/tmp/newcerts2/client-cert.pem"}}'
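An added example (not Cloudera's or the Hue project's code) that reads a hue.ini with the nesting used above and reports the weak settings this page warns about: session cookies not secure, HTTPS not configured under [desktop], and [[ssl]] disabled or validate=false for HiveServer2 ([beeswax]) and Impala ([impala]). The parser and the finding text are mine; section and property names and their defaults come from the page.

```python
# Added example, not Cloudera's or Hue's own code: audit the hue.ini TLS settings this
# page describes. hue.ini nests sections configobj-style, so a tiny parser is included.
import re

SECTION_RE = re.compile(r"^(\[+)([^\[\]]+)\]+$")  # [desktop] -> depth 1, [[ssl]] -> depth 2

def parse_hue_ini(text):
    """Return {"desktop/session": {"secure": "false"}, ...} keyed by nested section path."""
    config, path = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:  # nesting depth is the number of leading '['
            path = path[:len(m.group(1)) - 1] + [m.group(2).strip()]
            config.setdefault("/".join(path), {})
        elif "=" in line and path:
            key, _, value = line.partition("=")
            config["/".join(path)][key.strip()] = value.strip().strip("'\"")
    return config

def audit_tls(config):
    """Return findings for the settings on this page; an empty list means none were weak."""
    get = lambda sec, key, default="": config.get(sec, {}).get(key, default).lower()
    findings = []
    if get("desktop/session", "secure") != "true":
        findings.append("desktop/session: secure is not true; session cookie may be sent over HTTP")
    if not (get("desktop", "ssl_certificate") and get("desktop", "ssl_private_key")):
        findings.append("desktop: ssl_certificate/ssl_private_key unset; web UI is not HTTPS")
    for svc in ("beeswax", "impala"):  # page defaults: enabled=false, validate=true
        if get(f"{svc}/ssl", "enabled", "false") != "true":
            findings.append(f"{svc}/ssl: enabled is false; {svc} traffic is plaintext")
        elif get(f"{svc}/ssl", "validate", "true") != "true":
            findings.append(f"{svc}/ssl: validate is false; server certificate is not checked")
    return findings

WEAK_INI = """# constructed sample with several weak settings
[desktop]
  [[session]]
  secure=false
[beeswax]
  [[ssl]]
  enabled=true
  validate=false
[impala]
  [[ssl]]
  enabled=false
"""
```

Running audit_tls(parse_hue_ini(WEAK_INI)) yields four findings; a configuration with secure=true, both ssl_* paths set, and enabled=true with validate left at its default for both services yields none.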

Storing Hue Passwords in a Script

In CDH 5.4, Hue added the ability to store passwords in a secure script and pull passwords from stdout. On startup, Hue runs one or more password scripts and grabs each password from stdout.

In hue.ini, add the suffix, _script, to any password property and set it equal to the script name. In Cloudera Manager, set these properties in the configuration field, Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini. For example:

[desktop]
ldap_username=hueservice
ldap_password_script="/var/lib/hue/<your_hue_passwords_script.sh> ldap_password"
ssl_password_script="/var/lib/hue/<your_hue_passwords_script.sh> ssl_password"

[[ldap]]
bind_password_script="/var/lib/hue/<your_hue_passwords_script.sh> bind_password"

[[database]]
password_script="/var/lib/hue/<your_hue_passwords_script.sh> database_password"

Store the script in a directory that only the hue user can read, write, and execute. You can have one script per password or one script with parameters for all passwords. Here is an example of a script with parameters for multiple passwords:

#!/bin/bash
# Prints the password named by the first argument on stdout; Hue captures it at startup.

SERVICE=$1

if [[ ${SERVICE} == "ldap_password" ]]
then
   echo "password"
fi

if [[ ${SERVICE} == "ssl_password" ]]
then
   echo "password"
fi

if [[ ${SERVICE} == "bind_password" ]]
then
   echo "Password1"
fi

if [[ ${SERVICE} == "database_password" ]]
then
   echo "password"
fi
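To show how the _script mechanism behaves end to end, an added example that is not Hue's own code: read_password runs the configured command string and takes the first line of stdout as the secret, and it refuses a script that group or other users can access. That ownership/mode check is mine, added because the page says to keep the script where only the hue user can read, write and execute it; the sample script and its path are constructed.

```python
# Added example, not Hue's own code: mimic the *_script mechanism described above.
# The command from hue.ini is run and the first line of stdout is the password; the
# ownership/mode check before running it is added here, the page does not say Hue does it.
import os
import shlex
import stat
import subprocess
import tempfile

def script_problem(path):
    """Return None if only the owner can access `path`, otherwise the reason."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return "readable, writable or executable by group/other"
    if st.st_uid != os.geteuid():
        return "not owned by the user running Hue"
    return None

def read_password(command):
    """Run e.g. "/var/lib/hue/pw.sh ldap_password" and return the first line of stdout."""
    argv = shlex.split(command)
    problem = script_problem(argv[0])
    if problem:
        raise PermissionError(f"{argv[0]}: {problem}")
    out = subprocess.run(argv, capture_output=True, text=True, check=True, timeout=10)
    return out.stdout.splitlines()[0] if out.stdout else ""

SAMPLE_SCRIPT = """#!/bin/sh
# constructed sample: one script, the password name as its only parameter
case "$1" in
  ldap_password) echo "ldap-secret" ;;
  ssl_password)  echo "key-secret" ;;
  *) echo "unknown password name: $1" >&2; exit 1 ;;
esac
"""

def demo():
    """Install the sample with mode 0700, read one password, then show 0755 is refused."""
    path = os.path.join(tempfile.mkdtemp(), "hue_passwords.sh")
    with open(path, "w") as fh:
        fh.write(SAMPLE_SCRIPT)
    os.chmod(path, 0o700)
    ldap = read_password(f"{path} ldap_password")
    os.chmod(path, 0o755)  # world-readable: a plain-text secret anyone on the host can run
    try:
        read_password(f"{path} ssl_password")
        refused = False
    except PermissionError:
        refused = True
    return ldap, refused
```

The sample script exits non-zero for an unknown password name, so a typo in the hue.ini argument surfaces as a startup error instead of an empty password.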