Hue Authentication

This page describes properties in the Hue configuration file, hue.ini, that support authentication and Hue security in general.

For information on configuring Hue with Kerberos encrypting session communication, and enabling single sign-on with SAML, see:

Enabling LDAP Authentication with HiveServer2 and Impala

LDAP authentication with HiveServer2 and Impala can be enabled by setting the following properties under their respective sections in hue.ini, [beeswax] and [impala].

auth_username LDAP username of Hue user to be authenticated.
auth_password

LDAP password of Hue user to be authenticated.

These login details are only used by Impala and Hive to authenticate to LDAP. The Impala and Hive services trust Hue to have already validated the user being impersonated, rather than simply passing on the credentials.

Securing Sessions

When a session expires, the screen blurs and the user is automatically logged out of the Hue Web UI. Logging on returns the user to same location.

Session Timeout

User sessions are controlled with the ttl (time-to-live) property under [desktop]> [[session]] in hue.ini. After n seconds, the session expires whether active or not.

ttl

The cookie with the users session ID expires after n seconds.

Default: ttl=1209600 which is 60*60*24*14 seconds or 2 weeks

Idle Session Timeout

Idle sessions are controlled with the idle_session_timeout property under [desktop] > [[auth]] in hue.ini. Sessions that are idle for n seconds, expire. You can disable this property by setting it to a negative value.

idle_session_timeout

User session IDs expire after idle for n seconds. A negative value means idle sessions do not expire.

idle_session_timeout=900 means that sessions expire after being idle for 15 minutes

idle_session_timeout=-1 means that idle sessions do not expire (until ttl)

Secure Login

Login properties are set in hue.ini under [desktop] > [[auth]]. They are based on django-axes 1.5.0.

change_default_password If true, users must change password on first login.

Must enable backend=desktop.auth.backend.AllowFirstUserDjangoBackend

expires_after User accounts are disabled n seconds after logout. If negative, user sessions never expire.
expire_superusers Apply expires_after to superusers.
login_cooloff_time Failed logins are forgotten after n seconds.
login_failure_limit Number of login attempts allowed before a record is created for failed logins.
login_lock_out_at_failure If true, lock out IP after exceeding login_failure_limit.

If login_lock_out_by_combination_user_and_ip=true, lock out IP and user.

If login_lock_out_use_user_agent=true, also lock out user agent.

login_lock_out_by_combination_user_and_ip If true, lock out IP and user.
login_lock_out_use_user_agent If true, lock out user agent (such as a browser).

Secure Cookies

Secure session cookies can be enabled by specifying the secure configuration property under the [desktop]> [[session]] section in hue.ini. Additionally, you can set the http_only flag for cookies containing users' session IDs.

secure

The cookie with the user session ID is secure. Should only be enabled with HTTPS.

Default: false

http_only

The cookie with the user session ID uses the HTTP only flag.

Default: true

If the HttpOnly flag is included in the HTTP response header, the cookie cannot be accessed through a client side script.

expire_at_browser_close

Use session-length cookies. Logs out the user when the browser window is closed.

Default: false

Allowed HTTP Methods

You can specify the HTTP request methods that the server should respond to using the http_allowed_methods property under the [desktop] section in hue.ini.

http_allowed_methods

Default: options,get,head,post,put,delete,connect

Restricting the Cipher List

Cipher list support with HTTPS can be restricted by specifying the ssl_cipher_list configuration property under the [desktop] section in hue.ini.

ssl_cipher_list

Default: !aNULL:!eNULL:!LOW:!EXPORT:!SSLv2

URL Redirect Whitelist

Restrict the domains or pages to which Hue can redirect users. The redirect_whitelist property can be found under the [desktop] section in hue.ini.

redirect_whitelist For example, to restrict users to your local domain and FQDN, the following value can be used: ^\/.*$,^http:\/\/www.mydomain.com\/.*$

Oozie Permissions

Access to the Oozie dashboard and editor can be individually controlled in the Hue Web UI under User Admin > Groups.
Groups Property in UI Description
oozie.dashboard_jobs_access Enable Oozie Dashboard read-only access for all jobs.

Default: true

oozie.disable_editor_access Disable Oozie Editor access.

Default: false