Auditing User Administration Operations with Hue and Cloudera Navigator

Auditing User Administration Operations with Hue and Cloudera Navigator

With the latest release of Hue 3.9, we’ve added an additional layer of monitoring for Hue administrators.

Hue user administration operations can now be audited and written to a configurable audit log. Administrators can then use Cloudera Navigator’s Auditing Component to view, search, filter, and generate reports on these audited events.

Navigator blog post diagram

Tracking and audit events like the logins in Hue


Hue admins can thus easily monitor superuser operations such as adding/editing users and groups, editing permissions, and user logins/logouts. Most importantly, admins can easily detect when unauthorized attempts at these operations have been made, and capture the related metadata for those unauthorized attempts.

To enable and configure the log file used for the audit log, there are 2 new configuration properties that have been added to the hue.ini file, and can be overridden in Cloudera Manager’s Service Access Audit Log Properties controls.

# The directory where to store the auditing logs. Auditing is disable if the value is empty.
# e.g. /var/log/hue/audit.log

# Size in KB/MB/GB for audit log to rollover.

After configuring the audit log and restarting Hue, you can then start viewing the audited operations by tailing the log:

$ tail logs/audit.log

{"username": "admin", "impersonator": "hue", "eventTime": 1447271632364, "operationText": "Successful login for user: admin", "service": "accounts", "url": "/accounts/login/", "allowed": true, "operation": "USER_LOGIN", "ipAddress": ""}
{"username": "admin", "impersonator": "hue", "eventTime": 1447271704937, "operationText": "Created Group: admins, with member(s): jennykim, admin, hue", "service": "useradmin", "url": "/useradmin/groups/new", "allowed": true, "operation": "CREATE_GROUP", "ipAddress": ""}
{"username": "admin", "impersonator": "hue", "eventTime": 1447271778278, "operationText": "Created Group: readonly, with member(s): ", "service": "useradmin", "url": "/useradmin/groups/new", "allowed": true, "operation": "CREATE_GROUP", "ipAddress": ""}
{"username": "admin", "impersonator": "hue", "eventTime": 1447271788277, "operationText": "Successfully edited permissions: useradmin/access", "service": "useradmin", "url": "/useradmin/permissions/edit/useradmin/access", "allowed": true, "operation": "EDIT_PERMISSION", "ipAddress": ""}

Each audited record contains fields for:

  • username of the user executing the action
  • impersonator user (always “hue” in this case)
  • eventTime in milliseconds since epoch
  • allowed, true if operation was authorized, false otherwise
  • operationText, descriptive text of the operation
  • service
  • url
  • ipAddress of client

Currently, Hue audits the following authentication and useradmin actions:


If you are running Hue with Cloudera Enterprise, you can then view and manage the audit report from Cloudera Navigator and filter on the Service Name for Hue, in this case “HUE-1”:

Navigator Audits

Navigator Audits


You can expand any audit record to view the metadata for a given operation, including whether it was allowed/authorized, the impersonated user and additional details specific to the operation.

Navigator Audit Details

Navigator Audit Details


Hue + Navigator provide rich data discovery, audit and policy enforcement features and Hue is evolving in a more enterprise compliance friendly product. If you have any questions, feel free to comment here or on the hue-user list or @gethue!


  1. Suresh K 3 years ago

    I have synced the Active directory with in the HUE
    though i choose the option to “not create home directories” upon user login
    Its creating user directories in my hdfs-file-system
    I don’t want that behavior
    Could you please provide me a solution for that?

  2. Suresh K 3 years ago

    yes its the same property
    This is my current configuration file, where i changed this property create_users_on_login=false in
    and also sync ldap users as suggested using hue.


    when ever a user logs into hue interface
    a directory is being created in hadoop file system
    Its creating a lot of dummy directories, which we actually don’t need

  3. Suresh K 3 years ago

    Though i uncheck the option “create home directory”
    Its creating user directories in hadoop-file-system
    I feel there is a bug, correct me if am wrong

    • Hue Team 3 years ago

      The create home directory box only has effects on this page.

      Which backend are you using? I think it will create the HDFS home of the user automatically (as a user can’t submit jobs by default without a home)

  4. suresh 3 years ago

    I dont want HUE to create HDFS user directories on user’s login, we want users to follow our predefined shell scripts to create hdfs user directories.
    Is there a good way to disable the auto-creation of user directories?

  5. suresh 3 years ago

    Hue Team,
    I am awaiting for your reply
    Am using Cloudera hadoop as the back-end

  6. bharath 3 years ago

    what are the alternatives , if we are not using cloudera navigator

    • Author
      Hue Team 3 years ago

      Currently only Navigator API is supported

      • Aerin 2 years ago

        Hey, dear Hue Team, I have the same question. I want to enable Hue Audit log, but I don’t want to use Cloudera Navigator. I saw your reply was 11 months ago, just want to know if there is any updates. Can we enable hue audit log without navigator now?


        • Author
          Hue Team 2 years ago

          Feel free to enable it, Hue will produce an audit.log file, but Navigator will just not pick it up as it won’t exist.

  7. Aerin 2 years ago

    Hi, dear Hue Team, thank you for your fast answer. So do you mean with Hue 3.9.0, we can enable the audit logging without Nav? We have Cloudera Manager(5.11.1) installed, the Hue version is 3.9.0. When I tried to change it through Cloudera Manager->Hue->Configuration, ‘audit_event_log_dir’, it generated a folder and I have no access. So I am wondering if I should do this in the latest version (Hue 3.12 or Hue 4) . Thanks again:)!

    • Author
      Hue Team 2 years ago

      Are you trying to fix/create the ‘audit_event_log_dir’ so that Hue can write the logs there?

  8. Vijay 6 months ago

    Hi Team,

    How can I Capture user’s windows login in Hue audit log.

    For example, windows user xxx and logging into hue with user yyyy, how can i find that xxx logged in with yyyy

    Also how to find the queries executed through user xxx

    • Author
      Hue Team 6 months ago

      You should see something like this in the logs
      [17/Oct/2018 07:43:52 +0000] access WARNING romain - "POST /hue/accounts/login HTTP/1.1" (mem: 142mb)-- Successful login for user: romain
      [17/Oct/2018 07:43:52 +0000] access INFO romain - "POST /hue/accounts/login HTTP/1.1" returned in 249ms (mem: 142mb)
      [17/Oct/2018 07:43:52 +0000] middleware DEBUG {"username": "romain", "impersonator": "hue", "eventTime": 1539787432311, "operationText": "Successful login for user: romain", "service": "hue", "url": "/hue/accounts/login", "allowed": true, "operation": "USER_LOGIN", "ipAddress": ""}
      [17/Oct/2018 07:43:52] "POST /hue/accounts/login HTTP/1.1" 302 0
      [17/Oct/2018 07:43:52 +0000] access INFO romain - "GET / HTTP/1.1" returned in 2ms (mem: 142mb)

      and the trace in audit.logs

Leave a reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.