Configure Hue with HTTPS / SSL

Configure Hue with HTTPS / SSL

SSL / HTTPS is often not simple. Here is some light in addition to the Cloudera Security guide that should help.

 

SSL between your browser and Hue

To configure Hue to use HTTPS we need a self signed SSL certificate that does not require a passphrase.

Here is how to generate a private key and a self-signed certificate for the Hue server:

openssl genrsa 4096 > server.key

openssl req -new -x509 -nodes -sha1 -key server.key > server.cert


Note
: answer the questions that follow (complete example below). Entering the hostname for the server is important.

Note: you will have to tell your browser to “trust” the self signed server certificate

 

Then in the Hue configuration in CM or in the hue.ini:

  • Check Enable HTTPS
  • Enter path to server.cert in Local Path to SSL Certificate (ssl_certificate)
  • Enter path to server.key in Local Path to SSL Private Key (ssl_private_key)

Make sure Hue is setting the cookie as secure.

Note: when using a load balanced you might need to set in certain case secure_proxy_ssl_header.

 

hue-with-https

 

Here is an example of creation of a certificate for enabling SSL:

[[email protected] hue]# pwd
/home/hue
[[email protected] hue]# ls
cacerts  cert  key

Generate a private key for the server:

[[email protected] hue]# openssl genrsa -out key/server.key 4096

Generate a “certificate request” for the server:

[[email protected] hue] openssl req -new -key key/server.key -out request/server.csr

You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank. For some fields there will be a default value, if you enter ‘.’, the field will be left blank.

Country Name (2 letter code) [XX]:US
 State or Province Name (full name) []:Colorado
 Locality Name (eg, city) [Default City]:Denver
 Organization Name (eg, company) [Default Company Ltd]:Cloudera
 Organizational Unit Name (eg, section) []:COE
 Common Name (eg, your name or your server's hostname) []:test.lab
 Email Address []:

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:  ## note this was left
An optional company name []:

Self-sign the request, creating a certificate for the server:

[[email protected] hue] openssl x509 -req -days 365 -in request/server.csr -signkey key/server.key -out cert/server.crt
 Signature ok
 subject=/C=US/ST=Colorado/L=<wbr />Denver/O=Cloudera/OU=COE/CN=test.lab
 Getting Private key

[[email protected] hue]# ls -lR
.
 total 16
 drwxr-xr-x 2 hue  root 4096 Jul 16 18:04 cacerts
 drwxr-xr-x 2 root root 4096 Jul 31 10:02 cert
 drwxr-xr-x 2 root root 4096 Jul 31 09:46 key
 drwxr-xr-x 2 root root 4096 Jul 31 10:00 request
 ./cacerts:
 total 4
 -rw-r--r-- 1 hue root 2036 Jul 16 18:04 win2k8x64-ad2-ca.pem
 ./cert:
 total 4
 -rw-r--r-- 1 root root 1907 Jul 31 10:02 server.crt
 ./key:
 total 4
 -rw-r--r-- 1 root root 3243 Jul 31 09:49 server.key
 ./request:
 total 4
 -rw-r--r-- 1 root root 1704 Jul 31 10:00 server.csr

 

SSL between Hue and the Hadoop components

The above was for having the Web browser use SSL when talking with Hue. In order to have Hue use SSL for talking to YARN, Hive, HDFS, … we need another property: REQUESTS_CA_BUNDLE as described in HUE-2082 (and sometimes more in the case of Hive for example).

 

I discovered that Hue’s truststore (the file pointed to by REQUESTS_CA_BUNDLE) has to contain the certificate not only of the NameNode, but of other nodes as well. I don’t know exactly which other nodes, but I suspect it’s every node that has a DataNode role. It’s easiest just to assume that the certs for all nodes need to be in the Hue truststore.

This is because we’re using self-signed test certs, not CA-signed certs. If we were using CA-signed certs, we could just put the CA cert chain in the Hue truststore.

Also, the Hue truststore has to be in PEM file format. At Cloudera we are using the JKS format for Hadoop SSL. So in order to populate the Hue truststore, you have to extract the certificates from the JKS keystores and convert them to PEM format. Here are the commands for doing that, given a JKS keystore called hadoop-server.keystore, on a host named foo-1.ent.cloudera.com:

keytool -exportcert -keystore hadoop-server.keystore -alias foo-1.cloudera.com \
        -storepass cloudera -file foo-1.cert
openssl x509 -inform der -in foo-1.cert > foo-1.pem

Once you’ve done this for each host in the cluster, you can concatenate the .pem files into one .pem file which can serve as the Hue truststore:

cat foo-1.pem foo-2.pem ... > huetrust.pem

After running it, set REQUESTS_CA_BUNDLE in the Hue environment safety valve to /etc/hadoop/ssl-conf/huetrust.pem

hue-contact-https

 

Here is an interesting link if you want to read more about generating SSL certificates.

 

As usual feel free to comment and send feedback on the hue-user list or @gethue!

 

 

 

5 Comments

  1. Elia 3 years ago

    Hi,
    I tried to follow your steps, but while getting to this command: openssl x509 -req -days 365 -in request/server.csr -signkey key/server.key -out cert/server.crt
    I had the same message but when i launch ls command i don’t find the .pem file.
    So my question is how did you do to get it in the cacerts folder?
    Cause even if i execute keytool commands it didn’t find hadoop-server.keystore
    Thank you

  2. Jeff Parsons 2 years ago

    Can you provide more details on how to configure Hue to work in conjunction with a load balancer (like a BigIP F5) to terminate SSL load balancer?

    I’ve turned these options on, but have had no luck in making this work as expected:
    [[desktop]]
    secure_proxy_ssl_header=true
    [[session]]
    secure=false

    Hue is interesting rewriting HTTPS calls to HTTP for some reason which is causing issues. I’m guessing I might need to dig into django to get these redirects to stop?

  3. Hue Team 2 years ago

    The setting above tells Hue to send the header HTTP_X_FORWARDED_PROTOCOL’, ‘https’
    e.g. with NGINX
    http://stackoverflow.com/questions/11943491/accessing-django-admin-over-https-behind-nginx

    You might need to turn it on in F5 too?
    https://devcentral.f5.com/questions/how-to-set-https-header

  4. bharath 1 year ago

    how to include root and intermediate certs in hue.ini ?

    • Author
      Hue Team 1 year ago

      [desktop]
      ssl_cacerts=/path/to/file.pem

      Both root and all intermediates should be in the same PEM file.

Leave a reply

Your email address will not be published. Required fields are marked *

*