In the upcoming Hue 3.9 release, Hue will support the ability to configure multiple authentication backends.
Hue already allows you to authenticate with several authentication services including LDAP, OpenID, SAML, database, etc. With this latest feature, you can now configure multiple authentication sources for Hue to check, in order of priority, when authenticating and authorizing users.
For example, to enable Hue to first attempt LDAP directory lookup before falling back to the database-backed user model, we can update the hue.ini configuration file or Hue safety valve in Cloudera Manager with a list containing first the
LdapBackend followed by either the
ModelBackend or custom
AllowFirstUserDjangoBackend (permits first login and relies on user model for all subsequent authentication):
[desktop] [[auth]] backend=desktop.auth.backend.LdapBackend,desktop.auth.backend.AllowFirstUserDjangoBackend
This tells Hue to first check against the configured LDAP directory service, and if the username is not found in the directory, then attempt to authenticate the user with the Django user manager.
With the exception of OAuth authentication, we can continue to add additional backends to this configuration setting in order of precedence. However, currently if OAuth authentication is configured it must be the only backend specified in hue.ini.