Configuring Hue with Multiple Authentication Backends and LDAP

Configuring Hue with Multiple Authentication Backends and LDAP

In the upcoming Hue 3.9 release, Hue will support the ability to configure multiple authentication backends.

Hue already allows you to authenticate with several authentication services including LDAP, OpenID, SAML, database, etc. With this latest feature, you can now configure multiple authentication sources for Hue to check, in order of priority, when authenticating and authorizing users.

For example, to enable Hue to first attempt LDAP directory lookup before falling back to the database-backed user model, we can update the hue.ini configuration file or Hue safety valve in Cloudera Manager with a list containing first the LdapBackend followed by either the ModelBackend or custom AllowFirstUserDjangoBackend (permits first login and relies on user model for all subsequent authentication):

[desktop]
  [[auth]]
  backend=desktop.auth.backend.LdapBackend,desktop.auth.backend.AllowFirstUserDjangoBackend

This tells Hue to first check against the configured LDAP directory service, and if the username is not found in the directory, then attempt to authenticate the user with the Django user manager.

Note

With the exception of OAuth authentication, we can continue to add additional backends to this configuration setting in order of precedence. However, currently if OAuth authentication is configured it must be the only backend specified in hue.ini.

As usual feel free to comment and send feedback on the hue-user list or @gethue!

17 Comments

  1. Ruslan 1 year ago

    That’s great.. We upgraded to CDH 5.5 which has Hue 3.9. Cloudera Manager’s UI still has a radio buttons that allows to pick just one authentication method.

    • Hue Team 1 year ago

      Yes, this still needs to be changed manually in the Hue safety valve

  2. Sravan 1 year ago

    Hi,
    We have enabled LDAP on our Systems and was working fine for sometime.
    Since today, we weren’t able to login to HUE using admin user/admin users.

    Whereas, non admin users were able to login fine with their LDAP password.

    Any troubleshooting steps to reset admin password would be highly appreciated.

    I have tried to disable desktop.auth.backend.LdapBackend in Cloudera Manager and set the default to
    desktop.auth.backend.AllowFirstUserDjangoBackend and tried.
    But, doesnt work.

    Thanks in advance!

  3. Rakhee 1 year ago

    Hi,

    Can we add our own SSO mechanism. Is it possible with HUE? Other than LDAP

  4. Wilma 11 months ago

    On CDH 5.5, we are migrating a Hue installation from AllowFirstUserDjangoBackend to multiple backends: First LDAP, then AllowFirstUserDjangoBackend.

    The 20 or so users that were created locally have LDAP accounts under the same username as their LDAP account. Once the new authentication policy instated, I would like these users to authenticate to LDAP first; if that fails, the authentication would be attempted against their locally stored password. Hence, a user would be able to login with either her LDAP password or her local Hue password.

    Unfortunately, this does not work. I have asked users created as Hue users to login using their LDAP passwords, but they get locked-out immediately, with a message indicating they had exceeded some number of attempts. On the other hand, If the user happens to be a superuser, she is able to login.

    Is this expected behavior or a bug?

    • Wilma 11 months ago

      The first line of the 2nd paragraph should read:

      The 20 or so users that were created locally have LDAP accounts under the same username as their Hue account.

  5. Wilma 11 months ago

    OK, problem resolved. Not related to multiple backend, but rather to account expiration.

    On that topic, note that the superuser had no means to reactivate an expired account (at least that I know of). The ‘active’ checkbox does not achieve this . This omissin is a problem.

  6. Marco 4 months ago

    Hi everyone,
    is it possible to configure Hue (v 3.9) for authenticating with
    – first active directory and
    if this fails
    – check the LDAP banckend authentication?

    really thanks

    • Author
      Hue Team 4 months ago

      W​e use “desktop.auth.backend.LdapBackend” ​which can connect to AD and LDAP ​as multiple backend.
      This page: ​
      http://pythonhosted.org/django-auth-ldap/multiconfig.html​ explains how to hack it in Hue.

      But for simplicity and CM configuration generation Hue doesn’t support multiple ldap backend out of the box.

  7. Rotem Gabay 3 months ago

    Hi guys,
    in case I want to use kerberos authentication for hue,
    Can I use “AllowFirstUserDjangoBackend” , or Do I have to set “spengoDjangoBackend “?

Leave a reply

Your email address will not be published. Required fields are marked *

*