How to use Hue with Hive and Impala configured with LDAP authentication and SSL

We previously showed in detail how to use SSL encryption with the Impala or Hive Editors. Here is a step-by-step guide on how to use LDAP authentication instead of no authentication or Kerberos.

Note: this requires Hue 3.7 or CDH5.2

1.
HiveServer2 had SSL enabled, so the Hive Editor could not connect to HiveServer2. The HiveServer2 logs showed SSL errors indicating that it received plaintext (a good hint at the cause).

Solved by adding this to the Hue Safety Valve:

(validate was set to false because their certificates used wildcards, which caused other errors)

Note: If not using SSL, you will hit this bug: HUE-2484

2.
The same Hue behavior occurred after making the change, but now the HiveServer2 log showed an authentication failure due to err=49.

So, we added the following to the Hue Safety Valve:

[beeswax]
  [[ssl]]
  ## Path to Certificate Authority certificates.
  cacerts=/etc/hue/cacerts.pem
  ## Choose whether Hue should validate certificates received from the server.
  validate=false

or

[impala]
  [[ssl]]
  ## SSL communication enabled for this server.
  enabled=false
  ## Path to Certificate Authority certificates.
  cacerts=/etc/hue/cacerts.pem
  ## Choose whether Hue should validate certificates received from the server.
  validate=false

3.
Hue still showed the same behavior. HiveServer2 logs showed:

<HUE_LDAP_USERNAME> is not allowed to impersonate bob

We solved this by adding the following to the HDFS > Service-Wide > Advanced > Safety Valve for core-site.xml:

<property>
  <name>hadoop.proxyuser.<HUE_LDAP_USERNAME>.hosts</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.<HUE_LDAP_USERNAME>.groups</name>
  <value>*</value>
</property>

4.
After this, the default database was displayed, but we could not run show tables; or anything else. Beeline had the same behavior.

We did a grant for the group of the user who was attempting the Hive actions, and then that problem went away.

All queries were working and Hue is querying Hive/Impala and returning results!
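
As an added example (not part of the original post or of Hue), the following Python script audits the two permissive settings used in the steps above: validate=false under [[ssl]] in the Hue configuration and * for the hadoop.proxyuser hosts/groups in core-site.xml. The sample file contents are constructed, and "hue" stands in for <HUE_LDAP_USERNAME>.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs; "hue" stands in for <HUE_LDAP_USERNAME>.
CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.hue.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.hue.groups</name><value>analysts,etl</value></property>
</configuration>"""
HUE_INI = """[beeswax]
  [[ssl]]
  cacerts=/etc/hue/cacerts.pem
  validate=false
[impala]
  [[ssl]]
  enabled=false
  validate=true
"""

def wildcard_proxyusers(core_site_xml):
    """Return sorted (user, kind) pairs whose proxyuser hosts/groups value is '*'."""
    findings = []
    for prop in ET.fromstring(core_site_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        m = re.fullmatch(r"hadoop\.proxyuser\.(.+)\.(hosts|groups)", name)
        if m and value == "*":
            findings.append((m.group(1), m.group(2)))
    return sorted(findings)

def unvalidated_ssl(hue_ini):
    """Return sorted top-level sections whose [[ssl]] block sets validate=false."""
    section = sub = None
    findings = set()
    for raw in hue_ini.splitlines():
        line = raw.strip()
        if line.startswith("[["):
            sub = line.strip("[]").strip()
        elif line.startswith("["):
            section, sub = line.strip("[]").strip(), None
        elif sub == "ssl" and "=" in line and not line.startswith("#"):
            key, _, val = line.partition("=")
            if key.strip() == "validate" and val.strip().lower() == "false":
                findings.add(section)
    return sorted(findings)

if __name__ == "__main__":
    for user, kind in wildcard_proxyusers(CORE_SITE):
        print(f"core-site.xml: proxyuser {user} has wildcard {kind}")
    for section in unvalidated_ssl(HUE_INI):
        print(f"hue.ini: [{section}] [[ssl]] validate=false (certificate not checked)")
```

Both hadoop.proxyuser properties also accept a comma-separated list of hosts or groups in place of *, which limits where the Hue account can impersonate from and whom it can impersonate.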

As usual feel free to comment and send feedback on the hue-user list or @gethue!

11 Comments

  1. Zeeshan 3 years ago

    Hi,

    Can you kindly explain if the parameters are to be filled in with an actual username? And which username, if yes?
    In addition, should the text:
    ldap_username=
    ldap_password=
    be added the way it is, or should a username and password be included?

    Regards,
    Zeeshan

    • Hue Team 3 years ago

      e.g.
      [desktop]
      ldap_username=bob
      ldap_password=my_password

  2. Zeeshan 3 years ago

    There are many users who log in to Hue on our cluster. Which user’s credentials should be entered here?

    • Hue Team 3 years ago

      Here, only the Hue credentials; then Hue will impersonate the logged-in user: it will send ‘bob’ to Hive or Impala when ‘bob’ sends a query.

  3. Zeeshan 3 years ago

    Hi, maybe this is a basic question, but can you tell me how to find out the password for the user Hue? Or do I have to create a new user account on LDAP which is called Hue? Thanks.

    • Hue Team 3 years ago

      Yes, you need to specify the username/credentials of an existing LDAP user and specify them in the [desktop] section above.

  4. Sandeep Keni 2 years ago

    Hi,
    I have configured Hue and Impala with Sentry (along with LDAP).
    As long as Sentry is disabled, everything works fine with the above configuration, but after I enable Sentry and write some rules to always impersonate ldap_username, I don’t see Sentry rules working.

    Can you please let me know
