How to Configure Hue to authenticate with Apache Knox SSO on a Secure Cluster

Published on 05 May 2020 in Version 4 - 2 minutes read - Last modified on 06 March 2021 - Read in jp

Hello, Hue administrators,

The Apache Knox™ Gateway is an Application Gateway for interacting with the REST APIs and UIs of Apache Hadoop deployments.

Hue supports KnoxSpnegoDjango since Hue4.6, we can turn on Hue’s KnoxSpnegoDjango auth by updating Hue configurations through CM UI or hue.ini.

On any cluster with Knox service installed, update hue.ini as following and restart Hue:

[desktop]
[[auth]]
backend=desktop.auth.backend.KnoxSpnegoDjangoBackend
[[knox]]
knox_principal=knox
knox_proxyhosts=weixia-1.domain.site,weixia-2.domain.site

Or on any CM managed cluster, Hue can be configured with KnoxSpnegoDjango backend through CM UI: hue-auth-knoxspnego.png

Fill knox_proxyhosts field with accurate knox proxy hostname, you can get the hosts by navigating to Clusters->KNOX, and click on ‘Instances’ tab: knox-ha-hosts.png For Knox HA cluster, you can fill in all the hosts by clicking on “+” icon: configure-hue-with-knox-ha.png

Click ‘Save Changes’, you will see a warning about role missing kerberos keytab. Click on “Administration”–>”Security” as shown below: role-missing-kerberos-keytab.png generate-missing-credentials.png Then navigate back to Clusters->HUE-1, click on the “stale configuration: Restart” icon beside the “Actions” button, stale-configuration-restart.png follow the wizard to choose “Restart staled services”, select “Re-deploy client configuration” and click on “Restart Now”, wait till it finishes.

Navigate to Hue’s Web UI dropdown and select “Knox Gateway UI” to load Knox UI: knox-gateway-ui.png Then click on “+” icon of “+cdp-proxy” to expand: knox-gateway-ui-cdp-proxy.png

Now click on the Hue icon: knox-proxy-login-hue-icon.png

You should be able to log in to hue page:

hue-page.png

Troubleshooting

  1. If you hit error like “The username or password you entered is incorrect.”

incorrect-user-or-password.png

Check on your knox proxy hosts that user or password is correct.

ssh [email protected]
useradd weixia
passwd weixia
  1. If you hit 403 error:

hue-login-403.png

Log in to your ranger service and ensure your user or group say ‘public’ has proper permissions.

ranger-cm-knox-policies.png

Any feedback or questions? Feel free to comment here or on the Forum or @gethue and quick start SQL querying!

Weixia Xu from the Hue Team


comments powered by Disqus

More recent stories

26 June 2024
Integrating Trino Editor in Hue: Supporting Data Mesh and SQL Federation
Read More
03 May 2023
Discover the power of Apache Ozone using the Hue File Browser
Read More