How to Configure Hue to authenticate with Apache Knox SSO on a Secure Cluster

Published on 05 May 2020 in Administration / Version 4.8 - 2 minutes read - Last modified on 12 May 2020 - Read in jp

Hello, Hue administrators,

The Apache Knox™ Gateway is an Application Gateway for interacting with the REST APIs and UIs of Apache Hadoop deployments.

Hue supports KnoxSpnegoDjango since Hue4.6, we can turn on Hue’s KnoxSpnegoDjango auth by updating Hue configurations through CM UI or hue.ini.

On any cluster with Knox service installed, update hue.ini as following and restart Hue:

[desktop]
[[auth]]
backend=desktop.auth.backend.KnoxSpnegoDjangoBackend
[[knox]]
knox_principal=knox
knox_proxyhosts=weixia-1.domain.site,weixia-2.domain.site

Or on any CM managed cluster, Hue can be configured with KnoxSpnegoDjango backend through CM UI: hue-auth-knoxspnego.png

Fill knox_proxyhosts field with accurate knox proxy hostname, you can get the hosts by navigating to Clusters->KNOX, and click on ‘Instances’ tab: knox-ha-hosts.png For Knox HA cluster, you can fill in all the hosts by clicking on “+” icon: configure-hue-with-knox-ha.png

Click ‘Save Changes’, you will see a warning about role missing kerberos keytab. Click on “Administration”–>”Security” as shown below: role-missing-kerberos-keytab.png generate-missing-credentials.png Then navigate back to Clusters->HUE-1, click on the “stale configuration: Restart” icon beside the “Actions” button, stale-configuration-restart.png follow the wizard to choose “Restart staled services”, select “Re-deploy client configuration” and click on “Restart Now”, wait till it finishes.

Navigate to Hue’s Web UI dropdown and select “Knox Gateway UI” to load Knox UI: knox-gateway-ui.png Then click on “+” icon of “+cdp-proxy” to expand: knox-gateway-ui-cdp-proxy.png

Now click on the Hue icon: knox-proxy-login-hue-icon.png

You should be able to log in to hue page:

hue-page.png

Troubleshooting

  1. If you hit error like “The username or password you entered is incorrect.”

incorrect-user-or-password.png

Check on your knox proxy hosts that user or password is correct.

ssh [email protected]
useradd weixia
passwd weixia
  1. If you hit 403 error:

hue-login-403.png

Log in to your ranger service and ensure your user or group say ‘public’ has proper permissions.

ranger-cm-knox-policies.png

Any feedback or questions? Feel free to comment here or on the Forum or @gethue and quick start SQL querying!

Weixia Xu from the Hue Team


comments powered by Disqus

More recent stories

19 May 2020
How to grant Ranger permissions for a new user on a Secure Cluster
Read More
06 May 2020
SQL Editor for Apache Flink SQL
Read More
05 May 2020
How to Configure Hue to authenticate with Apache Knox SSO on a Secure Cluster
Read More