Aloha, Hue administrators,
Hue has supported multi-authentication since Hue 3.9. You can turn it on by updating the Hue configuration through the CM UI or hue.ini.
On any CM-managed cluster, go to Hue's configuration page and search for “safety”:
http://YourCluster.com:7180/cmf/services/10/config#filterfreeText=safety
Then update the Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini as follows:
[desktop]
[[auth]]
backend=desktop.auth.backend.LdapBackend,desktop.auth.backend.AllowFirstUserDjangoBackend
Then configure the LDAP-related Hue settings through the CM UI: http://YourCluster.com:7180/cmf/services/10/config
Here is a sample multi-authentication configuration with LDAP for /etc/hue/conf/hue.ini, in case you don’t have CM:
[desktop]
[[auth]]
backend=desktop.auth.backend.LdapBackend,desktop.auth.backend.AllowFirstUserDjangoBackend
[[ldap]]
ldap_url=ldap://ldapserver.ad.com:389
search_bind_authentication=true
create_users_on_login=true
base_dn="ou=Test,DC=ad,DC=com"
bind_dn="[email protected]"
bind_password_script={{CMF_CONF_DIR}}/altscript.sh sec-5-bind_password
#bind_password="YourBindPassword"
[[[users]]]
user_filter="objectclass=user"
user_name_attr="sAMAccountName"
[[[groups]]]
group_filter="objectclass=group"
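The nested-bracket section syntax and the bind password setting above are the two places where a hand-edited hue.ini most often goes wrong. The following Python check is an added example, not part of Hue or of the original post: the names `parse_hue_ini` and `lint_auth` are hypothetical, `use_start_tls` is a Hue `[[ldap]]` option that does not appear on this page, and requiring it explicitly for `ldap://` URLs is this example's own policy.

```python
import re
HEADER = re.compile(r"^(\[+)([^\[\]]+)(\]*)$")   # [a], [[b]], [[[c]]] ...

def parse_hue_ini(text):
    """Return ({section path tuple: {key: value}}, [syntax problems])."""
    settings, problems, path = {}, [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or commented-out setting
        m = HEADER.match(line)
        if m:
            depth = len(m.group(1))       # nesting level = number of '['
            if len(m.group(3)) != depth:
                problems.append(f"line {n}: unbalanced section header {line!r}")
            path = path[:depth - 1] + [m.group(2).strip()]
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings.setdefault(tuple(path), {})[key.strip()] = value.strip().strip('"')
    return settings, problems

def lint_auth(text):
    """Syntax problems plus findings for [desktop] [[auth]] and [[ldap]]."""
    settings, problems = parse_hue_ini(text)
    auth = settings.get(("desktop", "auth"), {})
    ldap = settings.get(("desktop", "ldap"), {})
    backends = [b.strip() for b in auth.get("backend", "").split(",")]
    if not any(b.endswith(".LdapBackend") for b in backends):
        problems.append("LdapBackend is not in the [[auth]] backend list")
    if "bind_password" in ldap:
        problems.append("bind_password is in cleartext; use bind_password_script")
    # use_start_tls is not on the page; requiring it explicitly is this example's policy.
    if (ldap.get("ldap_url", "").startswith("ldap://")
            and ldap.get("use_start_tls", "").lower() != "true"):
        problems.append("ldap:// without explicit use_start_tls=true")
    return problems

# Constructed sample modelled on the page's hue.ini, with deliberate mistakes.
SAMPLE = """\
[desktop]
[[auth]
backend=desktop.auth.backend.LdapBackend,desktop.auth.backend.AllowFirstUserDjangoBackend
[[ldap]]
ldap_url=ldap://ldapserver.ad.com:389
bind_password="YourBindPassword"
"""

if __name__ == "__main__":
    print("\n".join(lint_auth(SAMPLE)))
```

Run it against the safety-valve snippet or hue.ini before saving and restarting; an empty result means none of the three checks fired.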
Save the changes, re-deploy the client configuration, then restart Hue.
Now you should be able to log in to Hue as any LDAP user or Django backend user. If you are using Hue 3.12 or newer, the login page has an extra drop-down for “LDAP” or “Local”.
Once you log in as a superuser, you will be able to sync LDAP users/groups through the “Manage Users” page: https://YourHueHost.com:8889/hue/useradmin/users.
On the “Users” tab, click the “**Add/Sync LDAP user**” button.
Then fill in an LDAP user name pattern such as “test*”.
Click the “**Add/Sync user**” button, and all users whose names start with “test” will be synced.
You can also sync a user by LDAP distinguished name, such as “**CN=atestë01,OU=huetest,OU=test,DC=ad,DC=com**”, with “**Distinguished name**” checked.
Similarly, for an LDAP group, navigate to the “Groups” tab, click the “**Add/Sync LDAP group**” button, fill in the fields accordingly, then click “**Add/Sync group**”.
You can always use the ldapsearch command on your host to verify whether the user/group exists on your LDAP server. Passing the bind password with -w leaves it in shell history and the process list; -W prompts for it instead.
ldapsearch -LLL -H ldap://ldapserver.ad.com:389 -D [email protected] -w yourbindPassword -b "cn=testuser,ou=test,DC=ad,DC=com"
ldapsearch -LLL -H ldap://ldapserver.ad.com:389 -D [email protected] -w yourbindPassword -b "cn=testgroup,ou=test,DC=ad,DC=com"
As always feel free to comment and send feedback on the hue-user list or @gethue!