Configure Hue with Multi-Authentication: LDAP & DjangoBackend and Sync LDAP user/group

Published on 14 September 2018 in Administration / Version 4 - 2 minutes read - Last modified on 04 February 2020

Aloha, Hue administrators,

Hue has supported multi-authentication since Hue 3.9. You can turn it on by updating the Hue configuration through the CM UI or hue.ini.

On any CM-managed cluster, go to Hue’s configuration page and search for “safety”:

http://YourCluster.com:7180/cmf/services/10/config#filterfreeText=safety

Then update the Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini as follows:



```ini
[desktop]
  [[auth]]
  # Comma-separated list of authentication backends: LDAP plus Hue's local Django users
  backend=desktop.auth.backend.LdapBackend,desktop.auth.backend.AllowFirstUserDjangoBackend
```

Then configure Hue’s LDAP-related settings through the CM UI: http://YourCluster.com:7180/cmf/services/10/config

Here is a sample multi-authentication configuration with LDAP for /etc/hue/conf/hue.ini, in case you don’t have CM:



```ini
[desktop]
  [[auth]]
  # Comma-separated list of authentication backends: LDAP plus Hue's local Django users
  backend=desktop.auth.backend.LdapBackend,desktop.auth.backend.AllowFirstUserDjangoBackend

  [[ldap]]
  ldap_url=ldap://ldapserver.ad.com:389
  search_bind_authentication=true
  create_users_on_login=true
  base_dn="ou=Test,DC=ad,DC=com"
  bind_dn="[email protected]"
  # Bind password supplied by a script, so it is not stored in hue.ini
  bind_password_script={{CMF_CONF_DIR}}/altscript.sh sec-5-bind_password
  # Alternative: inline bind password (kept in plaintext in hue.ini)
  #bind_password="YourBindPassword"

    [[[users]]]
    user_filter="objectclass=user"
    user_name_attr="sAMAccountName"

    [[[groups]]]
    group_filter="objectclass=group"
```
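
An added example (not code from the Hue project): a small Python check to run over hue.ini before restarting Hue. It parses the nested section headers and flags an unbalanced header, a plaintext `bind_password`, and automatic account creation. The function names `parse_hue_ini` and `audit` and the sample text are constructed for illustration.

```python
import re

# Constructed sample: this page's hue.ini with the inline bind_password enabled.
SAMPLE = """
[desktop]
[[auth]]
backend=desktop.auth.backend.LdapBackend,desktop.auth.backend.AllowFirstUserDjangoBackend
[[ldap]]
create_users_on_login=true
bind_password="YourBindPassword"
[[[users]]]
user_filter="objectclass=user"
"""

def parse_hue_ini(text):
    """Flatten nested [a] / [[b]] / [[[c]]] sections into {'a.b.c.key': value}."""
    path, flat = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"(\[+)([^\[\]]+)(\]+)", line)
        if header:
            depth = len(header.group(1))
            if depth != len(header.group(3)):
                # e.g. "[[auth]": the keys below it would not land in [[auth]]
                raise ValueError("unbalanced section header: " + line)
            path = path[:depth - 1] + [header.group(2).strip()]
        elif "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            flat[".".join(path + [key.strip()])] = value.strip().strip('"')
    return flat

def audit(text):
    """Return review findings for the multi-authentication settings."""
    cfg = parse_hue_ini(text)
    backends = [b.strip() for b in cfg.get("desktop.auth.backend", "").split(",") if b.strip()]
    findings = []
    if not any(b.endswith(".LdapBackend") for b in backends):
        findings.append("LDAP backend not enabled")
    if not any(b.endswith("DjangoBackend") for b in backends):
        findings.append("no local (Django) backend configured")
    if cfg.get("desktop.ldap.bind_password"):
        findings.append("bind password stored in plaintext; use bind_password_script")
    if cfg.get("desktop.ldap.create_users_on_login", "").lower() == "true":
        flt = cfg.get("desktop.ldap.users.user_filter", "(unset)")
        findings.append("any LDAP user matching '%s' is created in Hue at first login" % flt)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```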

Save the changes, redeploy the client configuration, then restart Hue.

Now you should be able to log in to Hue as any LDAP user or Django backend user. If you are using Hue 3.12 or newer, the login page shows an extra drop-down for “LDAP” or “Local”.

Once you log in as a superuser, you will be able to sync LDAP users/groups through the “Manage Users” page: https://YourHueHost.com:8889/hue/useradmin/users.

On the “Users” tab, click on the “**Add/Sync LDAP user**” button…

Then fill in the LDAP user name with a pattern like “test*”.

Click the “**Add/Sync user**” button; all users whose names start with “test” will be synced.

You can also sync a user by LDAP distinguished name, like “**CN=atestë01,OU=huetest,OU=test,DC=ad,DC=com**”, with “**Distinguished name**” checked.

Similarly, for an LDAP group, navigate to the “Groups” tab, click the “**Add/Sync LDAP group**” button, fill in the fields accordingly, then click “**Add/Sync group**”.

You can always use the ldapsearch command on your host to verify that the user/group exists on your LDAP server.



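```bash
# -w puts the bind password on the command line (shell history, process list);
# -W prompts for it instead.

# Look up the user entry
ldapsearch -LLL -H ldap://ldapserver.ad.com:389 -D [email protected] -w yourbindPassword -b "cn=testuser,ou=test,DC=ad,DC=com"

# Look up the group entry
ldapsearch -LLL -H ldap://ldapserver.ad.com:389 -D [email protected] -w yourbindPassword -b "cn=testgroup,ou=test,DC=ad,DC=com"
```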

As always feel free to comment and send feedback on the hue-user list or @gethue!

