Hue has seen a slew of security improvements recently (from Hue 3.5). The most important ones have been enabling encryption when communicating with other services:
In addition, several other security options have been added:
- Session timeout is now configurable (HUE-1528)
- Cookies can be secure (HUE-1529)
- HTTP only in session cookie if supported (HUE-1639)
- Allowed HTTP methods can be defined in the hue.ini
- Cipher list can be restricted when using SSL
Secure Database Connection
Connections vary depending on the database. Hue uses different clients to communicate with each database internally. They all specify a common interface known as the DBAPI version 2 interface. Client specific options, such as secure connectivity, can be passed through the interface. For example (MySQL):
[desktop]
  [[databases]]
    …
    options={"ssl":{"ca":"/tmp/ca-cert.pem"}}
HiveServer2 over SSL
By providing a CA certificate, private key, and public certificate, Hue can communicate with HiveServer2 over SSL. This is configurable in the hue.ini. For example:
[beeswax]
  [[ssl]]
    enabled=true
    cacerts=/etc/hue/cacerts.pem
    key=/etc/hue/key.pem
    cert=/etc/hue/publiccert.pem
HiveServer2 over Kerberos with LDAP authentication
HiveServer2 supports LDAP authentication for clients connecting over a secured Thrift connection. This means Hue can supply an LDAP password that HiveServer2 uses to authenticate Hue. The username defaults to ‘hue’ or to the username of the Hue Kerberos ticket. This is configurable in the hue.ini. For example:
[desktop]
  ldap_password=MY_HUE_USER_LDAP_PASSWORD
Session Timeout
The session timeout can be set in the hue.ini at desktop->session->ttl. Example:
[desktop]
  [[session]]
    ttl=3600
Secure Cookies
Secure session cookies can be enabled in the hue.ini at desktop->session->secure. Example:
[desktop]
  [[session]]
    secure=true
The HttpOnly flag can be set via the hue.ini at desktop->session->http_only. Example:
[desktop]
  [[session]]
    http_only=true
Allowed HTTP Methods
Which HTTP request methods the server should respond to can be controlled via desktop->http_allowed_methods in the hue.ini. For example:
[desktop]
  http_allowed_methods=options,get,head,post,put,delete,connect
Restricting the Cipher List
The ciphers offered over HTTPS can be restricted via desktop->ssl_cipher_list in the hue.ini. The value is in OpenSSL cipher list format. For example:
[desktop]
  ssl_cipher_list=DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2
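Because the value is passed straight to OpenSSL, the same string can be expanded locally to see which concrete suites it selects before it goes into hue.ini. The following is an added example using Python's ssl module, not Hue's own code; the list of "weak" name markers is an assumption made for this check.

```python
"""Expand a Hue ssl_cipher_list string with OpenSSL and flag weak suites (added example)."""
import ssl

# Cipher list string from the hue.ini example above.
HUE_CIPHER_LIST = "DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2"

# Substrings whose presence in a suite name marks it as offering no or
# weak protection (anonymous key exchange, NULL encryption, export grade, RC4).
# Assumed list for this check, not something Hue defines.
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "ADH", "AECDH")


def expand_cipher_list(cipher_list):
    """Return the suite names OpenSSL selects for a cipher list string.

    ssl.SSLError is raised when the string selects no suite at all, which is
    the same failure a bad list would produce when the HTTPS listener starts.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    return [suite["name"] for suite in ctx.get_ciphers()]


def weak_suites(cipher_list):
    """Names from the expansion that carry one of the weak markers."""
    return [name for name in expand_cipher_list(cipher_list)
            if any(marker in name for marker in WEAK_MARKERS)]


if __name__ == "__main__":
    suites = expand_cipher_list(HUE_CIPHER_LIST)
    print(f"{len(suites)} suites selected by {HUE_CIPHER_LIST!r}")
    for name in suites:
        print("  ", name)
    print("weak suites:", weak_suites(HUE_CIPHER_LIST) or "none")
```

Run it on the host that will serve Hue, since the result depends on the OpenSSL build Python is linked against there; an empty `weak_suites` result for the configured string is what you want to see.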
URL redirect whitelist
Restrict the domains or pages to which Hue may redirect users. For example:
[desktop]
  redirect_whitelist=^http://www.mydomain.com/.*$
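The session, cookie, HTTP method and redirect settings above are all plain hue.ini keys, so they can be audited from the file itself. The following is an added example, not Hue's own code: a small parser for hue.ini's two-level `[section]` / `[[subsection]]` nesting plus an audit of those keys against the post's recommendations. The sample ini is constructed, the 24-hour ttl ceiling and the choice to flag CONNECT and TRACE are this check's own assumptions, and `redirect_allowed` assumes Hue matches each comma-separated pattern with `re.match`.

```python
"""Audit the security-relevant keys of a hue.ini (added example, not Hue code)."""
import re

# Constructed sample hue.ini using the knobs from the post; two values are
# deliberately weak so the audit has something to report.
SAMPLE_HUE_INI = """
[desktop]
http_allowed_methods=options,get,head,post,put,delete,connect
redirect_whitelist=^http://www.mydomain.com/.*$
  [[session]]
  ttl=3600
  secure=false
  http_only=true
"""

# One or more '[' followed by a name and the matching ']' run.
SECTION_RE = re.compile(r"^(\[+)\s*([^\[\]]+?)\s*(\]+)$")
MAX_TTL_SECONDS = 24 * 3600  # assumed ceiling for this audit


def parse_hue_ini(text):
    """Return {section: {key: value}}; subsections are keyed 'section.sub'."""
    config = {}
    path = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = SECTION_RE.match(line)
        if match:
            depth = len(match.group(1))  # number of '[' gives the nesting level
            path = path[:depth - 1] + [match.group(2)]
            config.setdefault(".".join(path), {})
            continue
        if "=" in line and path:
            key, _, value = line.partition("=")
            config[".".join(path)][key.strip()] = value.strip()
    return config


def audit(config):
    """Return a list of findings for the session, cookie, method and redirect keys."""
    findings = []
    desktop = config.get("desktop", {})
    session = config.get("desktop.session", {})

    ttl = session.get("ttl")
    if ttl is None or not ttl.isdigit() or int(ttl) > MAX_TTL_SECONDS:
        findings.append("session ttl missing, invalid, or longer than 24h")
    if session.get("secure", "false").lower() != "true":
        findings.append("session cookie not marked Secure")
    if session.get("http_only", "false").lower() != "true":
        findings.append("session cookie not marked HttpOnly")

    methods = {m.strip().lower() for m in desktop.get("http_allowed_methods", "").split(",") if m.strip()}
    for risky in ("connect", "trace"):  # methods a browser-facing app rarely needs
        if risky in methods:
            findings.append(f"http_allowed_methods permits {risky.upper()}")

    patterns = [p for p in desktop.get("redirect_whitelist", "").split(",") if p]
    if not patterns:
        findings.append("redirect_whitelist not set")
    for pattern in patterns:
        if not (pattern.startswith("^") and pattern.endswith("$")):
            findings.append(f"redirect pattern not anchored with ^ and $: {pattern}")
    return findings


def redirect_allowed(url, whitelist):
    """True when the URL matches any whitelist regex (re.match per pattern, assumed)."""
    return any(re.match(p, url) for p in whitelist.split(",") if p)


if __name__ == "__main__":
    cfg = parse_hue_ini(SAMPLE_HUE_INI)
    for finding in audit(cfg) or ["no findings"]:
        print("-", finding)
    print(redirect_allowed("http://www.mydomain.com/hue/", cfg["desktop"]["redirect_whitelist"]))
```

Note that a regex like `^http://www.mydomain.com/.*$` leaves the dots unescaped, so `re.escape` the host portion when building patterns for a real deployment; the anchoring check above catches the more common mistake of a pattern that matches anywhere in the URL.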
The Hue team is working hard on improving security. We hope these recent improvements make your system more secure and more compliant with security standards. As always, feel free to contact us at hue-user or @gethue.