Hue Authentication
This page describes properties in the Hue configuration file, hue.ini, that support authentication and Hue security in general.
For information on configuring Hue with Kerberos, encrypting session communication, and enabling single sign-on with SAML, see:
Enabling LDAP Authentication with HiveServer2 and Impala
LDAP authentication with HiveServer2 and Impala can be enabled by setting the following properties under their respective sections in hue.ini, [beeswax] and [impala].
Property | Description |
---|---|
auth_username | LDAP username of Hue user to be authenticated. |
auth_password | LDAP password of Hue user to be authenticated. |
These login details are only used by Impala and Hive to authenticate to LDAP. The Impala and Hive services trust Hue to have already validated the user being impersonated, rather than simply passing on the credentials.
Securing Sessions
When a session expires, the screen blurs and the user is automatically logged out of the Hue Web UI. Logging on returns the user to the same location.
Session Timeout
User sessions are controlled with the ttl (time-to-live) property under [desktop] > [[session]] in hue.ini. After n seconds, the session expires whether active or not.
Property | Description |
---|---|
ttl | The cookie with the user's session ID expires after n seconds. Default: ttl=1209600, which is 60*60*24*14 seconds or 2 weeks. |
Idle Session Timeout
Idle sessions are controlled with the idle_session_timeout property under [desktop] > [[auth]] in hue.ini. Sessions that are idle for n seconds expire. You can disable this property by setting it to a negative value.
Property | Description |
---|---|
idle_session_timeout | User session IDs expire after being idle for n seconds. A negative value means idle sessions do not expire. idle_session_timeout=900 means that sessions expire after being idle for 15 minutes. idle_session_timeout=-1 means that idle sessions do not expire (until ttl). |
Secure Login
Login properties are set in hue.ini under [desktop] > [[auth]]. They are based on django-axes 1.5.0.
Property | Description |
---|---|
change_default_password | If true, users must change password on first login. Must enable backend=desktop.auth.backend.AllowFirstUserDjangoBackend |
expires_after | User accounts are disabled n seconds after logout. If negative, user sessions never expire. |
expire_superusers | Apply expires_after to superusers. |
login_cooloff_time | Failed logins are forgotten after n seconds. |
login_failure_limit | Number of login attempts allowed before a record is created for failed logins. |
login_lock_out_at_failure | If true, lock out IP after exceeding login_failure_limit. If login_lock_out_by_combination_user_and_ip=true, lock out IP and user. If login_lock_out_use_user_agent=true, also lock out user agent. |
login_lock_out_by_combination_user_and_ip | If true, lock out IP and user. |
login_lock_out_use_user_agent | If true, lock out user agent (such as a browser). |
Secure Cookies
Secure session cookies can be enabled by specifying the secure configuration property under the [desktop] > [[session]] section in hue.ini. Additionally, you can set the http_only flag for cookies containing users' session IDs.
Property | Description |
---|---|
secure | The cookie with the user session ID is secure. Should only be enabled with HTTPS. Default: false |
http_only | The cookie with the user session ID uses the HTTP only flag. Default: true. If the HttpOnly flag is included in the HTTP response header, the cookie cannot be accessed through a client-side script. |
expire_at_browser_close | Use session-length cookies. Logs out the user when the browser window is closed. Default: false |
Allowed HTTP Methods
You can specify the HTTP request methods that the server should respond to using the http_allowed_methods property under the [desktop] section in hue.ini.
Property | Description |
---|---|
http_allowed_methods | Default: options,get,head,post,put,delete,connect |
Restricting the Cipher List
Cipher list support with HTTPS can be restricted by specifying the ssl_cipher_list configuration property under the [desktop] section in hue.ini.
Property | Description |
---|---|
ssl_cipher_list | Default: !aNULL:!eNULL:!LOW:!EXPORT:!SSLv2 |
URL Redirect Whitelist
Restrict the domains or pages to which Hue can redirect users. The redirect_whitelist property can be found under the [desktop] section in hue.ini.
Property | Description |
---|---|
redirect_whitelist | For example, to restrict users to your local domain and FQDN, the following value can be used: ^\/.*$,^http:\/\/www.mydomain.com\/.*$ |
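
An added example (not from the Hue documentation or code base): a small audit that checks a redirect_whitelist value against constructed redirect targets before it goes into hue.ini. It assumes each comma-separated entry is a Python regular expression matched from the start of the redirect target; TIGHT_VALUE, the helper names and the sample URLs are this example's own.

```python
import re

# Value shown on this page for redirect_whitelist.
PAGE_VALUE = r"^\/.*$,^http:\/\/www.mydomain.com\/.*$"
# Tightened variant (an assumption of this example, not from the Hue docs):
# dots escaped, and a leading "//" (protocol-relative URL) excluded.
TIGHT_VALUE = r"^\/(?!\/).*$,^http:\/\/www\.mydomain\.com\/.*$"

# Constructed redirect targets for the audit.
MUST_ALLOW = ["/hue/editor", "http://www.mydomain.com/home"]
MUST_REJECT = [
    "http://other.example/",     # unrelated host
    "http://wwwxmydomain.com/",  # differs only where "." is unescaped
    "//other.example/path",      # protocol-relative, resolves to another host
]

def compile_whitelist(value):
    """Split the comma-separated setting and compile each entry."""
    return [re.compile(p) for p in value.split(",") if p.strip()]

def is_allowed(patterns, location):
    """True if any pattern matches from the start of the redirect target."""
    return any(p.match(location) for p in patterns)

def audit(value):
    """Return (wrongly_blocked, wrongly_allowed) for the sample targets."""
    patterns = compile_whitelist(value)
    blocked = [u for u in MUST_ALLOW if not is_allowed(patterns, u)]
    allowed = [u for u in MUST_REJECT if is_allowed(patterns, u)]
    return blocked, allowed

if __name__ == "__main__":
    for name, value in (("page", PAGE_VALUE), ("tight", TIGHT_VALUE)):
        blocked, allowed = audit(value)
        print(name, "wrongly blocked:", blocked, "wrongly allowed:", allowed)
```

Both lists come back empty only for a value that allows every intended target and rejects every unintended one, so the audit can run as a pre-deployment check with your own URL samples.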
Oozie Permissions
Groups Property in UI | Description |
---|---|
oozie.dashboard_jobs_access | Enable Oozie Dashboard read-only access for all jobs. Default: true |
oozie.disable_editor_access | Disable Oozie Editor access. Default: false |