Enable Hue to Use Kerberos for Authentication
Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
For Hue to work properly with a Cloudera cluster that uses Kerberos for authentication, the Kerberos Ticket Renewer must be added to the Hue service. Use the Cloudera Manager Admin Console to add the Kerberos Ticket Renewer role to each host with a Hue Server role instance.
The Hue Kerberos Ticket Renewer renews only those tickets created for the Hue service principal, hue/hostname@REALM-NAME. The Hue principal impersonates other users for applications within Hue such as the Job Browser, File Browser and so on. Other services, such as HDFS and MapReduce, do not use the Hue Kerberos Ticket Renewer but rather handle ticket renewal as needed using their own mechanisms.
- Go to the Hue service.
- Click the Instances tab.
- Click the Add Role Instances button.
- Assign the Kerberos Ticket Renewer role instance to the same host as the Hue server.
When the wizard status is Finished, the Kerberos Ticket Renewer role instance is configured. The Hue service now works with the secure Hadoop cluster.
- Repeat these steps for each Hue Server role.
Troubleshooting the Kerberos Ticket Renewer:
kadmin.local: modprinc -maxrenewlife 90day krbtgt/YOUR_REALM.COM kadmin.local: modprinc -maxrenewlife 90day +allow_renewable hue/<hostname>@YOUR-REALM.COM