Step 9: (Optional) Enable Authentication for HTTP Web Consoles for Hadoop Roles
Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)
Authentication for access to the HDFS, MapReduce, and YARN roles' web consoles can be enabled using a configuration option for the appropriate service. To enable this authentication:
- From the Clusters tab, select the service (HDFS, MapReduce, or YARN) for which you want to enable authentication.
- Click the Configuration tab.
- Select .
- Select .
- Type Enable Kerberos in the Search box.
- Select Enable Kerberos Authentication for HTTP Web-Consoles.
- Enter a Reason for change, and then click Save Changes to commit the changes.
- When the command finishes, restart all roles of that service.
Enabling SPNEGO as an Authentication Backend for Hue
- In Cloudera Manager, set the authentication backend to SpnegoDjangoBackend.
- Go to the Cloudera Manager Admin Console. From the Clusters tab, select the Hue service.
- Click the Configuration tab.
- Select .
- Select .
- Locate the Authentication Backend property and select desktop.auth.backend.SpnegoDjangoBackend.
- Click Save Changes.
- Restart the Hue service.
- If you are using an external load balancer, perform the following steps, otherwise skip the remaining steps. Cloudera Manager creates these configuration automatically:
- On the host running the Hue Kerberos Ticket Renewer, switch to the KT_RENEWER process directory. For example:
cd /var/run/cloudera-scm-agent/process/`ls -lrt /var/run/cloudera-scm-agent/process/ \ | awk '{print $9}' |grep KT_RENEWER| tail -1`/
- Verify that the Hue keytab includes the HTTP principal.
klist -kte ./hue.keytab Keytab name: FILE:./hue.keytab KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 1 03/09/15 20:20:35 hue/host-10-16-8-168.openstacklocal@EXAMPLE.CLOUDERA.COM (aes128-cts-hmac-sha1-96) 1 03/09/15 20:20:36 HTTP/host-10-16-8-168.openstacklocal@EXAMPLE.CLOUDERA.COM (aes128-cts-hmac-sha1-96)
- Copy the hue.keytab file to /var/lib/hue and change ownership to the hue user and group.
$ cp ./hue.keytab /var/lib/hue/ $ chown hue:hue /var/lib/hue/hue.keytab
- Go to the Cloudera Manager Admin Console. From the Clusters tab, select the Hue service.
- Click the Configuration tab.
- Select .
- Select .
- Locate the Hue Service Environment Advanced Configuration Snippet (Safety Valve) property and add the following line:
KRB5_KTNAME=/var/lib/hue/hue.keytab
- Enter a Reason for change, and then click Save Changes to commit the changes.
- Restart the Hue service.
- On the host running the Hue Kerberos Ticket Renewer, switch to the KT_RENEWER process directory. For example: