Cloudera Enterprise 6.3.x

Hue User Permissions

Hue is a gateway to CDH cluster services (see Hue Applications), and Hue and those services have completely separate permissions. Being a Hue superuser means nothing to HDFS, Hive, and so on.
  Important: Hue and the underlying cluster services have completely separate permissions!

Users who log on to the Hue UI must have permission to use Hue and also to use each CDH service accessible within Hue.

A common configuration is for Hue users to be authenticated with an LDAP server and CDH users with Kerberos. These users can differ: CDH services do not authenticate each user who logs on to Hue. Rather, they authenticate Hue and trust that Hue has authenticated its users.

Once Hue is authenticated by a service (for example, Hive), Hue impersonates the user (doAs) requesting use of that service (for example, to create a table). The service uses Sentry (essentially a chmod tool) to ensure the group to which that user belongs is authorized for that action.

Hue user permissions are at the application level only. For example, a Hue superuser can filter Hue user access to a CDH service but cannot authorize the use of its features. Again, Sentry does that. Learn how to Authorize Hue User Groups with Sentry.

Hue Superusers

The Hue User Admin application provides two levels of privileges: users and superusers.

Users can change their name, email address, and password. They can log in to Hue and run Hue applications according to their group permissions.

Superusers can perform administrative functions such as:
  • Add and delete users and groups
  • Import and sync users and groups from an LDAP server
  • Assign group permissions
  • Promote users to superusers and vice versa.

Hue superusers have no special privileges to the underlying CDH cluster services. Sentry is used to add those privileges.

  Important: The first user to log on to Hue (without LDAP authentication) becomes the first superuser.

How to Assign Superuser Status to an LDAP User

In a non-secure cluster, the first user to log on to Hue is designated a superuser. In a secure cluster with LDAP, there are three ways to assign superuser status:
  1. With the AllowAllBackend temporarily enabled, assign superuser status and Synchronize One User.
  2. With the LdapBackend enabled, run a Hue shell command to apply superuser status.
  3. Enable multiple backends so that the first-user-to-log-on behavior still works when Hue is integrated with LDAP.

Hue Applications and Permissions

Hue is a gateway to (and web-based UI for) the following CDH cluster services.

Hue Applications

These CDH services are available in Hue. Currently, Spark is only available upstream.

Table 1. Hue Applications
Hue App Sentry App Dependencies
HBase          HBase Browser
HDFS           Core, File Browser
Hive           Metastore Tables, Hive Editor
Impala         Metastore Tables, Impala Editor
MapRed / YARN  Job Browser, Job Designer, Oozie, Hive Editor, Pig, Sqoop
Oozie          Job Designer, Oozie Editor/Dashboard
Pig            Pig Editor, Oozie
Sentry         Solr Search
Solr (Search)  Hadoop Security
Spark          Spark
Sqoop 2        Sqoop Transfer

Hue Permissions

Hue application permissions are composed of name.permission:action.

For example, filebrowser.access:Launch this application(3):
  • Hue application name = filebrowser
  • Permissions = access (as in, execute)
  • Action = Launch this application (the HDFS filebrowser).
  • Process ID in Hue database (3).

Table 2. Hue Application Permissions
Hue App     Permission                       rwx  Action Description
about       access                           --x  Launch this application
beeswax     access                           --x  Launch this application
dashboard   access                           --x  Launch this application
filebrowser access                           --x  Launch this application
filebrowser s3_access                        --x  Access to S3 from filebrowser and filepicker
help        access                           --x  Launch this application
impala      access                           --x  Launch this application
indexer     access                           --x  Launch this application
jobbrowser  access                           --x  Launch this application
jobsub      access                           --x  Launch this application
metadata    access                           --x  Launch this application
metadata    write                            -w-  Allow edition of metadata like tags
metastore   access                           --x  Launch this application
metastore   write                            -w-  Allow DDL operations. Need the app access too
notebook    access                           --x  Launch this application
oozie       access                           --x  Launch this application
oozie       dashboard_jobs_access            --x  Oozie Dashboard read-only user for all jobs
oozie       disable_editor_access            --x  Disable Oozie Editor access
pig         access                           --x  Launch this application
proxy       access                           --x  Launch this application
rdbms       access                           --x  Launch this application
search      access                           --x  Launch this application
security    access                           --x  Launch this application
security    impersonate                           Let a user impersonate another user when listing objects like files or tables
sqoop       access                           --x  Launch this application
useradmin   access_view:useradmin:edit_user  rwx  Access to profile page on User Admin
useradmin   access_view:useradmin:view_user  rwx  Access to any profile page on User Admin
useradmin   access                           --x  Launch this application
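
An added example, not part of Cloudera's documentation or Hue's code: a Python parser for permission strings of the name.permission:action(id) form described above, used to flag group grants worth reviewing. The group names, the ids other than 3, the ELEVATED set, and the rule that the last colon ends the permission name are assumptions of this example.

```python
import re

# Shape given on the page: name.permission:action(id).
# Assumption: the action text holds no colon, so the last colon ends the
# permission name (needed for access_view:useradmin:edit_user).
PERM_RE = re.compile(
    r"^(?P<app>[a-z_]+)\.(?P<perm>.+):(?P<action>[^:]+)\((?P<id>\d+)\)$")

# This example's own choice of Table 2 entries that do more than launch an app.
ELEVATED = {("security", "impersonate"), ("metastore", "write"),
            ("metadata", "write"), ("filebrowser", "s3_access")}

def parse_permission(text):
    """Split 'app.permission:action(id)' into its four parts."""
    m = PERM_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a Hue permission string: {text!r}")
    return {"app": m["app"], "permission": m["perm"],
            "action": m["action"].strip(), "id": int(m["id"])}

def audit_group(group, perm_strings):
    """Return review findings for one Hue group's permission strings."""
    granted = set()
    for text in perm_strings:
        p = parse_permission(text)
        granted.add((p["app"], p["permission"]))
    findings = []
    for app, perm in sorted(granted):
        if (app, perm) in ELEVATED:
            findings.append(f"{group}: {app}.{perm} goes beyond launching an app")
        # Table 2: metastore.write also needs metastore.access.
        if (app, perm) == ("metastore", "write") and (app, "access") not in granted:
            findings.append(f"{group}: metastore.write granted without metastore.access")
    return findings

# Constructed sample: group names and every id except 3 are made up.
SAMPLE = {
    "analysts": ["filebrowser.access:Launch this application(3)",
                 "metastore.write:Allow DDL operations. Need the app access too(14)"],
    "helpdesk": ["useradmin.access_view:useradmin:edit_user:Access to profile page on User Admin(21)",
                 "security.impersonate:Let a user impersonate another user when listing objects like files or tables(19)"],
}

if __name__ == "__main__":
    for name, perms in SAMPLE.items():
        for line in audit_group(name, perms):
            print(line)
```

Findings here cover Hue application permissions only; what a group may do inside HDFS, Hive and the other services is decided by Sentry, as the page states.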
Page generated August 29, 2019.