The User Admin application lets a superuser add, delete, and manage Hue users and groups, and configure group permissions. Superusers can add users and groups individually, or import them from an LDAP directory. Group permissions define the Hue applications visible to group members when they log into Hue and the application features available to them.
Click the Hue Administration icon in the top right navigation bar under your username.
LDAP or PAM pass-through authentication with Hive or Impala and Impersonation .
The User Admin application provides two levels of user privileges: superusers and users.
Superusers — The first user who logs into Hue after its initial installation becomes the first superuser. Superusers have permissions to perform administrative functions:
Users can change their name, e-mail address, and password and log in to Hue and run Hue applications, subject to the permissions provided by the Hue groups to which they belong.
Note:
Importing users from an LDAP directory does not import any password information. You must add passwords manually in order for a user to log in.
To add a user from an external LDAP directory:
Click Add/sync user.
If the user already exists in the User Admin, the user information in User Admin is synced with what is currently in the LDAP directory.
You can sync the Hue user database with the current state of the LDAP directory using the Sync LDAP users/groups function. This updates the user and group information for the already imported users and groups. It does not import any new users or groups.
Programmatically
When a Hue administrator loses their password, a more programmatic approach is required to secure the administrator again. Hue comes with a wrapper around the python interpreter called the “shell” command. It loads all the libraries required to work with Hue at a programmatic level. To start the Hue shell, type the following command from the Hue installation root.
If using CM:
export HUE_CONF_DIR="/var/run/cloudera-scm-agent/process/`ls -alrt /var/run/cloudera-scm-agent/process | grep HUE | tail -1 | awk '{print $9}'`"
Then:
cd /usr/lib/hue (or /opt/cloudera/parcels/CDH-XXXXX/share/hue if using parcels and CM)
build/env/bin/hue shell
The following is a small script, that can be executed within the Hue shell, to change the password for a user named “example”:
from django.contrib.auth.models import User
user = User.objects.get(username='example')
user.set_password('some password')
user.save()
The script can also be invoked in the shell by using input redirection (assuming the script is in a file named script.py):
build/env/bin/hue shell < script.py
Via a command
Go on the Hue machine, then in the Hue home directory and either type:
To change the password of the currently logged in Unix user:
build/env/bin/hue changepassword
Programmatically
How to make a certain user a Hue admin
build/env/bin/hue shell
Then set these properties to true:
from django.contrib.auth.models import User
a = User.objects.get(username='hdfs')
a.is_staff = True
a.is_superuser = True
a.set_password('my_secret')
a.save()
Via a command
If you don't remember the admin username, create a new Hue admin (you will then also be able to login and could change the password of another user in Hue):
build/env/bin/hue createsuperuser
Superusers can add and delete groups, configure group permissions, and assign users to group memberships.
You can add groups, and delete the groups you've added. You can also import groups from an LDAP directory.
[desktop]
[[ldap]]
login_groups=ldap_grp1,ldap_grp2,ldap_grp3
Permissions for Hue applications are granted to groups, with users gaining permissions based on their group membership. Group permissions define the Hue applications visible to group members when they log into Hue and the application features available to them.
A company would like to use the following LDAP users and groups in Hue:
John Smith belonging to team A Helen Taylor belonging to team B
Assuming the following access requirements:
Team A should be able to use Beeswax, but nothing else. Team B should only be able to see the Oozie dashboard with readonly permissions.
In Hue 2 the scenarios can be addressed more appropriately. Users can be imported from LDAP by clicking “Add/Sync LDAP user” in Useradmin > Users:
Similarly, groups can be imported from LDAP by clicking “Add/Sync LDAP group” in Useradmin > Groups.
If a previously imported user’s information was updated recently, the information in Hue will need to be resynchronized. This can be achieved through the LDAP sync feature:
Part A of the example can be addressed by explicitly allowing access Beeswax for Team A. This is managed in the “Groups” tab of the Useradmin app:
The Team A group can be edited by clicking on its name, where access privileges for the group are selectable. Here, the “beeswax.access” permission would be selected and the others would be unselected:
Part B of the example can be handled by explicitly defining access for Team B. This can be accomplished by following the same steps in part A, except for Team B. Every permission would be unselected except “oozie.dashboard_jobs_access”:
By explicitly setting the app level permissions, the apps that these users will be able to see will change. For instance, Helen, who is a member of Team B, will only see the Oozie app available:
Set permissions to a group via a Bash shell:
#!/bin/env bash
set -eu
host="localhost"
port="8888"
credentials="/home/hadoop/hue-config/hue_access_admin.txt" # password file
user="admin"
protocol="http"
group_name="spark02-user"
permissions_id1="10" # jobbrowser.access
permissions_id2="18" # spark.access
list_of_users="members=10&members=9&members=4" # number here is an order number for a user in the list of users
password=$(cat /home/hadoop/hue-config/hue_access_admin.txt | sed -n 's/admin:(.*)/\1/p')
curl ${protocol}://${host}:${port}/hue/accounts/login/?fromModal=true -o /dev/null -D - -c cookies.txt -s
x_csrftoken=$(grep csrftoken cookies.txt | cut -f 7)
curl -i -X POST ${protocol}://${host}:${port}/hue/accounts/login/?fromModal=true -d "username=${user}&password=${password}" -o /dev/null -D - -c cookies.txt -b cookies.txt -H "X-CSRFToken: ${x_csrftoken}" -s
x_csrftoken=$(grep csrftoken cookies.txt | cut -f 7)
curl -X POST ${protocol}://${host}:${port}/useradmin/groups/edit/${group_name}
-d "csrfmiddlewaretoken=${x_csrftoken}&name=${group_name}&permissions=${permissions_id1}&permissions=${permissions_id2}&${list_of_users}&is_embeddable=true",
-b cookies.txt -H "X-CSRFToken: ${x_csrftoken}"