Explorer
Posts: 7
Registered: ‎11-21-2016
Accepted Solution

Hue 3.11 user access control on S3 storage

We have HUE 3.11 running with HDFS version 2.7.3. We are working on how to control HUE user access to S3 storage buckets and folders. Currently all users can see all S3 storage buckets and their folders. Please suggest a solution for how we can limit access to S3 storage based on user roles.

The technologies we are using are:

  • AWS Active Directory
  • HDFS 2.7.3 version without kerberization
  • HUE 3.11 version running on separate node from Hadoop cluster

 

Posts: 394
Topics: 11
Kudos: 60
Solutions: 35
Registered: ‎09-02-2016

Re: Hue 3.11 user access control on S3 storage

@vsreddy

 

You may need to follow the ACL concept. Please refer to the link below; it has very high-level information about security.

 

https://community.cloudera.com/t5/Security-Apache-Sentry/Hadoop-Security-for-beginners/m-p/48576#M17...

 

Thanks

Kumar

Cloudera Employee
Posts: 702
Registered: ‎07-30-2013

Re: Hue 3.11 user access control on S3 storage

Hue is currently using the Boto API, which is not relying on Hadoop for now (and
is bypassing Sentry). So each user you grant access to S3 will have the
permissions of the S3 credentials.

This is why S3 access currently requires being a Hue admin or having the S3
permission.

In the medium/long term, HttpFs will support S3 and Hue will switch to it.

The current S3 integration in Hue is more focused on transient / single-user
clusters in the cloud (to get S3 autocomplete / drag & drop to upload a file
or export results to S3). With HttpFs S3, it will work well for multi-user
setups, as Sentry permissions will be enforced on top of the S3 credentials.
Explorer
Posts: 7
Registered: ‎11-21-2016

Re: Hue 3.11 user access control on S3 storage

[ Edited ]

The link you have provided is talking about Hadoop ACLs.

https://community.cloudera.com/t5/Security-Apache-Sentry/Hadoop-Security-for-beginners/m-p/48576#M17...

 

 

The issue here is how I can control access to S3 buckets and objects based on HUE (3.11) login credentials. I mean, when I log in to HUE with my credentials, I should see only the S3 objects for which I have privileges (Read, Write, Delete). I appreciate any thoughts to resolve this issue.

 

Posts: 394
Topics: 11
Kudos: 60
Solutions: 35
Registered: ‎09-02-2016

Re: Hue 3.11 user access control on S3 storage

@vsreddy

 

For object-based security you have to implement Sentry.

 

1. Install Kerberos (Prerequisite: for Sentry)
2. Enable Kerberos authentication for Hadoop (Prerequisite: Kerberos installation is different from enabling Kerberos for Hadoop)
http://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_intro_kerb.html

3. Add the Sentry service to the cluster
4. Enable the Sentry service for Hive & Impala.
http://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_sentry_service.html
5. Create the necessary groups and users in the OS and match them with Hue. You can try this manually for a few users/groups for testing purposes...

Ex: For role creation

https://community.cloudera.com/t5/Security-Apache-Sentry/How-to-create-the-following-user-roles/m-p/...

 

Cloudera Employee
Posts: 702
Registered: ‎07-30-2013

Re: Hue 3.11 user access control on S3 storage

In the current implementation of the S3 Browser in Hue, there is no impersonation,
so everybody has the credentials of the S3 keys given to Hue.

This is why the feature is only for Hue admins or requires a special Hue
permission.

In the future, proper impersonation will be provided, but this is not
provided by S3 yet.
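
An added illustration (not from the thread and not Hue's own code) of the behaviour described in the replies above: Hue's only per-user check is "admin or S3 permission", after which the single shared key decides everything. The policy, bucket names and users are constructed, and the IAM evaluation is a simplified assumption (Allow/Deny with wildcards only, no Condition, NotAction or bucket policies).

```python
from fnmatch import fnmatchcase

# Constructed sample: IAM policy attached to the one S3 key pair given to Hue.
SHARED_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::analytics-shared",
                      "arn:aws:s3:::analytics-shared/*"]},
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::finance-restricted/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::finance-restricted/archive/*"},
    ],
}

# Constructed Hue users: name -> (is_hue_admin, has_s3_permission)
HUE_USERS = {"alice": (True, False), "bob": (False, True), "carol": (False, False)}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def key_allows(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, else any matching Allow."""
    allowed = False
    for st in policy["Statement"]:
        hit = (any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"]))
               and any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed


def hue_user_can(user, action, resource, policy=SHARED_KEY_POLICY):
    """Hue gate (admin or S3 permission), then the shared key decides for everyone."""
    is_admin, has_s3 = HUE_USERS[user]
    return (is_admin or has_s3) and key_allows(policy, action, resource)


def broad_statements(policy):
    """Allow statements with wildcard actions: every gated Hue user inherits them."""
    return [st for st in policy["Statement"] if st["Effect"] == "Allow"
            and any("*" in a for a in _as_list(st["Action"]))]
```

Because no user identity reaches the key evaluation, narrowing what a Hue user can touch in this model means narrowing the policy on the shared key or withholding the Hue S3 permission.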
New Contributor
Posts: 3
Registered: ‎03-07-2016

Re: Hue 3.11 user access control on S3 storage

Hi Romain - I assume impersonation was not added in CDH5.11 (did not see it in release notes) - any rough timeline for adding this? Thanks!
Cloudera Employee
Posts: 702
Registered: ‎07-30-2013

Re: Hue 3.11 user access control on S3 storage

No, it wasn't, as there is no system yet to handle multiple keys and it
should not be Hue handling all the user keys.