New Contributor
Posts: 5
Registered: ‎11-07-2018

Urgent:HUE LDAP Super User Issue


We were recently trying to integrate HUE on our EMR by authenticating via LDAP authentication. Based on the HUE documentation, the first user that logs in will become the superuser. Our end goal is to make members of an Active Directory group superusers. Having any first user be the superuser makes the EMR vulnerable and can give superuser access to people who shouldn't have superuser access. How can we add a filter in the hue.ini file, or any file, that will give superuser access to only members of an Active Directory group?

Posts: 938
Topics: 1
Kudos: 218
Solutions: 117
Registered: ‎04-22-2014

Re: Urgent:HUE LDAP Super User Issue

@Timothy,

I believe the feature you are seeking has been introduced to the codebase only in the last few months:

https://issues.cloudera.org/browse/HUE-7407

This fix is likely to make it into CDH 6.1 but I don't think there are plans to add it to 5.15.x.

New Contributor
Posts: 5
Registered: ‎11-07-2018

Re: Urgent:HUE LDAP Super User Issue

Thank you for your response. So what would be the best option to solve this issue? When we rehydrate our EMR, the superuser is no longer in the system. Currently I log in before anyone else logs in to avoid giving access to people who shouldn't have access. Also, what do we need to do to get the 6.1 update when it is up?

Currently:

             user_filter=(|(memberof=CN=admingroup,OU=ouname,DC=stuff,DC=stuff1,DC=stuff2,DC=stuff3)(memberof=CN=nonadmingroup,OU=ouname,DC=stuff,DC=stuff1,DC=stuff2,DC=stuff3)),
             user_name_attr=cn

             NO FILTERS IN GROUP

This will only give access to people in those AD groups. I want the admingroup to get superuser access.

Posts: 938
Topics: 1
Kudos: 218
Solutions: 117
Registered: ‎04-22-2014

Re: Urgent:HUE LDAP Super User Issue

@Timothy,

I'm not sure what "rehydrate our EMR the Superuser is no longer in the system." means. Are you deleting your Hue database users from Hue itself?

The is_superuser flag is associated with your Hue user in the Hue database. Once there is an LDAP-authenticated user that is a superuser, no other users will be able to become superuser without you granting that access explicitly.

If you want to clean out the Hue users from the Hue database and start over while protecting a random user from getting superuser access as the first user to log in, you could temporarily configure the search filter to only return your user. Once you have logged into Hue, change the filter back to what you want and start over.

Please visit the Cloudera upgrade documentation to review what is required for upgrading when the time comes. It is a big upgrade and can require some manual processes, especially if you use Solr.

It will be available for download when it is released to the public.
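
The temporary-filter procedure suggested in the reply above, as an added example that is not part of the original thread: it builds the bootstrap and the final `user_filter` values with RFC 4515 escaping, so a name or DN containing `(`, `)`, `*` or `\` cannot change what the filter matches. The group DNs are the placeholders from the thread; the account name `hue.admin`, the helper names, and the extra `memberof` condition on the bootstrap filter are assumptions.

```python
# Added example: build the temporary (bootstrap) and final user_filter values.
# "hue.admin" is a hypothetical account; the DNs are the thread's placeholders.

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_filter(group_dns):
    """OR together memberof clauses, in the shape of the filter posted above."""
    clauses = "".join("(memberof=%s)" % escape_filter_value(dn) for dn in group_dns)
    return "(|%s)" % clauses


def bootstrap_filter(admin_name, admin_group_dn, name_attr="cn"):
    """Temporary filter: returns one named account only, and only while it is
    a member of the admin group, so nobody else can be the first login."""
    return "(&(%s=%s)(memberof=%s))" % (
        name_attr,
        escape_filter_value(admin_name),
        escape_filter_value(admin_group_dn),
    )


ADMIN_DN = "CN=admingroup,OU=ouname,DC=stuff,DC=stuff1,DC=stuff2,DC=stuff3"
USER_DN = "CN=nonadmingroup,OU=ouname,DC=stuff,DC=stuff1,DC=stuff2,DC=stuff3"

if __name__ == "__main__":
    # Phase 1: value to use in hue.ini until the admin has logged in once.
    print("user_filter=" + bootstrap_filter("hue.admin", ADMIN_DN))
    # Phase 2: value to restore afterwards (both AD groups may log in).
    print("user_filter=" + group_filter([ADMIN_DN, USER_DN]))
```
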

New Contributor
Posts: 5
Registered: ‎11-07-2018

Re: Urgent:HUE LDAP Super User Issue

@bgooley

Regarding "Rehydrate our EMR the Superuser is no longer in the system":

We launch our EMR on AWS via a CloudFormation Template (CFT). Hue is enabled on our EMR. We delete our CFT every two months or so, which tears down our EMR, which has HUE enabled, and rehydrate a new EMR with HUE enabled. Whatever user data we had in the old EMR is now deleted. This causes the problem where the first user who logs in becomes the superuser. We were wondering if we can add a filter like the user_filter, or another workaround, to avoid this situation.

 

Master
Posts: 326
Registered: ‎07-01-2015

Re: Urgent:HUE LDAP Super User Issue

Maybe off topic, but even with LDAP, how do you want to implement security (permissions on tables, databases)? I suspect your EMR is not using Kerberos, right?
New Contributor
Posts: 5
Registered: ‎11-07-2018

Re: Urgent:HUE LDAP Super User Issue

@Tomas79

When you say security, I am guessing it is regarding the logins. We are currently securing the authentication by limiting the users to only certain AD groups in the user_filter section in hue.ini.

The issue we are having is that the first user that logs in after the EMR is launched is being given superuser status. I want the superuser status to be given only to members of a certain admin AD group.
