https://community.cloudera.com/t5/Archives-of-Support-Questions/Hue-and-Oozie-security-users-can-access-resources-they/m-p/80139#M83651 Regarding the 1st point, are you using Sentry? I am quite sure, that in correct configuration the HDFS is not browsable from Hue if the owner/group does not match.<BR />Or.. maybe you have ACLs enabled on HDFS, and on this directory from the print screen there are more permissions. If you have acls enabled, then check it by hdfs dfs -getfacl &lt;path&gt; Thu, 20 Sep 2018 19:10:10 GMT Tomas79 2018-09-20T19:10:10Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Hue-and-Oozie-security-users-can-access-resources-they/m-p/80025#M83650 <P>Hello,</P><P>&nbsp;</P><P>I ask here for an advice on<SPAN>&nbsp;</SPAN>hue configuration.</P><P>We are developing a KDC security-enabled cluster with multiple users belonging to various groups.</P><P>Currently<SPAN>&nbsp;</SPAN>we rely heavily on Hue and Oozie workflows that are designed from Hue.</P><P>Users create their&nbsp;workflows under their user in Hue.&nbsp;Workflows of a particular user are not accessible to others from the list of workflows, unless explicitly shared, which is fine.&nbsp;</P><P>&nbsp;</P><P>However there are problems we'd like to solve:</P><P>&nbsp;</P><P>1.&nbsp;Other&nbsp;users still can access workspaces of those workflows&nbsp;via<SPAN>&nbsp;</SPAN>HDFS, either with Hue's "File browser" or directly via&nbsp;hdfs command. Particulary from Hue, seems that anyone can access workspace directory and even open its files, even if&nbsp;I explicitly change the dir and files permission to 600. (See screenshot attached)</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="hue-permissions.png" style="width: 600px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/4832iCD3A4B7AC4E5B0D1/image-size/large?v=v2&amp;px=999" role="button" title="hue-permissions.png" alt="hue-permissions.png" /></span></P><P>&nbsp;</P><P>2. The properties of the launched workflows can be seen by&nbsp;other users in the "Configuration" tab, regardless of their&nbsp;permissions on the workflow. Can those values be hidden somehow?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="hue-configuration-permissions.png" style="width: 600px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/4833iE473701B8DC3DC91/image-size/large?v=v2&amp;px=999" role="button" title="hue-configuration-permissions.png" alt="hue-configuration-permissions.png" /></span></P><P>&nbsp;</P><P>Thanks in advance!</P><P>&nbsp;</P> Tue, 21 Apr 2026 13:43:51 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Hue-and-Oozie-security-users-can-access-resources-they/m-p/80025#M83650 elkarel 2026-04-21T13:43:51Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Hue-and-Oozie-security-users-can-access-resources-they/m-p/80139#M83651 Regarding the 1st point, are you using Sentry? I am quite sure, that in correct configuration the HDFS is not browsable from Hue if the owner/group does not match.<BR />Or.. maybe you have ACLs enabled on HDFS, and on this directory from the print screen there are more permissions. If you have acls enabled, then check it by hdfs dfs -getfacl &lt;path&gt; Thu, 20 Sep 2018 19:10:10 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Hue-and-Oozie-security-users-can-access-resources-they/m-p/80139#M83651 Tomas79 2018-09-20T19:10:10Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Hue-and-Oozie-security-users-can-access-resources-they/m-p/80379#M83652 <P>Hi Thomas,</P><P>&nbsp;</P><P>Thank you for your response. We are not using Sentry.</P><P>The output of getfacl is:</P><P>&nbsp;</P><P><FONT face="courier new,courier" size="2">hdfs dfs -getfacl /user/hue/oozie/workspaces/hue-oozie-1538051691.26</FONT><BR /><FONT face="courier new,courier" size="2"># file: /user/hue/oozie/workspaces/hue-oozie-1538051691.26</FONT><BR /><FONT face="courier new,courier" size="2"># owner: SVC_CTOS_SENTILO</FONT><BR /><FONT face="courier new,courier" size="2"># group: hue</FONT><BR /><FONT face="courier new,courier" size="2">getfacl: The ACL operation has been rejected. Support for ACLs has been disabled by setting dfs.namenode.acls.enabled to false.</FONT></P><P>&nbsp;</P><P>Incidently, I am even&nbsp;able to edit the file that is at 0600, being owned&nbsp;by another user.</P><P>I also created a 0600 folder and inside a 0600 file. Same behaviour.</P><P>Both users are in hadoop and hue group, but that shouldn't be a problem, since as far as I understand it, 0600 means only the owner of the file should be able to read an write, and nobody else.</P><P>The owner of the file is SVC_CTOS_SENTILO, from Hue as well from hdfs dfs CLI command.</P><P>&nbsp;</P><P>Thank you,</P><P>Best Regards</P> Thu, 27 Sep 2018 13:11:57 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Hue-and-Oozie-security-users-can-access-resources-they/m-p/80379#M83652 elkarel 2018-09-27T13:11:57Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Hue-and-Oozie-security-users-can-access-resources-they/m-p/80411#M83653 <P>All solved, it was a misconfiguration of HDFS.</P><P>The property&nbsp;dfs.permissions was set to false (!).</P><P>&nbsp;</P><P>Thanks!</P> Fri, 28 Sep 2018 07:17:34 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Hue-and-Oozie-security-users-can-access-resources-they/m-p/80411#M83653 elkarel 2018-09-28T07:17:34Z