Support Questions

Find answers, ask questions, and share your expertise

[HUE CDH 6.0] All users login in as superusers and LDAP filters not working.


Hello my dear gods of the Big Data!


I'm having the following problems:


Problem #1 - all users are login in as superusers. How is this possible? I have a 5.12 cluster and this isn't happening. On a the new one (CDH 6), Hue is giving this permission to everyone. What am I missing?


Problem #2 - LDAP configuration. Hue isn't using my filters!?


LDAP Configuration:


Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini



Authentication Backend (LdapBackend ldap_url) - ldap://stuff1.stuff2.stuff3:389

LDAP Username Pattern (ldap_username_pattern) - empty

Use Search Bind Authentication (search_bind_authentication) - True

Create LDAP users on login (create_users_on_login) - True

LDAP Search Base (base_dn) - dc=stuff1,dc=stuff2,dc=stuff3
LDAP Bind User Distinguished Name (bind_dn) - CN=user,OU=stuff4,DC=stuff1,DC=stuff2,DC=stuff3
LDAP Bind Password (bind_password) - •••••••••••••••••••••
LDAP User Filter (user_filter) - empty
LDAP Username Attribute (user_name_attr) - sAMAccountName
LDAP Group Filter (group_filter) - (&(objectClass=group)(cn=GBGDATA*))
LDAP Group Name Attribute (group_name_attr) - cn
LDAP Group Membership Attribute (group_member_attr) - member
The idea behind this configuration is to filter all accesses to users that belong to all groups which start with "GBGDATA". 

In access.log, debug shows this:
[26/Oct/2018 14:57:52 +0100] DEBUG search_s('dc=stuff1,dc=stuff2,dc=stuff3', 2, '(&(sAMAccountName=%(user)s)(objectclass=*))') returned 1 objects: cn=myuser,ou=stuff5,dc=stuff1,dc=stuff2,dc=stuff3
[26/Oct/2018 14:57:52 +0100] DEBUG Populating Django user myuser
[26/Oct/2018 14:57:53 +0100] WARNING myuser - "POST /hue/accounts/login HTTP/1.1"-- Successful login for user: myuser
Why in the hell HUE is using:

Instead of what I've set above???


Thanks everyone!



We manage to find a... sort of... solution... I think... at least... it seems to be working.



LDAP User Filter (user_filter) from empty to 

(|(memberOf=CN=GBGDATA1,OU=stuff4, OU=stuff5,DC=stuff1,DC=stuff2,DC=stuff3) (memberOf=CN=GBGDATA2,OU=stuff4, OU=stuff5,DC=stuff1,DC=stuff2,DC=stuff3)(memberOf=CN=GBGDATA3,OU=stuff4, OU=stuff5,DC=stuff1,DC=stuff2,DC=stuff3))

LDAP Group Filter (group_filter) from (&(objectClass=group)(cn=GBGDATA*)) to (objectClass=group)
Is there anyway of doing this but with a wildcard *? Like GBGDATA*?
If we need to put more groups... this is going to become a huge pain in the a...




Did you find an answer to "Problem #1 - all users are login in as superusers. How is this possible? I have a 5.12 cluster and this isn't happening. On a the new one (CDH 6), Hue is giving this permission to everyone. What am I missing?"


We are facing the same issue now 

Super Guru

Hi @Timothy,


The issue with superusers is a bug resolved in this upstream Jira:


There is no CDH release with the fix at this time but it is slated for CDH 6.1.1 (targeted for release in February)

If you need the fix sooner, you could try applying the changes to your code based on the upstream fix.


@JoaoBarreto   Based on our research it looks like the fix for all users being super users is in the but hasn't been merged to master.I see a lot of bugs in the newer versions. We have got several issues with the new hue version which we didnt have before. For example tls doesn't seem to work anymore and it has to be LDAPS.Our EMR is due for upgrades and all these issues are delaying the progress.