Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Hue 3.11 user access control on S3 storage

Labels:
avatar
author-rank vsreddy
Explorer

Created on ‎02-03-2017 11:04 AM - edited ‎09-16-2022 04:00 AM

We have HUE 3.11 running with HDFS 2.7.3 version. We are working on, how to control HUE user access to S3 storage buckets and folders. Currently all user can see all s3 storage buckets and its folders. Please suggest solution on how we can limit access to S3 storage based on user roles.

Technologies, we are using are:

  • AWS Active Directory
  • HDFS 2.7.3 version without kerberization
  • HUE 3.11 version cunning on separate node from Hadoop cluster

 

10,200 Views
0 Kudos
1
1 ACCEPTED SOLUTION

avatar
author-rank Romainr author-rank
Super Guru

Created ‎03-27-2017 08:36 AM

In current implementation of S3 Browser in Hue, there is no impersonation,
so everybody has the credentials of the S3 keys given to Hue.

This is why the feature is only for Hue Admin or requires a special Hue
permissions.

In the future, a proper impersonation will be provided, but this is not
provided by S3 yet.

View solution in original post

9,754 Views
0 Kudos
0
9 REPLIES 9

avatar
saranvisa author-rank
Champion

Created ‎02-03-2017 12:02 PM

@vsreddy

 

You may need to follow the ACL conept, pls refer the below link, it has very high level information about security

 

https://community.cloudera.com/t5/Security-Apache-Sentry/Hadoop-Security-for-beginners/m-p/48576#M17...

 

Thanks

Kumar

9,985 Views

avatar
author-rank Romainr author-rank
Super Guru

Created ‎02-06-2017 09:05 AM

Hue is currently using Boto API which is not relying on Hadoop for now (and
bypassing Sentry). So each user you grant access to S3 will have the
permissions of the S3 credentials.

This is why S3 access currently requires to be a Hue admin or have the S3
permission.

In the medium/long term, HttpFs will support S3 and Hue will switch to it.

Current S3 integration in Hue is more focus on transient / single user
cluster in the Cloud (to get S3 autocomplete / drag&drop to upload a file
or export results to S3). With HttpFs S3, it will work well for muli user
as Sentry permission will be enforced on top of the S3 credentials.
9,945 Views

avatar
author-rank vsreddy
Explorer

Created on ‎03-09-2017 12:15 PM - edited ‎03-09-2017 12:17 PM

The link you have provided is talking about Hadoop ACLs.

https://community.cloudera.com/t5/Security-Apache-Sentry/Hadoop-Security-for-beginners/m-p/48576#M17...

 

 

Issue here is how I can control access to S3 buckets and objects based on HUE (3.11) login credentials. I mean when I login to HUE with my credentials, I should see S3 object only  i have  Privilieges (Read, write,Delete). Appreciate any thoughts to resolve this issue.

 

9,845 Views
0 Kudos

avatar
saranvisa author-rank
Champion

Created ‎03-09-2017 12:31 PM

@vsreddy

 

For object based security you have to implement Sentry

 

1. Install Kerberos (Pre-request: for Sentry)
2. Enabling Kerberos Authentication for Hadoop (Pre-request: Kerberos Installation is different from enable Kerberos to Hadoop)
http://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_intro_kerb.html

3. Add Sentry Service in cluster
4. Enable Sentry service for Hive & Impala.
http://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_sentry_service.html
5. Create necessary groups, users in OS and match the same with Hue. You can try this manually for few users/group for testing purpose...

Ex: For Role creation 

https://community.cloudera.com/t5/Security-Apache-Sentry/How-to-create-the-following-user-roles/m-p/...

 

9,839 Views

avatar
author-rank Romainr author-rank
Super Guru

Created ‎03-27-2017 08:36 AM

In current implementation of S3 Browser in Hue, there is no impersonation,
so everybody has the credentials of the S3 keys given to Hue.

This is why the feature is only for Hue Admin or requires a special Hue
permissions.

In the future, a proper impersonation will be provided, but this is not
provided by S3 yet.
9,755 Views
0 Kudos
0

avatar
author-rank superhadooper
New Contributor

Created ‎05-03-2017 01:18 AM

Hi Romain - I assume impersonation was not added in CDH5.11 (did not see it in release notes) - any rough timeline for adding this? Thanks!
9,482 Views
0 Kudos

avatar
author-rank Romainr author-rank
Super Guru

Created ‎05-03-2017 06:16 AM

No it wasn't, as there is no system yet to handle multiple keys and it
should not be Hue's handling all the user keys.
9,472 Views
0 Kudos

avatar
author-rank alexmc6
Explorer

Created ‎04-25-2018 02:46 AM

Hello, 

 

Sorry to revive an old thread but I would like to know if it is still true. 

 

I too am hit by this problem and, as described above, we have removed the S3 file browser for everyone. 

 

However I am thinking of upgrading my version of Hue as part of a move to a more recent CDH. 

 

Is this issue fixed in any more advanced versions of Hue? Do they talk to Hadoop for access permissions - and thus Sentry?

 

Thanks

7,828 Views
0 Kudos

avatar
author-rank Tomas79
Guru

Created ‎11-06-2018 04:22 AM

I have the same question too..
6,143 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements