Hue 3.11 user access control on S3 storage

Explorer

We have HUE 3.11 running with HDFS 2.7.3 version. We are working on how to control HUE user access to S3 storage buckets and folders. Currently all users can see all S3 storage buckets and their folders. Please suggest a solution on how we can limit access to S3 storage based on user roles.

Technologies, we are using are:

  • AWS Active Directory
  • HDFS 2.7.3 version without kerberization
  • HUE 3.11 version running on separate node from Hadoop cluster

1 ACCEPTED SOLUTION

Super Guru
In current implementation of S3 Browser in Hue, there is no impersonation,
so everybody has the credentials of the S3 keys given to Hue.

This is why the feature is only for Hue Admin or requires a special Hue
permissions.

In the future, a proper impersonation will be provided, but this is not
provided by S3 yet.

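Because every Hue user with S3 access acts with the one key pair configured in Hue, the IAM policy attached to that key is the only boundary available. The sketch below is an added example, not part of the thread and not Hue or Cloudera code: it builds a prefix-scoped policy for that key and checks requests against it with a simplified evaluator. The bucket name `analytics-shared` and prefix `hue/common` are constructed, and the evaluator covers Allow statements only.

```python
import json
from fnmatch import fnmatchcase

def hue_key_policy(bucket, prefixes, writable=False):
    """IAM policy for the single key pair configured in Hue (names are constructed)."""
    prefixes = [p.strip("/") + "/" for p in prefixes]
    object_actions = ["s3:GetObject"]
    if writable:
        object_actions += ["s3:PutObject", "s3:DeleteObject"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # listing is allowed only under the shared prefixes
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": [p + "*" for p in prefixes]}},
            },
            {   # object reads (and optionally writes) under the same prefixes
                "Effect": "Allow",
                "Action": object_actions,
                "Resource": [f"arn:aws:s3:::{bucket}/{p}*" for p in prefixes],
            },
        ],
    }

def key_allows(policy, action, bucket, key=""):
    """Simplified evaluation (Allow statements only, no explicit Deny handling).

    For s3:ListBucket, `key` is the prefix being listed.
    """
    is_list = action == "s3:ListBucket"
    arn = f"arn:aws:s3:::{bucket}" if is_list else f"arn:aws:s3:::{bucket}/{key}"
    for st in policy["Statement"]:
        if action not in st["Action"]:
            continue
        if not any(fnmatchcase(arn, r) for r in st["Resource"]):
            continue
        patterns = st.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if patterns is None or any(fnmatchcase(key, p) for p in patterns):
            return True
    return False

if __name__ == "__main__":
    policy = hue_key_policy("analytics-shared", ["hue/common"])
    print(json.dumps(policy, indent=2))
    # Any Hue user with the S3 permission gets exactly these answers:
    for action, key in [("s3:GetObject", "hue/common/a.csv"),
                        ("s3:GetObject", "finance/payroll.csv"),
                        ("s3:PutObject", "hue/common/a.csv")]:
        print(action, key, key_allows(policy, action, "analytics-shared", key))
```

The result is the same for every Hue login, which is the limitation described in the answer above: the policy narrows what the shared key can reach, it does not separate one Hue user from another.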

9 REPLIES 9

Champion

@vsreddy

You may need to follow the ACL concept, pls refer to the link below, it has very high level information about security

https://community.cloudera.com/t5/Security-Apache-Sentry/Hadoop-Security-for-beginners/m-p/48576#M17...

Thanks

Kumar

Super Guru
Hue is currently using Boto API which is not relying on Hadoop for now (and
bypassing Sentry). So each user you grant access to S3 will have the
permissions of the S3 credentials.

This is why S3 access currently requires being a Hue admin or having the S3
permission.

In the medium/long term, HttpFs will support S3 and Hue will switch to it.

Current S3 integration in Hue is more focused on transient / single user
cluster in the Cloud (to get S3 autocomplete / drag&drop to upload a file
or export results to S3). With HttpFs S3, it will work well for multi user
as Sentry permission will be enforced on top of the S3 credentials.

Explorer

The link you have provided is talking about Hadoop ACLs.

https://community.cloudera.com/t5/Security-Apache-Sentry/Hadoop-Security-for-beginners/m-p/48576#M17...

Issue here is how I can control access to S3 buckets and objects based on HUE (3.11) login credentials. I mean when I login to HUE with my credentials, I should see only the S3 objects I have privileges for (Read, Write, Delete). Appreciate any thoughts to resolve this issue.

Champion

@vsreddy

For object based security you have to implement Sentry

1. Install Kerberos (Prerequisite: for Sentry)
2. Enabling Kerberos Authentication for Hadoop (Prerequisite: Kerberos Installation is different from enable Kerberos to Hadoop)
http://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_intro_kerb.html

3. Add Sentry Service in cluster
4. Enable Sentry service for Hive & Impala.
http://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_sentry_service.html
5. Create necessary groups, users in OS and match the same with Hue. You can try this manually for few users/group for testing purpose...

Ex: For Role creation

https://community.cloudera.com/t5/Security-Apache-Sentry/How-to-create-the-following-user-roles/m-p/...


New Contributor
Hi Romain - I assume impersonation was not added in CDH5.11 (did not see it in release notes) - any rough timeline for adding this? Thanks!

Super Guru
No it wasn't, as there is no system yet to handle multiple keys and it
should not be Hue's handling all the user keys.

Explorer

Hello,

Sorry to revive an old thread but I would like to know if it is still true.

I too am hit by this problem and, as described above, we have removed the S3 file browser for everyone.

However I am thinking of upgrading my version of Hue as part of a move to a more recent CDH.

Is this issue fixed in any more advanced versions of Hue? Do they talk to Hadoop for access permissions - and thus Sentry?

Thanks

I have the same question too..