Support Questions

Find answers, ask questions, and share your expertise

Hue - Retrieval of LDAP Group Membership when Users Log In - Direct Bind

avatar
Explorer

Could someone clarify a couple of things for me please?

 

1. When you have set up Hue (2.5, within CDH4.6) to use direct bind LDAP authentication, when a user logs in, should their LDAP groups automatically come through as well and be shown as groups within Hue's User Admin pages? For reference i'm trying this against OpenLDAP as the LDAP server, and whilst I can direct bind authenticate as a user, and seperately import in LDAP groups, I can't seem to automatically retrieve the users' groups when they log in even though I've set the "member" LDAP attribute etc in the LDAP settings.

 

2. Is there any way to configure Hue in direct bind mode to only allow users who belong to certain groups in LDAP to log in? For example, if I assign users to two groups - HUE_ADMIN and HUE_USER - can I configure Hue to only give access to those groups, and deny everyone else access (even if they've entered otherwise valid LDAP credentials in direct bind mode)?

 

3. Finally - is there any way to automatically assign Hue Superuser status to direct bind LDAP users based on membership of a certain LDAP group (for example, HUE_ADMIN?)

 

thanks

 

Mark

1 ACCEPTED SOLUTION

avatar
Explorer

For the benefit of others reading this thread, I managed to get an answer via our Oracle (Big Data Appliance) support agreement, who in-turn asked Cloudera for the answer. Here's the response (edited);

 

"1. Hue only gets group membership from its internal DB. Rather than manually adding users, Hue can import users & groups from LDAP. Also the LDAP group membership is updated when the sync users/groups is run. This section of the documentation describes common configurations:

http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH5/latest/CDH5-Security-Guide/cdh5s...

 

Below are a few blogs that explain some of the details.

 

How-to: Make Hadoop Accessible via LDAP
http://blog.cloudera.com/blog/2014/02/how-to-make-hadoop-accessible-via-ldap/

 

How-to: Manage Permissions in Hue
http://blog.cloudera.com/blog/2012/12/managing-permissions-in-hue/

 

2. Currently there is no way to limit users login based on group. The sync process only brings in users already defined for Hue. You can import users from and LDAP by defining a user filter. The process is described in the blog " How-to: Make Hadoop Accessible via LDAP".


Cloudera opened a feature request for you just now, to limit user logins by group membership. It is being tracked by internal JIRA CDH-20336. 

 

3. However you can add useradmin rights to a particular group. To do this you navigate to User Admin (icon in menu bar) -> permissions (tab). In that screen you can define a group that has admin privileges."

 

Mark

View solution in original post

3 REPLIES 3

avatar
Super Guru

avatar
Explorer

Thanks, I've read that doc (and the rest of the online docs) and it doesn't really answer my questions.


For example, it says "With the Hue LDAP integration, users can use their LDAP credentials to authenticate and inherit their existing groups transparently", but then later on says "If an LDAP user needs to be part of a certain group and have a particular set of permissions, then this user can be imported via the Useradmin interface" - hence my question as to whether users that come in via direct bind authentication automatically are assigned to groups within Hue - or whether I need to separately import groups, then manually add the users to the groups in Hue.

 

And it doesn't address my second or third questions, either.

 

Is there anyone from the Hue team who can answer my specific questions?

 

thanks in advance

 

Mark

avatar
Explorer

For the benefit of others reading this thread, I managed to get an answer via our Oracle (Big Data Appliance) support agreement, who in-turn asked Cloudera for the answer. Here's the response (edited);

 

"1. Hue only gets group membership from its internal DB. Rather than manually adding users, Hue can import users & groups from LDAP. Also the LDAP group membership is updated when the sync users/groups is run. This section of the documentation describes common configurations:

http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH5/latest/CDH5-Security-Guide/cdh5s...

 

Below are a few blogs that explain some of the details.

 

How-to: Make Hadoop Accessible via LDAP
http://blog.cloudera.com/blog/2014/02/how-to-make-hadoop-accessible-via-ldap/

 

How-to: Manage Permissions in Hue
http://blog.cloudera.com/blog/2012/12/managing-permissions-in-hue/

 

2. Currently there is no way to limit users login based on group. The sync process only brings in users already defined for Hue. You can import users from and LDAP by defining a user filter. The process is described in the blog " How-to: Make Hadoop Accessible via LDAP".


Cloudera opened a feature request for you just now, to limit user logins by group membership. It is being tracked by internal JIRA CDH-20336. 

 

3. However you can add useradmin rights to a particular group. To do this you navigate to User Admin (icon in menu bar) -> permissions (tab). In that screen you can define a group that has admin privileges."

 

Mark