Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Urgent:HUE LDAP Super User Issue

avatar
Explorer


We recently were trying to integrate HUE on our EMR by authenticating via LDAP authentication. Based on the documentation on HUE the first user that logins will become the superuser.Our end goal is to make members of a Active Directory group super users.Having any first user being the super user makes the emr vulnerable and can give superuser access to people who shouldnt have super user access.How can we add a filter in hue.ini file or any file that will give superuser access to only members of a active directory group.

1 ACCEPTED SOLUTION

avatar
Explorer

@bgooley @Tomas79

 

I ended up loging in a user when the EMR is launching in the bootstrap action.I did this via curl commands.This will avoid any user being given super user status.

 

For anyone needing guidance on the workaround you could follow the below steps.

 

1) Curl command to get the cookie.txt(it has the session id and csrf token) file.

2) Curl command to login(You have to grep from the cookie.txt file the session id and csrftoken) 

 

If anyone has a better idea please let me know

View solution in original post

7 REPLIES 7

avatar
Master Guru

@Timothy,

 

I believe the feature you are seeking has been introduced to the codebase only in the last few months:

 

https://issues.cloudera.org/browse/HUE-7407

 

This fix is likely to make it into CDH 6.1 but I don't think there are plans to add it to 5.15.x.

avatar
Explorer

Thank you for your response. So what would be best option to solve this issue.When we rehydrate our EMR the Superuser is no longer in the system. Currently I login before anyone logins to avoid giving access to people who shouldnt have access.Also what do we need to do to get  the 6.1 update when it is up.

Curently 

             user_filter=(|(memberof=CN=admingroup,OU=ouname,DC=stuff,DC=stuff1,DC=stuff2,DC=stuff3)                                               (memberof=CN=nonadmingroup,OU=ouname,DC=stuff,DC=stuff1,DC=stuff2,DC=stuff3)),
             user_name_attr=cn

             NO FILTERS IN GROUP

This will only give access to people in those AD groups.I want the admingroup get superuser access.

 

 

avatar
Master Guru

@Timothy,

 

I'm not sure what "rehydrate our EMR the Superuser is no longer in the system." means.  Are you deleting your Hue database users from Hue itself? 

 

The is_superuser flag is associated with your user Hue user in the Hue database.  Once there is an LDAP-authenticated user that is a superuser, no other users will be able to become superuser without you granting that access explicitly.

 

If you want to clean out the Hue users from the Hue database and start over while protecting a random user from getting superuser access as the first user to log in, you could temporarily configure the search filter to only return your user.  Once you have logged into Hue, change the filter back to what you want and start over.

 

Please visit the Cloudera upgrade documentation to review what is required for upgrading when the time comes.  It is a big upgrade and can require some manual processes especially if you use Solr.

 

It will be available for download when it is released to the public

 

 

avatar
Explorer

@bgooley

 

Regarding "Rehydrate our EMR the Superuser is no longer in the system

 

We launch our EMR on AWS via CLoud Formation Template(CFT).Hue is enabled on our EMR.We delete our CFT every two months or so which tears down our EMR which has HUE enabled and rehydrate a new EMR with HUE enabled.Whatever user data we had in the old EMR is deleted now.This causes the problem where the first user who logins become the superuser.We where wondering if we can add a filter  like the user_filter or another work around to avoid this situation.

 

avatar
Maybe off topic: but even with LDAP how do you want to implement security? (PErmissions on tables, databases). I suspect your EMR is not using Kerberos right?

avatar
Explorer

@Tomas79

 

When you say security I am guessing regarding the login's. We currently are securing the authentication by limiting the users to only certain AD groups in the user_filter section in hue.ini.

 

The issue we are having is with first user that logins after the EMR is launched is being given superuser status.I want the super user status to be given to only members of a certain admin AD group.

avatar
Explorer

@bgooley @Tomas79

 

I ended up loging in a user when the EMR is launching in the bootstrap action.I did this via curl commands.This will avoid any user being given super user status.

 

For anyone needing guidance on the workaround you could follow the below steps.

 

1) Curl command to get the cookie.txt(it has the session id and csrf token) file.

2) Curl command to login(You have to grep from the cookie.txt file the session id and csrftoken) 

 

If anyone has a better idea please let me know