11-07-2018 01:49 PM
We recently were trying to integrate HUE on our EMR by authenticating via LDAP authentication. Based on the documentation on HUE the first user that logins will become the superuser.Our end goal is to make members of a Active Directory group super users.Having any first user being the super user makes the emr vulnerable and can give superuser access to people who shouldnt have super user access.How can we add a filter in hue.ini file or any file that will give superuser access to only members of a active directory group.
11-07-2018 05:26 PM
11-08-2018 06:38 AM - edited 11-08-2018 08:08 AM
Thank you for your response. So what would be best option to solve this issue.When we rehydrate our EMR the Superuser is no longer in the system. Currently I login before anyone logins to avoid giving access to people who shouldnt have access.Also what do we need to do to get the 6.1 update when it is up.
NO FILTERS IN GROUP
This will only give access to people in those AD groups.I want the admingroup get superuser access.
11-08-2018 03:04 PM
I'm not sure what "rehydrate our EMR the Superuser is no longer in the system." means. Are you deleting your Hue database users from Hue itself?
The is_superuser flag is associated with your user Hue user in the Hue database. Once there is an LDAP-authenticated user that is a superuser, no other users will be able to become superuser without you granting that access explicitly.
If you want to clean out the Hue users from the Hue database and start over while protecting a random user from getting superuser access as the first user to log in, you could temporarily configure the search filter to only return your user. Once you have logged into Hue, change the filter back to what you want and start over.
Please visit the Cloudera upgrade documentation to review what is required for upgrading when the time comes. It is a big upgrade and can require some manual processes especially if you use Solr.
It will be available for download when it is released to the public
11-09-2018 06:29 AM - edited 11-09-2018 01:16 PM
Regarding "Rehydrate our EMR the Superuser is no longer in the system"
We launch our EMR on AWS via CLoud Formation Template(CFT).Hue is enabled on our EMR.We delete our CFT every two months or so which tears down our EMR which has HUE enabled and rehydrate a new EMR with HUE enabled.Whatever user data we had in the old EMR is deleted now.This causes the problem where the first user who logins become the superuser.We where wondering if we can add a filter like the user_filter or another work around to avoid this situation.
11-09-2018 01:12 PM - edited 11-09-2018 01:20 PM
When you say security I am guessing regarding the login's. We currently are securing the authentication by limiting the users to only certain AD groups in the user_filter section in hue.ini.
The issue we are having is with first user that logins after the EMR is launched is being given superuser status.I want the super user status to be given to only members of a certain admin AD group.
11-16-2018 09:04 AM - edited 11-16-2018 01:00 PM
I ended up loging in a user when the EMR is launching in the bootstrap action.I did this via curl commands.This will avoid any user being given super user status.
For anyone needing guidance on the workaround you could follow the below steps.
1) Curl command to get the cookie.txt(it has the session id and csrf token) file.
2) Curl command to login(You have to grep from the cookie.txt file the session id and csrftoken)
If anyone has a better idea please let me know