Enable SSL Encryption Between Hue and HttpFS

About this task

As of HttpFS 1.0-1504 and Hue 3.7-1505, you can enable SSL encryption and mutual-based authentication between Hue and HttpFS on a secure MapR cluster that is version 4.0.2 or greater.

Complete the following steps to enable SSL encryption and mutual-based authentication between Hue and HttpFS on a secure cluster:

Procedure

  1. Configure HttpFS to use SSL or verify that HttpFS is configured to use SSL. For details, see SSL Security for HttpFS.
  2. Set the webhdfs_url property in the [hadoop] [[hdfs_clusters]] [[[default]]] section of the hue.ini file to contain the correct URL for HttpFS with the HTTPS schema and domain of the HttpFS server: 
    [hadoop]
  [[hdfs_clusters]]
    [[[default]]]
      # Use WebHdfs/HttpFs as the communication mechanism.
      # Domain should be the NameNode or HttpFs host.
      # Default port is 14000 for HttpFs.
      webhdfs_url=https://node1.cluster.com:14000/webhdfs/v1
  3. You can enable or disable Hue verification of service certificates by configuring ssl_cacerts and ssl_validate properties in the [desktop] section of the hue.ini file.
    Example for enabling certificate verification: 
    [desktop]
   ...
              
  # Path to default Certificate Authority certificates. As example: /path/to/cacert.pem
  ssl_cacerts=/opt/mapr/conf/ssl_truststore.pem
              
  # Choose whether Hue should validate certificates received from the server.
  ssl_validate=true
    Example for disabling certificate verification: 
    [desktop]
   ...
              
  # Path to default Certificate Authority certificates. As example: /path/to/cacert.pem
  # ssl_cacerts=
              
  # Choose whether Hue should validate certificates received from the server.
  ssl_validate=false
  4. [OPTIONAL] Configure mutual authentication between Hue and HttpFS. Add the following configuration in the hue.ini file under the [hadoop] [[hdfs_clusters]] [[[default]]] section. 
    • mutual_ssl_auth=True
    • ssl_cert=/path/to/certificate.pem
    • ssl_key=/path/to/private_key.pem
    Use absolute paths for ssl_cert and ssl_key. Hue does not support private keys with a passphrase in this step.

    The changes are summarized in the following example in the hue.ini file, which you can use as a template: 

    [hadoop]
 [[hdfs_clusters]]
  # HA support by using HttpFs
 [[[default]]]
  # Use WebHdfs/HttpFs as the communication mechanism.
  # Domain should be the NameNode or HttpFs host.
  # Default port is 14000 for HttpFs.
  webhdfs_url=https://node1.cluster.com:14000/webhdfs/v1
      ....
  # SSL certificate based authentication
  ssl_cert=/path/to/certificate.pem
  ssl_key=/path/to/private_key.pem
  5. Restart Hue. 
    maprcli node services -name hue -action start -nodes <ip_address>
  6. To test that SSL encryption is enabled for HttpFS, run the following command: 
    curl -k --cert /path/to/certificate.pem --key /path/to/private_key.pem
"https://node1.cluster.com:14000/webhdfs/v1?op=GETFILESTATUS&user.name=mapr"