Enable SSL Encryption Between Hue and HttpFS

About this task

As of HttpFS 1.0-1504 and Hue 3.7-1505, you can enable SSL encryption and mutual-based authentication between Hue and HttpFS on a secure cluster that is version 4.0.2 or greater.

Complete the following steps to enable SSL encryption and mutual-based authentication between Hue and HttpFS on a secure cluster:

Procedure

  1. Configure HttpFS to use SSL or verify that HttpFS is configured to use SSL. For details, see SSL Security for HttpFS.
  2. Set the webhdfs_url property in the [hadoop] [[hdfs_clusters]] [[[default]]] section of the hue.ini file to contain the correct URL for HttpFS with the HTTPS schema and domain of the HttpFS server:
    [hadoop]
      [[hdfs_clusters]]
        [[[default]]]
          # Use WebHdfs/HttpFs as the communication mechanism.
          # Domain should be the NameNode or HttpFs host.
          # Default port is 14000 for HttpFs.
          webhdfs_url=https://node1.cluster.com:14000/webhdfs/v1
  3. You can enable or disable Hue verification of service certificates by configuring ssl_cacerts and ssl_validate properties in the [desktop] section of the hue.ini file.
    Example for enabling certificate verification:
    [desktop]
       ...
                  
      # Path to default Certificate Authority certificates. As example: /path/to/cacert.pem
      ssl_cacerts=/opt/mapr/conf/ssl_truststore.pem
                  
      # Choose whether Hue should validate certificates received from the server.
      ssl_validate=true
    Example for disabling certificate verification:
    [desktop]
       ...
                  
      # Path to default Certificate Authority certificates. As example: /path/to/cacert.pem
      # ssl_cacerts=
                  
      # Choose whether Hue should validate certificates received from the server.
      ssl_validate=false
  4. [OPTIONAL] Configure mutual authentication between Hue and HttpFS. Add the following configuration in the hue.ini file under the [hadoop] [[hdfs_clusters]] [[[default]]] section.
    • mutual_ssl_auth=True
    • ssl_cert=/path/to/certificate.pem
    • ssl_key=/path/to/private_key.pem
    Use absolute paths for ssl_cert and ssl_key. Hue does not support private keys with a passphrase in this step.

    The changes are summarized in the following example in the hue.ini file, which you can use as a template:

    [hadoop]
     [[hdfs_clusters]]
      # HA support by using HttpFs
     [[[default]]]
      # Use WebHdfs/HttpFs as the communication mechanism.
      # Domain should be the NameNode or HttpFs host.
      # Default port is 14000 for HttpFs.
      webhdfs_url=https://node1.cluster.com:14000/webhdfs/v1
          ....
      # SSL certificate based authentication
      ssl_cert=/path/to/certificate.pem
      ssl_key=/path/to/private_key.pem
  5. Restart Hue.
    maprcli node services -name hue -action start -nodes <ip_address>
  6. To test that SSL encryption is enabled for HttpFS, run the following command:
    curl -k --cert /path/to/certificate.pem --key /path/to/private_key.pem
    "https://node1.cluster.com:14000/webhdfs/v1?op=GETFILESTATUS&user.name=mapr"