Sunday, September 6, 2015

Establishing HUE LDAP integration and about ticketing filtering auditing issues


In this post , I am writing about how to enable LDAP authentication on HUE service via Cloudera Manager . When we add users in a commercial environment, it is a must to sync users with their existing account on the system. After that , i will show how to track user activities on our clustered system . Note that all configuration operations will be done on Cloudera Manager.

Ok, in this post, i assume there is a preconfigured LDAP server or AD server and a service account to query LDAP server from HUE.

We will use Cloudera Manager to configure LDAP connection.

  • Configuring LDAP connection on CM

First, lets look at how HUE use LDAP when authenticating user. As shown in the following picture, user gets a ticket from Kerberos and logons to HUE. And HUE checks user if it lives on OS as a real user. After that user can reach to Hadoop.

!!!  CAUTION  !!!

At this point it is very important that user in Hadoop not equals to user in traditional OS accounts. 

For example:

user X gets a ticket in the name of HDFS account to Hadoop and HUE looks for user X, it gets OK from LDAP and user X reaches to Hadoop. But user X is may not be allowed to use HDFS or directly it is not user HDFS.

So as we do in my previous post ,when users kinits to get a Kerberos ticket , their assigned usernames must be identical to their OS account name which are usually lowercase.
Typically AD names are different from OS usernames like .. Hadoop username : UserXyt, OS username : userxyt .

So how HUE searches for user in LDAP. It is configurable via CM.

You can set the following parameters to access LDAP.

Set Authentication Backend to  desktop.auth.backend.LdapBackend
Set LDAP URL to your_existing_ldap url

And in this configuration i use "Search Bind Authentication", becasue i will use some filters and no need to add all users to Ldap. So check Use Search Bind Authentication.

And you have to set LDAP Search Base , you know when you use Active Directory discoverer programs or like that, it is important where to search for a account.

Like i said before, use a service account to query LDAP shown here.

  • Searching for a User in LDAP

HUE uses LDAP User Filter parameter when query for a user in LDAP. You can use all the values in Active Directory server like memberof, sAMAccountName or others in this field.

LDAP Username Attribute parameter is used how a user will be represented in HUE accounts with which parameter. So you may want to use userid or username when displaying for labeling user. Here sAMAccountName is suitable i think.

Recommendation :)

LDAP Group Filter can be used for grouping user and actually it is a very good practise to group people in a new ldap group like BigDataUsers and it is very clean and simple to filter people with this information. If a user not in BigDataUsers, skip it. So it can be useful for big companies when managing user accounts.

After all this settings, restart HUE service. And people can login to HUE with their existing usernames and passwords. :)

  • Audit User Logins on HUE

So far, i couldn't find any simple method in HUE :)) but ,we can query HUE access logs to identify successful logins and failed login attemps.


[BDAHOST]/var/log/hue$tail -f access.log
[04/Sep/2015 17:13:16 +0300] DEBUG    USER_IP -anon- - "POST /accounts/login/ HTTP/1.1"
[04/Sep/2015 17:13:16 +0300] DEBUG    search_s('DC=com,DC=tr', 2, '(&(sAMAccountName=%(user)s)(&(objectClass=user)....) returned 1 objects: cn=userx ....dc=com,dc=tr
[04/Sep/2015 17:13:16 +0300] DEBUG    Authentication failed for userx 
[04/Sep/2015 17:13:16 +0300] WARNING  USER_IP -anon- - "POST /accounts/login/ HTTP/1.1" -- Failed login for user "userx"
[04/Sep/2015 17:13:16 +0300] DEBUG    USER_IP -anon- - "GET /static/desktop/ext/js/jquery/jquery-2.1.1.min.e40ec2161fe7.js HTTP/1.1"
[04/Sep/2015 17:13:16 +0300] DEBUG    USER_IP -anon- - "GET /static/desktop/ext/css/fileuploader.b6d0033d0363.css HTTP/1.1"
[04/Sep/2015 17:14:16 +0300] DEBUG    USER_IP -anon- - "POST /accounts/login/ HTTP/1.1"
[04/Sep/2015 17:14:16 +0300] DEBUG    search_s('DC=com,DC=tr', 2, '(&(sAMAccountName=%(user)s(&(objectClass=user)....) returned 1 objects: cn=userx ....dc=com,dc=tr
[04/Sep/2015 17:14:16 +0300] DEBUG    Populating Django user userx 
[04/Sep/2015 17:14:16 +0300] DEBUG    Django user userx does not have a profile to populate
[04/Sep/2015 17:14:16 +0300] WARNING  USER_IP userx - "POST /accounts/login/ HTTP/1.1" -- "userx" login ok


Thanks for reading.

enjoy & share

No comments :

Post a Comment