The User Admin application lets a superuser add, delete, and manage Hue users and groups, and configure group permissions. Superusers can add users and groups individually, or import them from an LDAP directory. Group permissions define the Hue applications visible to group members when they log into Hue and the application features available to them.
Click the Hue Administration icon in the top right navigation bar under your username.
LDAP or PAM pass-through authentication with Hive or Impala and Impersonation .
The User Admin application provides two levels of user privileges: superusers and users.
Superusers — The first user who logs into Hue after its initial installation becomes the first superuser. Superusers have permissions to perform administrative functions:
Users can change their name, e-mail address, and password and log in to Hue and run Hue applications, subject to the permissions provided by the Hue groups to which they belong.
| Username | A user name that contains only letters, numbers, and underscores; blank spaces are not allowed and the name cannot begin with a number. The user name is used to log into Hue and in file permissions and job submissions. This is a required field. |
| Password and Password confirmation | A password for the user. This is a required field. |
| Create home directory | Indicate whether to create a directory named /user/username in HDFS. For non-superusers, the user and group of the directory are username. For superusers, the user and group are username and supergroup. |
| First name and Last name | The user's first and last name. |
| E-mail address | The user's e-mail address. The e-mail address is used by the Job Designer and Beeswax applications to send users an e-mail message after certain actions have occurred. The Job Designer sends an e-mail message after a job has completed. Beeswax sends a message after a query has completed. If an e-mail address is not specified, the application will not attempt to email the user. |
| Groups | The groups to which the user belongs. By default, a user is assigned to the **default** group, which allows access to all applications. See [Permissions](#permissions). |
| Active | Indicate that the user is enabled and allowed to log in. Default: checked. |
| Superuser status | Assign superuser privileges to the user. |
Note:
Importing users from an LDAP directory does not import any password information. You must add passwords manually in order for a user to log in.
To add a user from an external LDAP directory:
| Username | The user name. |
| Distinguished name | Indicate that Hue should use a full distinguished name for the user. This imports the user's first and last name, username, and email, but does not store the user password. |
| Create home directory | Indicate that Hue should create a home directory for the user in HDFS. |
Click Add/sync user.
If the user already exists in the User Admin, the user information in User Admin is synced with what is currently in the LDAP directory.
You can sync the Hue user database with the current state of the LDAP directory using the Sync LDAP users/groups function. This updates the user and group information for the already imported users and groups. It does not import any new users or groups.
Programmatically
When a Hue administrator loses their password, a more programmatic approach is required to secure the administrator again. Hue comes with a wrapper around the python interpreter called the “shell” command. It loads all the libraries required to work with Hue at a programmatic level. To start the Hue shell, type the following command from the Hue installation root.
Then:
cd /usr/lib/hue (or /opt/cloudera/parcels/CDH-XXXXX/share/hue if using parcels and CM)
build/env/bin/hue shell
The following is a small script, that can be executed within the Hue shell, to change the password for a user named “example”:
from django.contrib.auth.models import User
user = User.objects.get(username='example')
user.set_password('some password')
user.save()
The script can also be invoked in the shell by using input redirection (assuming the script is in a file named script.py):
build/env/bin/hue shell < script.py
How to make a certain user a Hue admin
build/env/bin/hue shell
Then set these properties to true:
from django.contrib.auth.models import User
a = User.objects.get(username='hdfs')
a.is_staff = True
a.is_superuser = True
a.set_password('my_secret')
a.save()
** Via a command**
Go on the Hue machine, then in the Hue home directory and either type:
To change the password of the currently logged in Unix user:
build/env/bin/hue changepassword
If you don’t remember the admin username, create a new Hue admin (you will then also be able to login and could change the password of another user in Hue):
build/env/bin/hue createsuperuser
Superusers can add and delete groups, configure group permissions, and assign users to group memberships.
You can add groups, and delete the groups you’ve added. You can also import groups from an LDAP directory.
| Name | The name of the group. Group names can only be letters, numbers, and underscores; blank spaces are not allowed. |
| Members | The users in the group. Check user names or check Select all. |
| Permissions | The applications the users in the group can access. Check application names or check Select all. |
[desktop]
[[ldap]]
login_groups=ldap_grp1,ldap_grp2,ldap_grp3
| Name | The name of the group. |
| Distinguished name | Indicate that Hue should use a full distinguished name for the group. |
| Import new members | Indicate that Hue should import the members of the group. |
| Import new members from all subgroups | Indicate that Hue should import the members of the subgroups. |
| Create home directories | Indicate that Hue should create home directories in HDFS for the imported members. |
Permissions for Hue applications are granted to groups, with users gaining permissions based on their group membership. Group permissions define the Hue applications visible to group members when they log into Hue and the application features available to them.