hue

User Management Using Hue Shell (CDH)

Post Comments (0)

In this short post I will focus on user management aspects of Hue. Something that every administrator needs to tackle.

Intro

When it comes to production setups Hue provides ways to integrate existing user base (e.g LDAP) with the service itself. That pretty much solves the problem for production. The situation looks a bit different in a testing or teaching environments for which you could require more user accounts and no backend is available. The simplest way would be to create them manually, but that takes time, becomes tedious, and I’ve been there. Clicking for half an hour just to create some users is not productive at all. There must be other way!

LDAP

But let’s start with few words about LDAP integration. Cloudera provides detailed instructions on how to configure Hue in order to integrate it with existing user base. When you set up this correctly you’re almost done. The last thing you need to know about this integration is that every time you want to sync LDAP with Hue database you need to invoke the sync operation manually. You can do it from Hue web interface. Better solution is to have a script which can be run each time you onboard new users or groups for Hue. There are couple of Hue shell commands which help you achieve this goal. You need to invoke them from Hue directory.

Here are exemplary situations you may find yourself in:

If you want to add a user who is part of LDAP group which you previously added to Hue, you would run:

Then you may want to add a new LDAP group to Hue database:

Third situation is when you need to sync LDAP and Hue when you already have users and groups in Hue database but you have changed something in LDAP (e.g you have removed couple of users from developer group and you want Hue to be aware of that change):

Without LDAP

Now, let’s take a look at our problematic scenario. Hue shell provides the ability to run commands from a script. That’s something we can work with! If you use external Hue database for your testing purposes you’re set to go. You know the database username/password and you can access Hue shell without issue. The problem occurs when you use internal database (as in most testing setups). Then you need a way to get to the Hue database password (in modern versions of Hue the internal db password is encrypted and is not easily available from a config file as it used to be.

Let’s get this password using Cloudera Manager API. Here’s a little script to help with that. You need cm_api libraries for python.

You can easily write the password to a file

Just provide ‘api’ object with values of the Cloudera Manager host address, the username (needs to be administrator, otherwise you won’t be able to get the password) as well as the password.

With Hue database password we can proceed to Hue shell to do our job. For this we will use a shell script:

With this script we can easily create user in HUE without going into web interface. Just use this script with a list of users and you saved yourself some dull clicking.

Bonus. Hue user groups and permissions overview.

We talked a bit about adding users or groups to Hue, but there is one more important thing we should take care of – permissions. The most obvious way to manage permissions is to use web UI. Too obvious 🙂 Let’s take a look on how we can utilize shell to do this.

This code will list all the available permissions that we can assign to a group. Something like:

As you can see the permission consists of three parts. Application name (e.g ‘about), action (e.g ‘access’) and description (e.g Launch this application). Using this information we can add permission to a group. To make things more interesting we will create a new group. Then we will add ‘access’ action to that group.

And that’s it! With this simple steps you can create a group and edit its permissions. The method to add user to groups is mentioned in the user creation script. Mainly the part:

Summary

As you can see Hue shell provides a nice way to help you manage the users when there is no possibility to use anything like LDAP. The big disadvantage is that there is little to none documentation and pretty much all things you read here had been gathered from scarce information available online (other people experiences) or discovered by trial and error method. Hopefully this post will save you some precious time.

Disclaimer
The code presented in this post was tested with Hue 3.10 and cm_api API version 13 (CM 5.8.0)

Tweet about this on TwitterShare on LinkedIn22Share on Facebook0Share on Google+0Pin on Pinterest0Email this to someone

Latest posts by Piotr Bednarek (see all)

» Post » User Management Using Hue Shell...
On October 24, 2016
By
, , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

Blue Captcha Image
Refresh

*

« »