How to fix the MultipleObjectsReturned error in Hue

When going on the Home page (/home) in Hue 3.0, this error could appear:

MultipleObjectsReturned: get() returned more than one DocumentPermission -- it returned 2! Lookup parameters were {'perms': 'read', 'doc': <Document: saved query Sample: Job loss sample>}

This is fixed in Hue 3.6 and here is a way to repair it:

1. Backup the Hue database

2. Run the cleanup script

from desktop.models import DocumentPermission, Document

for document in Document.objects.all():
    perm, created = DocumentPermission.objects.get_or_create(doc=document, perms=DocumentPermission.READ_PERM)
  except DocumentPermission.MultipleObjectsReturned, ex:
    # We can delete duplicate perms of a document
    dups = DocumentPermission.objects.filter(doc=document, perms=DocumentPermission.READ_PERM)
    perm = dups[0]
    for dup in dups[1:]:
      print 'Deleting duplicate %s' % dup

This article was originally posted 6 months ago.

Tags: sdk

How to change or reset a forgotten password?

Her are two easy ways. Go on the Hue machine, then in the Hue home directory (/usr/lib/hue by default) and either type:

To change the password of the currently logged in Unix user:

build/env/bin/hue  changepassword

If you don’t remember the admin username, create a new Hue admin (you will then also be able to login and could change the password of another user in Hue):

build/env/bin/hue  createsuperuser

This article was originally posted 6 months ago.

Tags: admin

Join the Hue Team!

Hue 1


Hue 2


Hue 3


Hue N+1

Your Turn

Do you love UI/UX and making an impact?

Join the Team!




This article was originally posted 6 months ago.

How Hue integrates Hadoop with Django

Main talk

More pizzas

Lot of mingling

A great event!

This article was originally posted 6 months ago.

Tags: sdk

Hadoop Tutorial: Schedule your Hadoop jobs intuitively with the new Oozie crontab!

Hue is taking advantage of a new way to specify the frequency of a coordinator in Oozie (OOZIE-1306). Here is how to put it in practice:

The crontab requires Oozie 4. In order to use the previous Frequency drop-down from Oozie 3, the feature can be disabled in hue.ini:


 # Use Cron format for defining the frequency of a Coordinator instead of the old frequency number/unit.


As usual feel free to comment on the hue-user list or @gethue!

This article was originally posted 6 months ago.

Tags: oozie tutorial video

Secure your YARN cluster and access the jobs information safely

Hue can authenticate with Kerberos in YARN and guarantee than someone cannot access someone else’s MapReduce information.

As usual feel free to comment on the hue-user list or @gethue!

This article was originally posted 6 months ago.

Tags: yarn Job Browser enterprise

San Francisco Developer: Get started with the Hue SDK

From San Francisco Developer Meetup

This article was originally posted 7 months ago.

Tags: sdk

How to use the new file types icons with the Hue SDK or in standalone

Hue 3.5+ ships with two font icon sets: Font Awesome 4 ( and the Hue Filetypes font that includes some basic file types you might need.

The icons are available in the Hue master or in this zip file:

When you want to use the new icons in your app, you have first to import the Hue Filetypes css in your .mako template:

<link href="/static/ext/css/hue-filetypes.css" rel="stylesheet">

and then define you icons with the same way you would do with Font Awesome.

In our case you need to write a prefix (hfo instead of fa)

<i class="hfo .."></i>

and then you can specify the icon you want. To render a JSON file icon for instance you should use

<i class="hfo hfo-file-json"></i>

You can also use the modifiers from Font Awesome, so you can create a larger rotated PDF icon like this:

<i class="hfo hfo-file-json fa-2x fa-rotate-90"></i>

Which other icons would you like to see implemented? We would also be glad to contribute them back. Please let us know or comment!

This article was originally posted 7 months ago.

Tags: sdk

Making Hadoop Accessible to your Employees with LDAP

Hue easily integrates with your corporation’s existing identity management systems and provides authentication mechanisms for SSO providers. By changing a few configuration parameters, your employees can start doing big data analysis in their browser by leveraging an existing security policy.

This blog post details the various features and capabilities available in Hue for LDAP:

  1. Authentication

  2. Search bind

  3. Direct bind

Importing users

Importing groups

Synchronizing users and groups

  1. Attributes synchronized

  2. Useradmin interface

  3. Command line interface

LDAP search

Case sensitivity

LDAPS/StartTLS support



1.    Authentication

The typical authentication scheme for Hue takes of the form of the following image:


Passwords are saved into the Hue databases.

With the Hue LDAP integration, users can use their LDAP credentials to authenticate and inherit their existing groups transparently. There is no need to save or duplicate any employee password in Hue:


There are several other ways to authenticate with Hue: PAM, SPNEGO, OpenID, OAuth, SAML2, etc. This section details how Hue can authenticate against an LDAP directory server.

When authenticating via LDAP, Hue validates login credentials against a directory service if configured with this authentication backend:


The LDAP authentication backend will automatically create users that don’t exist in Hue by default. Hue needs to import users in order to properly perform the authentication. The password is never imported when importing users. The following configuration can be used to disable automatic import:


The purpose of disabling the automatic import is to only allow to login a predefined list of manually imported users.

The case sensitivity of the authentication process is defined in the “Case sensitivity” section below.

There are two different ways to authenticate with a directory service through Hue:

  1. Search bind

  2. Direct bind

1.1.    Search bind

The search bind mechanism for authenticating will perform an ldapsearch against the directory service and bind using the found distinguished name (DN) and password provided. This is, by default, used when authenticating with LDAP. The configurations that affect this mechanism are outlined in “LDAP search”.

1.2.    Direct bind

The direct bind mechanism for authenticating will bind to the ldap server

using the username and password provided at login. There are two options that can be used to choose how Hue binds:

  1. nt_domain - Domain component for User Principal Names (UPN) in active directory. This active directory specific idiom allows Hue to authenticate with active directory without having to follow LDAP references to other partitions. This typically maps to the email address of the user or the users ID in conjunction with the domain.

  2. ldap_username_pattern - Provides a template for the DN that will ultimately be sent to the directory service when authenticating.

If ‘nt_domain’ is provided, then Hue will use a UPN to bind to the LDAP service:


Otherwise, the ‘ldap_username_pattern’ configuration is used (the <username> parameter will be replaced with the username provided at login):


Typical attributes to search for include:

  1. uid

  2. sAMAccountName

To enable direct bind authentication, the ‘search_bind_authentication’ configuration must be set to false:


2.    Importing users

If an LDAP user needs to be part of a certain group and have a particular set of permissions, then this user can be imported via the Useradmin interface:image

As you can see, there are two options available when importing:

  1. Distinguished name

  2. Create home directory

If ‘Create home directory’ is checked, when the user is imported their home directory in HDFS will automatically be created, if it doesn’t already exist.

If ‘Distinguished name’ is checked, then the username provided must be a full distinguished name (eg: uid=hue,ou=People,dc=gethue,dc=com). Otherwise, the Username provided should be a fragment of a Relative Distinguished Name (rDN) (e.g., the username “hue” maps to the rDN “uid=hue”). Hue will perform an LDAP search using the same methods and configurations as defined in the “LDAP search” section. Essentially, Hue will take the provided username and create a search filter using the ‘user_filter’ and ‘user_name_attr’ configurations. For more information on how Hue performs LDAP searches, see the “LDAP Search” section.

The case sensitivity of the search and import processes are defined in the “Case sensitivity” section.

3.    Importing groups

Groups are importable via the Useradmin interface. Then, users can be added to this group, which would provide a set of permissions (e.g. accessing the Impala application). This function works almost the exact same way as user importing, but has a couple of extra features.


As the above image portrays, not only can groups be discovered via DN and rDN search, but users that are members of the group and members of the group’s subordinate groups can be imported as well. Posix groups and members are automatically imported if the group found has the object class ”posixGroup”.

4.    Synchronizing users and groups

Users and groups can be synchronized with the directory service via the Useradmin interface or via a command line utility. The images from the previous sections use the words “Sync” to indicate that when a name of a user or group that exists in Hue is being added, it will in fact be synchronized instead. In the case of importing users for a particular group, new users will be imported and existing users will be synchronized. Note: Users that have been deleted from the directory service will not be deleted from Hue. Those users can be manually deactivated from Hue via the Useradmin interface.

4.1.    Attributes synchronized

Currently, only the first name, last name, and email address are synchronized. Hue looks for the LDAP attributes ‘givenName’, ‘sn’, and ‘mail’ when synchronizing.  Also, the ‘user_name_attr’ config is used to appropriately choose the username in Hue. For instance, if ‘user_name_attr’ is set to “uid”, then the “uid” returned by the directory service will be used as the username of the user in Hue.

4.2.    Useradmin interface

The “Sync LDAP users/groups” button in the Useradmin interface will  automatically synchronize all users and groups.image

4.3.    Command line interface

Here’s a quick example of how to use the command line interface to synchronize users and groups:

<hue root>/build/env/bin/hue sync_ldap_users_and_groups

5.    LDAP search

There are two configurations for restricting the search process:

  1. user_filter - General LDAP filter to restrict the search.

  2. user_name_attr - Which attribute will be considered the username to search against.

Here is an example configuration:


With the above configuration, the LDAP search filter will take on the form:

(&(objectClass=*)(uid=<user entered usename>))

6.    Case sensitivity

Hue can be configured to ignore the case of usernames as well as force usernames to lower case via the ‘ignore_username_case’ and ‘force_username_lowercase’ configurations. These two configurations are recommended to be used in conjunction with each other. This is useful when integrating with a directory service containing usernames in capital letters and unix usernames in lowercase letters (which is a Hadoop requirement). Here is an example of configuring them:



7.    LDAPS/StartTLS support

Secure communication with LDAP is provided via the SSL/TLS and StartTLS protocols. It allows Hue to validate the directory service it’s going to converse with. Practically speaking, if a Certificate Authority Certificate file is provided, Hue will communicate via LDAPS:


The StartTLS protocol can be used as well (step up to SSL/TLS):


8.    Notes

  1. Setting “search_bind_authentication=true” in the hue.ini will tell Hue to perform an LDAP search using the bind credentials specified in the hue.ini (bind_dn, bind_password). Hue will then search using the base DN specified in “base_dn” for an entry with the attribute, defined in “user_name_attr”, with the value of the short name provided in the login page. The search filter, defined in “user_filter” will also be used to limit the search. Hue will search the entire subtree starting from the base DN.
  2. Setting  ”search_bind_authentication=false” in the hue.ini will tell Hue to perform a direct bind to LDAP using the credentials provided (not bind_dn and bind_password specified in the hue.ini). There are two effective modes here:
    1. nt_domain is specified in the hue.ini: This is used to connect to an Active Directory directory service. In this case, the UPN (User Principal Name) is used to perform a direct bind. Hue forms the UPN by concatenating the short name provided at login and the nt_domain like so: “<short name>@<nt_domain>”. The ‘ldap_username_pattern’ config is completely ignore.
    2. nt_domain is NOT specified in the hue.ini: This is used to connect to all other directory services (can even handle Active Directory, but nt_domain is the preferred way for AD). In this case, ‘ldap_username_pattern’ is used and it should take on the form “cn=<username>,dc=example,dc=com” where <username> will be replaced with whatever is provided at the login page.
  3. The UserAdmin app will always perform an LDAP search when manage LDAP entries and will then always use the “bind_dn”, “bind_password”, “base_dn”, etc. as defined in the hue.ini.
  4. At this point in time, there is no other bind semantics supported other than SIMPLE_AUTH. For instance, we do not yet support MD5-DIGEST, NEGOTIATE, etc. Though, we definitely want to hear from folks what they use so we can prioritize these things accordingly!

9.    Summary

The Hue team is working hard on improving security. Upcoming LDAP features include: Import nested LDAP groups and multidomain support for Active Directory. We hope this brief overview of LDAP in Hue will help you make your system more secure, more compliant with current security standards, and open up big data analysis to many more users!

As always, feel free to contact us at hue-user@ or @gethue!

This article was originally posted 7 months ago.

Tags: enterprise ldap

comments powered by Disqus

Blog Archive

Browse archive

Blog Tags