Recent Security Enhancements

Hue has seen a slew of security improvements recently (starting with Hue 3.5). The most important ones enable encryption when communicating with other services:

  1. Secure database connection (HUE-1638)

  2. HiveServer2 over SSL (HUE-1749)


In addition, several other security options have been added:

  1. Session timeout is now configurable (HUE-1528)

  2. Cookies can be secure (HUE-1529)

  3. HttpOnly flag on the session cookie, if supported (HUE-1639)

  4. Allowed HTTP methods can be defined in the hue.ini

  5. Cipher list can be restricted when using SSL


Secure Database Connection

Connections vary depending on the database. Hue uses a different client library to communicate with each database internally. They all implement a common interface, the Python DBAPI version 2 interface. Client-specific options, such as secure connectivity, can be passed through that interface as the options value in the hue.ini. For example (MySQL):

[desktop]
  [[databases]]
   …
   options={"ssl":{"ca":"/tmp/ca-cert.pem"}}

HiveServer2 over SSL

By providing a CA certificate, private key, and public certificate, Hue can communicate with HiveServer2 over SSL. This is configurable in the hue.ini. For example:

[beeswax]
  [[ssl]]
  enabled=true
  cacerts=/etc/hue/cacerts.pem
  key=/etc/hue/key.pem
  cert=/etc/hue/publiccert.pem

HiveServer2 over Kerberos with LDAP authentication

HiveServer2 supports LDAP authentication for clients connecting over a secured Thrift connection. This means Hue can provide an LDAP password that HiveServer2 uses to authenticate Hue. The username defaults to ‘hue’ or to the username of Hue's Kerberos ticket. This is configurable in the hue.ini. For example:

[desktop]
  ldap_password=MY_HUE_USER_LDAP_PASSWORD

Session Timeout

The session timeout can be set in the hue.ini at desktop->session->ttl. Example:

[desktop]
  [[session]]
  ttl=3600

Secure Cookies

Secure session cookies can be enabled in the hue.ini at desktop->session->secure. Example:

[desktop]
  [[session]]
  secure=true

The HttpOnly flag can be set via the hue.ini at desktop->session->http_only. Example:

[desktop]
  [[session]]
  http_only=true
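The three session settings above only matter if the cookie the browser actually receives carries them. The following is an added example, not code from the Hue project: it parses an observed Set-Cookie header and reports when the Secure or HttpOnly flag is missing or when Max-Age is longer than the configured ttl. The cookie name sessionid is an assumption (Django's default), and the sample headers are constructed, not captured from a real deployment.

```python
# Added example (not from the Hue project): verify, from an observed Set-Cookie header,
# that the session cookie carries the flags the hue.ini settings are meant to produce.

def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes with no value (Secure, HttpOnly)
    map to True. Hand-rolled so the behaviour is explicit and needs no library.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def check_session_cookie(header_value, expected_ttl, cookie_name="sessionid"):
    """Return a list of findings; an empty list means the cookie matches the intended settings.

    expected_ttl is the desktop->session->ttl value in seconds. The cookie name is an
    assumption (Django's default); adjust it if the deployment renames the cookie.
    """
    name, _value, attrs = parse_set_cookie(header_value)
    findings = []
    if name != cookie_name:
        return [f"header is for cookie {name!r}, not the session cookie {cookie_name!r}"]
    if attrs.get("secure") is not True:
        findings.append("missing Secure flag: cookie would be sent over plain HTTP (desktop->session->secure)")
    if attrs.get("httponly") is not True:
        findings.append("missing HttpOnly flag: cookie is readable from page scripts (desktop->session->http_only)")
    max_age = attrs.get("max-age")
    if max_age is None or max_age is True:
        findings.append("no Max-Age attribute: cannot confirm the ttl from this header")
    elif int(max_age) > expected_ttl:
        findings.append(f"Max-Age={max_age} exceeds the configured ttl of {expected_ttl}s")
    return findings


# Constructed sample headers (not captured from a real deployment).
GOOD_SET_COOKIE = "sessionid=c0ns7ruc7ed; Max-Age=3600; Path=/; Secure; HttpOnly"
WEAK_SET_COOKIE = "sessionid=c0ns7ruc7ed; Max-Age=1209600; Path=/"

if __name__ == "__main__":
    for label, header in (("good", GOOD_SET_COOKIE), ("weak", WEAK_SET_COOKIE)):
        print(label, check_session_cookie(header, expected_ttl=3600) or ["ok"])
```

Run it against the Set-Cookie header returned by the login response of your own Hue instance; the weak sample produces three findings, the good one none.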

Allowed HTTP Methods

The HTTP request methods the server responds to can be controlled via desktop->http_allowed_methods in the hue.ini. For example:

[desktop]
http_allowed_methods=options,get,head,post,put,delete,connect

Restricting the Cipher List

The ciphers accepted for HTTPS can be restricted via desktop->ssl_cipher_list in the hue.ini. The value uses the OpenSSL cipher list format. For example:

[desktop]
ssl_cipher_list=DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2
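All of the settings in this post live in the same nested hue.ini layout, so one check can cover them together. The following is an added example, not Hue project code: a minimal parser for the [section] / [[subsection]] / key=value layout, followed by an audit that flags a missing or long session ttl, cookies without secure or http_only, HTTP methods outside a baseline, a cipher list that does not exclude anonymous, null, low or export ciphers, a database options value without an ssl.ca, and a HiveServer2 SSL block that is disabled or incomplete. The thresholds and the method baseline are this example's assumptions, not Hue defaults; the setting names are the ones from this post, and the sample configurations are constructed from its snippets.

```python
import json
import re

# Added example (not Hue project code): parse the hue.ini layout used in this post and
# flag the security settings it covers when they are missing or weak.
def parse_hue_ini(text):
    """Minimal parser for hue.ini's nested [a] / [[b]] / [[[c]]] sections and key=value lines.
    Returns nested dicts of strings. Not full configobj (no quoting, no continuation lines)."""
    root, stack = {}, []            # stack[i] is the open section at depth i + 1
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^(\[+)([^\[\]]+)(\]+)$", line)
        if header:
            depth = len(header.group(1))
            if depth != len(header.group(3)) or depth > len(stack) + 1:
                raise ValueError(f"bad section header: {raw!r}")
            del stack[depth - 1:]        # climb back to the parent level
            parent = stack[-1] if stack else root
            stack.append(parent.setdefault(header.group(2).strip(), {}))
            continue
        key, sep, value = line.partition("=")
        if not sep or not stack:
            raise ValueError(f"key outside a section or without '=': {raw!r}")
        stack[-1][key.strip()] = value.strip()
    return root

def as_bool(value):
    return str(value).strip().lower() in ("true", "1", "yes", "on")

def audit_hue_security(cfg, max_ttl=3600, method_baseline=("options", "get", "head", "post", "put", "delete"),
                       required_exclusions=("aNULL", "eNULL", "LOW", "EXPORT")):
    """Return a list of findings; empty means every checked setting meets the thresholds.
    Thresholds and the method baseline are this example's assumptions, not Hue defaults."""
    findings = []
    desktop = cfg.get("desktop", {})
    session = desktop.get("session", {})
    ttl = session.get("ttl")
    if ttl is None:
        findings.append("desktop.session.ttl not set")
    elif int(ttl) > max_ttl:
        findings.append(f"desktop.session.ttl={ttl} exceeds {max_ttl}s")
    if not as_bool(session.get("secure", "false")):
        findings.append("desktop.session.secure is not true: cookie may travel over plain HTTP")
    if not as_bool(session.get("http_only", "false")):
        findings.append("desktop.session.http_only is not true: cookie readable by page scripts")
    methods = [m.strip().lower() for m in desktop.get("http_allowed_methods", "").split(",") if m.strip()]
    for method in methods:
        if method not in method_baseline:
            findings.append(f"http_allowed_methods allows {method}, outside the baseline {','.join(method_baseline)}")
    ciphers = desktop.get("ssl_cipher_list")
    if ciphers is None:
        findings.append("desktop.ssl_cipher_list not set: the server's default cipher list applies")
    else:
        excluded = {tok[1:] for tok in ciphers.split(":") if tok.startswith("!")}
        findings += [f"ssl_cipher_list does not exclude {n}" for n in required_exclusions if n not in excluded]
    try:
        db_opts = json.loads(desktop.get("databases", {}).get("options", "{}"))
    except ValueError:
        db_opts = {}
        findings.append("databases.options is not valid JSON")
    ssl_opts = db_opts.get("ssl", {}) if isinstance(db_opts, dict) else {}
    if not ssl_opts.get("ca"):
        findings.append("databases.options sets no ssl.ca: database link not configured for verified TLS")
    hs2 = cfg.get("beeswax", {}).get("ssl", {})
    if not as_bool(hs2.get("enabled", "false")):
        findings.append("beeswax.ssl.enabled is not true: HiveServer2 traffic is not encrypted")
    else:
        if not hs2.get("cacerts"):
            findings.append("beeswax.ssl.cacerts unset: HiveServer2 certificate cannot be verified")
        if bool(hs2.get("key")) != bool(hs2.get("cert")):
            findings.append("beeswax.ssl key and cert must be set together")
    return findings

# Constructed sample built from the snippets in this post (paths are the post's examples).
SAMPLE_HUE_INI = """
[desktop]
  http_allowed_methods=options,get,head,post,put,delete,connect
  ssl_cipher_list=DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2
  [[databases]]
    options={"ssl":{"ca":"/tmp/ca-cert.pem"}}
  [[session]]
    ttl=3600
    secure=true
    http_only=true
[beeswax]
  [[ssl]]
    enabled=true
    cacerts=/etc/hue/cacerts.pem
    key=/etc/hue/key.pem
    cert=/etc/hue/publiccert.pem
"""
WEAK_HUE_INI = "[desktop]\n  [[session]]\n    ttl=1209600\n"   # constructed: only a long ttl is set

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_HUE_INI), ("weak", WEAK_HUE_INI)):
        print(name, audit_hue_security(parse_hue_ini(text)) or ["no findings"])
```

On the sample assembled from this post the only finding is that http_allowed_methods includes connect, which a browser-facing web application does not normally need; the weak sample produces six findings. The baseline tuple is the place to encode what your deployment actually requires.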

URL redirect whitelist

Restricts the domains or pages to which Hue can redirect users. Example:

[desktop]
redirect_whitelist=^http:\/\/www.mydomain.com\/.*$
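Hue is a Python application, so each comma-separated entry of redirect_whitelist is a Python regular expression. The following is an added example, not Hue project code: it applies a whitelist value the way such a list is matched and contrasts the pattern shown above with a tighter one. The tighter pattern, the second relative-path pattern, and the sample URLs (including the evil.example hosts) are this example's own constructions. The point it shows is that an unescaped dot matches any character, so www.mydomain.com in the pattern also accepts hosts that merely resemble it, and that a relative-path pattern must refuse protocol-relative "//host" targets.

```python
import re

# Added example (not Hue project code): how a comma-separated redirect_whitelist of
# regular expressions is applied, and why the pattern's dots should be escaped.

def compile_whitelist(value):
    """hue.ini style value: comma-separated regular expressions, each anchored with ^...$."""
    return [re.compile(p) for p in value.split(",") if p.strip()]


def is_allowed_redirect(url, patterns):
    """A redirect target is allowed only if at least one whitelist pattern matches it."""
    return any(p.match(url) for p in patterns)


# The pattern exactly as shown in the hue.ini example above (Python's re reads \/ as /).
WHITELIST_AS_SHOWN = r"^http:\/\/www.mydomain.com\/.*$"

# Tighter alternative (this example's suggestion, not a Hue default): escaped dots, https too,
# and a second pattern for same-site relative paths that refuses protocol-relative "//host" URLs.
WHITELIST_TIGHT = r"^https?:\/\/www\.mydomain\.com\/.*$,^\/(?!\/).*$"

# Constructed redirect targets.
CASES = [
    "http://www.mydomain.com/home",           # the intended target
    "http://wwwXmydomainYcom/home",           # unescaped '.' in the pattern matches X and Y
    "http://www.mydomain.com.evil.example/",  # host that merely starts with the expected name
    "//evil.example/",                        # protocol-relative: the browser treats it as external
    "/hue/home",                              # same-site relative path
]

if __name__ == "__main__":
    shown, tight = compile_whitelist(WHITELIST_AS_SHOWN), compile_whitelist(WHITELIST_TIGHT)
    for url in CASES:
        print(f"{url:42} as shown: {is_allowed_redirect(url, shown)!s:5}  tight: {is_allowed_redirect(url, tight)}")
```

Whatever pattern you settle on, run your own list through a table like CASES before deploying it: the whitelist is only as strict as the regular expressions in it.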

The Hue team is working hard on improving security. We hope these recent improvements make your system more secure and more compliant with security standards. As always, feel free to contact us at hue-user or @gethue.


This article was originally posted 8 months ago.

Tags: enterprise

