In a previous post I covered a fix to a Microsoft provided custom script action to support installing Hue on HDInsight 3.5 clusters – I am happy to report that Microsoft have since updated the script. However, the script defaults to using the django backend for user authentication – which isn’t terribly useful, unless you want to have to maintain a separate set of accounts to your operating system. In a future post I will cover configuring Hue to use LDAP authentication but here I will be discussing PAM.
User Accounts
First off if you wish to use PAM to authenticate users, you will need to ensure you have created user accounts across the nodes in the cluster. This is where you’re better off using LDAP – or at least you would be if domain joined clusters were not in preview and currently only supported with “Hadoop” cluster types. That’s another point, Microsoft provides a number of different types of clusters but for some reason decided to label the one that only provides Hive, a Hadoop cluster.
Configuring Hue
Next you will need to edit the hue.ini configuration file under /usr/share/hue/desktop/conf/hue.ini
Under the [[auth]] section add the following line:
backend=desktop.auth.backend.PamBackend
This enables PAM authentication. In case you’ve used Hue before and are wondering the script action installs Hue 3.8.1, which only supports one authentication backend – so we can’t configure more. Note that if you’ve already logged into the Hue web interface and created you’re admin account – you will no longer be able to use it after this (there is a way to make a new user the admin via the command line which I will cover in another post).
Next you need to tell Hue which service to use when querying PAM:
pam_service=sudo sshd login
Here we configure multiple options
Following this you will have to restart Hue:
systemctl restart hue
PAM Error
The only problem is you still will be unable to login with an operating system user. After attempting to login if you run:
systemctl status hue
You will see an error message similar to the following:
pam_winbind(login:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
I was confused by this and couldn’t figure out what the problem was until I came across this post on stackexchange: https://unix.stackexchange.com/questions/66392/how-to-authenticate-a-user-with-pam-that-is-not-the-user-that-started-the-appli
Which indicated that this is because Hue runs as a normal user that does not have permission to access authentication data.
So how do we fix this? Well sadly I haven’t found a more secure way but to get around this you will need to run Hue as root by modify the systemd init file /etc/systemd/system/multi-user.target.wants/hue.service
Change User=hue to root.
Obviously it is less than ideal to run a web application as root as it means a vulnerability in the web application can be used to compromise the entire system. This is why you’re better off using LDAP.