This article details how to store passwords in a script launched from the OS rather than have clear text passwords in the hue*.ini files.
Some passwords are set in the Hue ini configuration file, which makes them easily visible to the Hue admin user or to users of cluster management software. You can use the password_script feature to prevent passwords from being visible.
Prior to 3.8, Hue only supported clear text passwords in all the Hue configuration files. In 3.8, Hue added functionality that pulls the password by running a shell script and using the stdout from the shell script to get the password.
Instructions
Starting in 3.8, you can provide a password script in the hue.ini that outputs a password to stdout; Hue uses this password on startup instead of a clear text password in the hue.ini.
Any parameter that defines a password in the hue.ini can be replaced with the same parameter name with _script appended, set to a value that points to a shell script.
On startup, Hue runs the script and reads the password from its stdout. This is an example configuration:
    [desktop]
    ldap_username=hueservice
    ldap_password_script="/var/lib/hue/hue_passwords.sh ldap_password"
    ssl_password_script="/var/lib/hue/hue_passwords.sh ssl_password"

      [[ldap]]
      bind_password_script="/var/lib/hue/hue_passwords.sh bind_password"

      [[database]]
      password_script="/var/lib/hue/hue_passwords.sh database"
The script should go in a location where it can be read and executed by only the hue user. You can have a script per password or a single script that takes parameters. Here is an example single script that takes parameters that matches the above config:
    #!/bin/bash
    # Print the password for the name passed as the first argument.
    SERVICE=$1

    if [[ ${SERVICE} == "ldap_password" ]]
    then
      echo "password"
    fi

    if [[ ${SERVICE} == "ssl_password" ]]
    then
      echo "password"
    fi

    if [[ ${SERVICE} == "bind_password" ]]
    then
      echo "Password1"
    fi

    # The configuration above passes "database" for the [[database]] password.
    if [[ ${SERVICE} == "database" ]]
    then
      echo "password"
    fi
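The requirement above, that the script be readable and executable only by the hue user, can be checked on a host with the following added example (not part of the original article or of Hue). It collects the script paths from the *_script entries of a hue.ini and reports any that are missing, owned by someone else, or not mode 500/700. The function name audit_hue_scripts is hypothetical, and it assumes stat -c is available (GNU coreutils or BusyBox) and that script paths contain no spaces.

```sh
#!/bin/sh
# Added example: audit the password scripts referenced by a hue.ini.
# Usage: audit_hue_scripts <hue.ini> <expected-owner>
# Prints one finding per line; returns 0 when there are none, 1 otherwise.
audit_hue_scripts() (
    ini=$1
    owner=$2
    findings=$(
        # Keep only "<name>_script=<command>" lines (commented lines do not
        # match), then strip the key, the optional quote and the arguments.
        sed -n 's/^[[:space:]]*[A-Za-z_]*_script[[:space:]]*=[[:space:]]*"\{0,1\}\([^" ]*\).*/\1/p' "$ini" |
        sort -u |
        while read -r path; do
            if [ ! -f "$path" ]; then
                echo "$path: missing"
                continue
            fi
            # %U = owner name, %a = octal mode, e.g. "hue 700"
            set -- $(stat -c '%U %a' "$path")
            [ "$1" = "$owner" ] || echo "$path: owned by $1, expected $owner"
            # Owner needs read and execute; group and other must have nothing.
            case $2 in
                500|700) ;;
                *) echo "$path: mode $2, expected 500 or 700" ;;
            esac
        done
    )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
)
```

Run it as root, for example `audit_hue_scripts /etc/hue/conf/hue.ini hue` (the ini path here is an assumption), so that stat can read scripts the calling user has no access to.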