How to programmatically set permissions to a group?

[oskotsky]

After upgrading to Hue 4.7 we have to (1) create a group, (2) explicitly assign a non-admin user to a group, and (3) set group permissions (was not the case with Hue 4.4). Some of this can be done programmatically:

1. assign a user to the Linux group
2. use useradmin_sync_with_unix to create hue user with the correct group assigned

However, I can't find a way to do (3): programmatically set permissions to a group. What is a programmatic way to do this? This can be done over GUI but we are running Hue on the cloud (fluid cluster) and everything has to be automated. Please advise.

[romainr]

This one is not the simplest as not with a clean public API, but as you said the UI is using the private API to offer this.

They are two ways: https://docs.gethue.com/developer/api/

By re-engineering of the POST calls (load/save groups) via the Chrome console or building a small Python code/command that calls the views() https://github.com/cloudera/hue/blob/master/apps/useradmin/src/useradmin/views.py#L519 (which contains the logic, it is not in a dedicated lib unfortunately).

Feel free to ask for more clarifying questions, and this is something that we will be happy to help document/push upstream afterwards.

[oskotsky]

Hi Romain,
Sounds good. I can embed your example into my code. Unfortunately, I am totally newbie with web development and will need your help with the last call. Would you please show me an example of a restful command (PUT) setting desired permissions to a group of my choice? For example, a group called "spark-user" should get permissions "spark" and "jobbrowser"? So this group will be able to run spark-sql snippet in Hue?

Thank you in advance.

[oskotsky]

#!/bin/env bash

set -eu

host="localhost"
port="8888"
credentials="/home/hadoop/hue-config/hue_access_admin.txt"
user="admin"
protocol="http"

password=$(cat /home/hadoop/hue-config/hue_access_admin.txt | sed -n 's/admin:(.*)/\1/p')

curl ${protocol}://${host}:${port}/hue/accounts/login/?fromModal=true -o /dev/null -D - -c cookies.txt -s
x_csrftoken=$(grep csrftoken cookies.txt | cut -f 7)

curl -i -X POST ${protocol}://${host}:${port}/hue/accounts/login/?fromModal=true -d "username=${user}&password=${password}" -o /dev/null -D - -c cookies.txt -b cookies.txt -H "X-CSRFToken: ${x_csrftoken}" -s
x_csrftoken=$(grep csrftoken cookies.txt | cut -f 7)

curl -X POST ${protocol}://${host}:${port}/useradmin/groups/edit/spark02-user -d "csrfmiddlewaretoken=${x_csrftoken}&name=spark02-user&permissions=1&permissions=2&is_embeddable=true", -b cookies.txt -H "X-CSRFToken: ${x_csrftoken}"

[romainr]

👍

We could add it to https://docs.gethue.com/administrator/administration/user-management/ as example?

[oskotsky]

If you think it would be useful for people - please do.
Here is an updated version - more generalized, and adding users to a group included.

#!/bin/env bash

set -eu

host="localhost"
port="8888"
credentials="/home/hadoop/hue-config/hue_access_admin.txt" # password file
user="admin"
protocol="http"
group_name="spark02-user"
permissions_id1="10" # jobbrowser.access
permissions_id2="18" # spark.access
list_of_users="members=10&members=9&members=4" # number here is an order number for a user in the list of users

password=$(cat /home/hadoop/hue-config/hue_access_admin.txt | sed -n 's/admin:(.*)/\1/p')

curl ${protocol}://${host}:${port}/hue/accounts/login/?fromModal=true -o /dev/null -D - -c cookies.txt -s
x_csrftoken=$(grep csrftoken cookies.txt | cut -f 7)

curl -i -X POST ${protocol}://${host}:${port}/hue/accounts/login/?fromModal=true -d "username=${user}&password=${password}" -o /dev/null -D - -c cookies.txt -b cookies.txt -H "X-CSRFToken: ${x_csrftoken}" -s
x_csrftoken=$(grep csrftoken cookies.txt | cut -f 7)

curl -X POST ${protocol}://${host}:${port}/useradmin/groups/edit/${group_name}
-d "csrfmiddlewaretoken=${x_csrftoken}&name=${group_name}&permissions=${permissions_id1}&permissions=${permissions_id2}&${list_of_users}&is_embeddable=true",
-b cookies.txt -H "X-CSRFToken: ${x_csrftoken}"

[romainr]

Thanks @oskotsky !

Added to the docs via #1539