hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andy Isaacson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-3801) Provide a way to disable browsing of files from the web UI
Date Mon, 03 Dec 2012 21:07:58 GMT

    [ https://issues.apache.org/jira/browse/HDFS-3801?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13509045#comment-13509045
] 

Andy Isaacson commented on HDFS-3801:
-------------------------------------

Harsh,

What is the use case for this config option?  How would a cluster be configured so that this
feature would be useful?

On a quick read, it appears to me that this disables the simple http browsing feature, but
it doesn't appear that it actually prevents a simple HTTP client from retrieving the files.

If a cluster does not have Kerberos turned on, then any program that can connect to the HTTP
port of DN+NN can retrieve files from HDFS.  If this config option completely removes that
capability, then I could see it being useful.  If this config option merely obscures this
important security fact (but leaves the files available to a programatic interface), then
I don't think we should implement it.
                
> Provide a way to disable browsing of files from the web UI
> ----------------------------------------------------------
>
>                 Key: HDFS-3801
>                 URL: https://issues.apache.org/jira/browse/HDFS-3801
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: namenode
>    Affects Versions: 2.0.0-alpha
>            Reporter: Harsh J
>            Assignee: Harsh J
>            Priority: Minor
>         Attachments: HDFS-3801.patch
>
>
> A few times we've had requests from users who wish to disable browsing of the filesystem
in the web UI completely, while keeping other servlet functionality enabled (such as fsck,
etc.). Right now, the cheap way to do this is by blocking out the DN web port (50075) from
access by clients, but that also hampers HFTP transfers.
> We should instead provide a toggle config for the JSPs to use and disallow browsing if
the toggle's enabled. The config can be true by default, to not change the behavior.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message