Return-Path: X-Original-To: apmail-hadoop-hdfs-issues-archive@minotaur.apache.org Delivered-To: apmail-hadoop-hdfs-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 1A1B6D201 for ; Mon, 3 Dec 2012 21:07:59 +0000 (UTC) Received: (qmail 27302 invoked by uid 500); 3 Dec 2012 21:07:58 -0000 Delivered-To: apmail-hadoop-hdfs-issues-archive@hadoop.apache.org Received: (qmail 27274 invoked by uid 500); 3 Dec 2012 21:07:58 -0000 Mailing-List: contact hdfs-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: hdfs-issues@hadoop.apache.org Delivered-To: mailing list hdfs-issues@hadoop.apache.org Received: (qmail 27264 invoked by uid 99); 3 Dec 2012 21:07:58 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 03 Dec 2012 21:07:58 +0000 Date: Mon, 3 Dec 2012 21:07:58 +0000 (UTC) From: "Andy Isaacson (JIRA)" To: hdfs-issues@hadoop.apache.org Message-ID: <1410177800.55095.1354568878889.JavaMail.jiratomcat@arcas> In-Reply-To: <1843131115.5955.1344920017965.JavaMail.jiratomcat@arcas> Subject: [jira] [Commented] (HDFS-3801) Provide a way to disable browsing of files from the web UI MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HDFS-3801?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13509045#comment-13509045 ] Andy Isaacson commented on HDFS-3801: ------------------------------------- Harsh, What is the use case for this config option? How would a cluster be configured so that this feature would be useful? On a quick read, it appears to me that this disables the simple http browsing feature, but it doesn't appear that it actually prevents a simple HTTP client from retrieving the files. If a cluster does not have Kerberos turned on, then any program that can connect to the HTTP port of DN+NN can retrieve files from HDFS. If this config option completely removes that capability, then I could see it being useful. If this config option merely obscures this important security fact (but leaves the files available to a programatic interface), then I don't think we should implement it. > Provide a way to disable browsing of files from the web UI > ---------------------------------------------------------- > > Key: HDFS-3801 > URL: https://issues.apache.org/jira/browse/HDFS-3801 > Project: Hadoop HDFS > Issue Type: Improvement > Components: namenode > Affects Versions: 2.0.0-alpha > Reporter: Harsh J > Assignee: Harsh J > Priority: Minor > Attachments: HDFS-3801.patch > > > A few times we've had requests from users who wish to disable browsing of the filesystem in the web UI completely, while keeping other servlet functionality enabled (such as fsck, etc.). Right now, the cheap way to do this is by blocking out the DN web port (50075) from access by clients, but that also hampers HFTP transfers. > We should instead provide a toggle config for the JSPs to use and disallow browsing if the toggle's enabled. The config can be true by default, to not change the behavior. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira