hadoop-hdfs-issues mailing list archives

From "Luke Lu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-5333) Improvement of current HDFS Web UI
Date Fri, 25 Oct 2013 16:58:34 GMT

    [ https://issues.apache.org/jira/browse/HDFS-5333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13805457#comment-13805457 ]

Luke Lu commented on HDFS-5333:

I have concerns with this client-side JS-only approach, which is less secure than a progressively
enhanced hybrid approach used by YARN. The recent Gmail XSS fiasco highlights the issue. I
also have concerns that we commit these changes without matching unit tests -- the fact you
cannot effectively unit test these changes should tell you something about this approach.

_Requiring_ JS means that an admin cannot turn off JS to (partially) use core Hadoop UI. You'd
_require_ proper SSL (not self-signed) setup to avoid JS injection, even if security of JS
libraries used is perfect, which I doubt (search Gmail/LinkedIn XSS). Client-side rendering
completely breaks the workflows for ops who rely on text-based terminal/emacs/vim browsers
(no JS support) to monitor component UI.

IMO, JS-only rendering belongs to social networking sites and/or SaaS front-ends. I think
eventually most users will use a self-servicing UI in a SaaS front-end that uses REST/JMX
API to get data from back-end components, besides their own app master/service UI. The priority/requirements
for UI in core Hadoop should be security and correctness, which client-side templating cannot
address properly so far.

> Improvement of current HDFS Web UI
> ----------------------------------
>                 Key: HDFS-5333
>                 URL: https://issues.apache.org/jira/browse/HDFS-5333
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>    Affects Versions: 3.0.0
>            Reporter: Jing Zhao
>            Assignee: Haohui Mai
> This is an umbrella jira for improving the current JSP-based HDFS Web UI. 

This message was sent by Atlassian JIRA
