Return-Path: X-Original-To: apmail-hadoop-hdfs-issues-archive@minotaur.apache.org Delivered-To: apmail-hadoop-hdfs-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id F2B2310943 for ; Fri, 25 Oct 2013 16:58:41 +0000 (UTC) Received: (qmail 25663 invoked by uid 500); 25 Oct 2013 16:58:37 -0000 Delivered-To: apmail-hadoop-hdfs-issues-archive@hadoop.apache.org Received: (qmail 25619 invoked by uid 500); 25 Oct 2013 16:58:36 -0000 Mailing-List: contact hdfs-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: hdfs-issues@hadoop.apache.org Delivered-To: mailing list hdfs-issues@hadoop.apache.org Received: (qmail 25514 invoked by uid 99); 25 Oct 2013 16:58:34 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 25 Oct 2013 16:58:34 +0000 Date: Fri, 25 Oct 2013 16:58:34 +0000 (UTC) From: "Luke Lu (JIRA)" To: hdfs-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HDFS-5333) Improvement of current HDFS Web UI MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HDFS-5333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13805457#comment-13805457 ] Luke Lu commented on HDFS-5333: ------------------------------- I have concerns with this client-side js only approach, which is less secure than a progressively enhanced hybrid approach used by YARN. The recent gmail XSS fiasco highlights the issue. I also have concerns that we commit these changes without matching unit tests -- the fact you cannot effectively unit test these changes should tell you something about this approach. _Requiring_ JS means that an admin cannot turn off js to (partially) use core Hadoop UI. You'd _require_ proper SSL (not self signed) setup to avoid JS injection, even if security of js libraries used is perfect, which I doubt (search gmail/linkedin XSS). Client side rendering completely breaks the workflows for ops who rely on text based terminal/emacs/vim browsers (no js support) to monitor component UI. IMO, JS-only rendering belongs to social networking sites and/or SaaS front-ends. I think eventually most users will use a self servicing UI in a SaaS front-end that uses REST/JMX API to get data from back-end components, besides their own app master/service UI. The priority/requirements for UI in core Hadoop should be security and correctness, which client side templating cannot address properly so far. > Improvement of current HDFS Web UI > ---------------------------------- > > Key: HDFS-5333 > URL: https://issues.apache.org/jira/browse/HDFS-5333 > Project: Hadoop HDFS > Issue Type: Improvement > Affects Versions: 3.0.0 > Reporter: Jing Zhao > Assignee: Haohui Mai > > This is an umbrella jira for improving the current JSP-based HDFS Web UI. -- This message was sent by Atlassian JIRA (v6.1#6144)