Return-Path: X-Original-To: apmail-hadoop-hdfs-issues-archive@minotaur.apache.org Delivered-To: apmail-hadoop-hdfs-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id B911810B1A for ; Thu, 30 Jan 2014 15:26:30 +0000 (UTC) Received: (qmail 46773 invoked by uid 500); 30 Jan 2014 15:26:24 -0000 Delivered-To: apmail-hadoop-hdfs-issues-archive@hadoop.apache.org Received: (qmail 46525 invoked by uid 500); 30 Jan 2014 15:26:21 -0000 Mailing-List: contact hdfs-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: hdfs-issues@hadoop.apache.org Delivered-To: mailing list hdfs-issues@hadoop.apache.org Received: (qmail 46333 invoked by uid 99); 30 Jan 2014 15:26:12 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 30 Jan 2014 15:26:12 +0000 Date: Thu, 30 Jan 2014 15:26:12 +0000 (UTC) From: "Daryn Sharp (JIRA)" To: hdfs-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HDFS-5854) WebHDFS file browsing not working on secure cluster -or displaying meaningful errors MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HDFS-5854?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13886657#comment-13886657 ] Daryn Sharp commented on HDFS-5854: ----------------------------------- Sidenote, one of the spnego patches I have available for webhdfs's http protocol violations will cause the body to contain "Authentication required". I do find it humorous that it currently appears to blame Jetty itself. :) I'm not disagreeing with the fallback because it doesn't make sense for the NN UI to depend on an optional service. I've been a bit dismayed about the direct reliance on webhdfs http calls because it's problematic when the NN UI is protected by a custom non-spnego auth filter - in our case and probably yours because desktop clients aren't configured to do spnego. Yet the UI references URL's that require spnego which the client cannot do. Perhaps the NN should be internally invoking the servlets to get the response direct webhdfs calls would return. That retains the cool new UI and allows flexibility for authentication. > WebHDFS file browsing not working on secure cluster -or displaying meaningful errors > ------------------------------------------------------------------------------------ > > Key: HDFS-5854 > URL: https://issues.apache.org/jira/browse/HDFS-5854 > Project: Hadoop HDFS > Issue Type: Bug > Components: webhdfs > Affects Versions: 2.4.0 > Environment: linux, kerberized 2.4.0 snapshot, commit #941ce6a > Reporter: Steve Loughran > Attachments: Screen Shot 2014-01-30 at 10.16.45.png > > > webhdfs is on by default and the new NN status UI is coming up (after setting the {{ 'dfs.web.authentication.kerberos.principal}} property -but the FS browser failing with error code 401 -unauth. > That's inevitably security related -somehow. But > # the principal is set -or does httpfs-site.xml need to be filled in too? > # if it is invalid, then some statement in the GUI should be provided -- This message was sent by Atlassian JIRA (v6.1.5#6160)