hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Arun Suresh (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HDFS-5796) The file system browser in the namenode UI requires SPNEGO.
Date Sun, 25 Jan 2015 08:05:36 GMT

     [ https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Arun Suresh updated HDFS-5796:
    Attachment: HDFS-5796.2.patch

[~wheat9], [~benoyantony], I apologize for the long delay and for sitting on this for so long.

Considering the fact that it is difficult to porbably configure browser-side SPNEGO plugins
and given that all users HAVE to be authenticated.

Please find attached a patch with what I feel is a middle-ground proposal. 
* Browser based access will be detected via user-agent and the request will be preformed as
a special _browser-proxy_ user.
* The above behavior has to be explicitly turned on via a new *dfs.web.authentication.enable.browser.proxy*
* In addition to the above, a _browser-proxy_ user HAS to be explicity configured via the
new *dfs.web.authentication.browser.proxy.principal* and *dfs.web.authentication.browser.proxy.keytab*
* The init method of the filter ensures that the provided _browser-proxy_ principal is valid
and login-able.

This way, if the hdfs/cluster administrator so chooses, a special user can be provisioned
(or may choose an existing user/principal) and configured just for browser based Web UI access.

> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>                 Key: HDFS-5796
>                 URL: https://issues.apache.org/jira/browse/HDFS-5796
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.5.0
>            Reporter: Kihwal Lee
>            Assignee: Arun Suresh
>         Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring SPNEGO to work
between user's browser and namenode.  This won't work if the cluster's security infrastructure
is isolated from the regular network.  Moreover, SPNEGO is not supposed to be required for
user-facing web pages.

This message was sent by Atlassian JIRA

View raw message