hadoop-hdfs-issues mailing list archives

From "Harsh J (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-5796) The file system browser in the namenode UI requires SPNEGO.
Date Tue, 27 Jan 2015 11:48:34 GMT

    [ https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14293396#comment-14293396 ]

Harsh J commented on HDFS-5796:
-------------------------------

[~wheat9],

bq. This has been called out a security vulnerability. The user has to authenticate himself
/ herself before accessing any data in the cluster.

The goal of this JIRA is to allow flexibility like it existed in pre-bootstrap UI, where not
having web console authentication turned on also applied to the provided file browser. With
that in mind, I don't see how the static user concept proves itself as a vulnerability, because
the user is already aware their web console is not authenticating anyone for anything, including
the web browser.

We have customers who need generic user (dr.who, etc. - this is configurable) file browsing
on the NN UI without authentication just as it had existed prior to the WebHDFS file browser
introduction, even though their Kerberos authentication is turned on in the cluster.

Would that be OK to place back as a feature (turned off by default if needed), as the new
file browser has regressed?

> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>
>                 Key: HDFS-5796
>                 URL: https://issues.apache.org/jira/browse/HDFS-5796
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.5.0
>            Reporter: Kihwal Lee
>            Assignee: Arun Suresh
>         Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch, HDFS-5796.3.patch, HDFS-5796.3.patch
>
>
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring SPNEGO to work
> between user's browser and namenode.  This won't work if the cluster's security infrastructure
> is isolated from the regular network.  Moreover, SPNEGO is not supposed to be required for
> user-facing web pages.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
