hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Arun Suresh (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-5796) The file system browser in the namenode UI requires SPNEGO.
Date Thu, 12 Feb 2015 19:40:12 GMT

    [ https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14318847#comment-14318847

Arun Suresh commented on HDFS-5796:

[~aw], Yup, you are correct..

HDFS-5716 does work as expected but this issue is a bit different. (Do correct me if i am
wrong) The current Web UI delegates to WebHDFS. If we use the {{dfs.web.authentication.filter}}
exposed by HDFS-5716, and set a filter that does not SPNEGO authenticate, then ALL access
to WebHDFS will be un-authenticated. This is probably un-desirable.

What the current patch does is let WebHDFS use the default filter but the AuthHandler detects
Browser access via user-agent and forwards as a different user. I guess the debate is whether
to use a static user like the old {{dr.who}} or maybe another user.

> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>                 Key: HDFS-5796
>                 URL: https://issues.apache.org/jira/browse/HDFS-5796
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.5.0
>            Reporter: Kihwal Lee
>            Assignee: Arun Suresh
>         Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch, HDFS-5796.3.patch,
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring SPNEGO to work
between user's browser and namenode.  This won't work if the cluster's security infrastructure
is isolated from the regular network.  Moreover, SPNEGO is not supposed to be required for
user-facing web pages.

This message was sent by Atlassian JIRA

View raw message