hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Haohui Mai (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HDFS-5796) The file system browser in the namenode UI requires SPNEGO.
Date Fri, 13 Feb 2015 00:04:14 GMT

    [ https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14319269#comment-14319269
] 

Haohui Mai edited comment on HDFS-5796 at 2/13/15 12:04 AM:
------------------------------------------------------------

bq. bq. HDFS-5716 seems like a bug rather than a feature at this point. 

I agree that HDFS-5716 is far from a perfect solution :-(. HDFS-5716 is more of a remedy solution
to unblock the 2.4 release if I remember correctly. The NN have different authentication filters
for WebHDFS and other HTTP contents, which is really confusing.

bq. That is incorrect. Permissions are checked as dr.who username. What version are you observing
this in specifically? That has never been the behaviour in any Apache release I've known since
0.20.2.

Thanks for the clarification. I just checked the code and you're right. Now I understand what
you're coming from.

However, I think it is a bad idea to add it into the filter. Does it make sense to just modify
the UI to issue a `GET_DELEGATION_TOKEN` call to get a token before browsing the filesystem?


was (Author: wheat9):
bq. That is incorrect. Permissions are checked as dr.who username. What version are you observing
this in specifically? That has never been the behaviour in any Apache release I've known since
0.20.2.

Thanks for the clarification. I just checked the code and you're right. Now I understand what
you're coming from.

However, I think it is a bad idea to add it into the filter. Does it make sense to just modify
the UI to issue a `GET_DELEGATION_TOKEN` call to get a token before browsing the filesystem?

> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>
>                 Key: HDFS-5796
>                 URL: https://issues.apache.org/jira/browse/HDFS-5796
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.5.0
>            Reporter: Kihwal Lee
>            Assignee: Arun Suresh
>         Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch, HDFS-5796.3.patch,
HDFS-5796.3.patch
>
>
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring SPNEGO to work
between user's browser and namenode.  This won't work if the cluster's security infrastructure
is isolated from the regular network.  Moreover, SPNEGO is not supposed to be required for
user-facing web pages.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message