hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Allen Wittenauer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-5796) The file system browser in the namenode UI requires SPNEGO.
Date Sat, 07 Mar 2015 01:51:38 GMT

    [ https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14351307#comment-14351307
] 

Allen Wittenauer commented on HDFS-5796:
----------------------------------------

bq. when security is enabled, WebHDFS by default picks up SPNEGO + KerberosAuthFilter. So
the UI works, but only when the browser is launched after a kinit. If I don't do a kinit,
I cannot browse files through the UI - this is the loss of functionality that is being discussed
here?

No.  The key point in that summary is "by default".  If you need something that isn't the
default, the whole system falls apart.  The fundamental problem is that if you use something
like the AltKerberos filter, it flat out doesn't work.  There two key problems we've noticed:

a) filter parameters don't get passed down to either AltK's SPNEGO filter or a user's custom
one
b) after we did some custom hacking, we noticed that cookie secret handling is broken.

Thus, using a browser to peruse HDFS is completely broken in 2.6 and up due to the removal
of the old UI.

bq. with HDFS-5716, you can turn the KerberosAuthFilter off and replace it with PseudoAuthFilter,
but then the UI as well as applications always thinks you are dr.who. So, I guess this is
not acceptable?

No.  HDFS-5716 just flat doesn't work in practice due to the above issues. It isn't reflective
of real world usage at all.  (.. and, believe me, we've tried to make it work without completely
rewriting the built-in AltKerberos filter.)

There's a very high chance that HADOOP-10709 might actually fix our issues, but the person
who was testing for me today went home ill. :(  So hopefully we'll try to verify on Monday.

> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>
>                 Key: HDFS-5796
>                 URL: https://issues.apache.org/jira/browse/HDFS-5796
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.5.0
>            Reporter: Kihwal Lee
>            Assignee: Arun Suresh
>            Priority: Blocker
>         Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch, HDFS-5796.3.patch,
HDFS-5796.3.patch
>
>
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring SPNEGO to work
between user's browser and namenode.  This won't work if the cluster's security infrastructure
is isolated from the regular network.  Moreover, SPNEGO is not supposed to be required for
user-facing web pages.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message