hadoop-hdfs-issues mailing list archives

From "Arun Suresh (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-5796) The file system browser in the namenode UI requires SPNEGO.
Date Wed, 11 Mar 2015 06:11:39 GMT

    [ https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14356370#comment-14356370 ]

Arun Suresh commented on HDFS-5796:
-----------------------------------

bq.  I'm actually inclined to say no, since the other web elements are almost all strictly
interactive. In other words, if I'm using something like SAML for my normal web auth and only
have Kerberos deployed for internal hadoop stuff, there's no need to put a Kerberos filter
in front of those other UIs.

Currently, if you configure a different Auth filter via AuthFilterInitializer and a different
one (Kerb) for dfs.web.authentication, the user still has to go through the Kerberos authentication.
Basically, the user has to pass through the stricter scheme anyway. So why not use a single
AuthenticationFilter as [~wheat9] suggested?

Please also note, as I mentioned in an earlier comment, that there is a THIRD filter involved
here which is initialized by {{HttpServer2#initSpnego()}}. This ends up being the same filter
as dfs.web.authentication, but a filter is still initialized nonetheless. I feel this
should be removed, either in this JIRA or another.

w.r.t. the patch
{noformat}
+        Reader reader = new InputStreamReader(new FileInputStream(
+            signatureSecretFile), Charsets.UTF_8);
+        int c = reader.read();
+        while (c > -1) {
+          secret.append((char)c);
+          c = reader.read();
+        }
+        reader.close();
+        p.setProperty(AuthenticationFilter.SIGNATURE_SECRET, secret.toString());
{noformat}
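Review bot: reader.close() after the read loop is only reached when every reader.read() call succeeds, so an IOException in the middle of the file leaves the FileInputStream open; close the reader in a finally block (or use try-with-resources where Java 7 is available). The loop also appends every character of signatureSecretFile to secret, so a trailing newline in that file becomes part of the value passed to AuthenticationFilter.SIGNATURE_SECRET; if that is not intended, trim the string before p.setProperty(...), and document the expected file format either way.
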
could be better written as 
{noformat}
secret = Files.readAllBytes(new File(secretFile).toPath())
{noformat}

> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>
>                 Key: HDFS-5796
>                 URL: https://issues.apache.org/jira/browse/HDFS-5796
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.5.0
>            Reporter: Kihwal Lee
>            Assignee: Ryan Sasson
>            Priority: Blocker
>         Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch, HDFS-5796.3.patch, HDFS-5796.3.patch, HDFS-5796.4.patch
>
>
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring SPNEGO to work
> between user's browser and namenode.  This won't work if the cluster's security infrastructure
> is isolated from the regular network.  Moreover, SPNEGO is not supposed to be required for
> user-facing web pages.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
