hadoop-hdfs-issues mailing list archives

From "Allen Wittenauer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-5796) The file system browser in the namenode UI requires SPNEGO.
Date Tue, 03 Mar 2015 19:35:06 GMT

    [ https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14345589#comment-14345589

Allen Wittenauer commented on HDFS-5796:

bq. issue 1

If this fixes the fact that we can't pass configuration parameters to filters, then go for
it.  We've got a patch we're playing with as well, but no unit tests written for it.

bq. What do we do about Client browsers that cannot handle SPNEGO (or if the user's browser
is outside the security infrastructure of the Cluster)?

This is exactly the purpose of the AltKerberos filter and the one we're using.  It flips between
SPNEGO and non-SPNEGO auth based upon the browser string.

bq. I still feel that (if configured), requests from browsers should be handled differently
(via the use of the AltKerberosAuthFilter), possibly by allowing those requests to be authenticated
as a special, configured proxy user. 

That's basically the same thing as "Sure, I live in a glass house, but I have security and
privacy because there is a lock on the door."

> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>                 Key: HDFS-5796
>                 URL: https://issues.apache.org/jira/browse/HDFS-5796
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.5.0
>            Reporter: Kihwal Lee
>            Assignee: Arun Suresh
>            Priority: Blocker
>         Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch, HDFS-5796.3.patch,
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring SPNEGO to work
> between user's browser and namenode.  This won't work if the cluster's security infrastructure
> is isolated from the regular network.  Moreover, SPNEGO is not supposed to be required for
> user-facing web pages.

This message was sent by Atlassian JIRA
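
The User-Agent dispatch described in the comment above, modelled as an added example that is not part of the original message and is not Hadoop's code. Assumptions: the non-browser list follows the documented default of Hadoop's `alt-kerberos.non-browser.user-agents` property, while the `X-Session` header, the key, and the functions `sign`, `alternate_authenticate` and `route` are hypothetical. The browser branch still has to verify a credential of its own, because the header that selects it is supplied by the client.

```python
import hashlib
import hmac

# Assumption: list modelled on the documented default of Hadoop's
# alt-kerberos.non-browser.user-agents property.
NON_BROWSER_AGENTS = ("java", "curl", "wget", "perl")
SECRET = b"constructed-demo-key"  # constructed value for this example


def is_browser(user_agent):
    """A request is a 'browser' unless its User-Agent names a known tool."""
    if not user_agent:
        return False  # missing header: stay on the SPNEGO path
    ua = user_agent.lower()
    return not any(tool in ua for tool in NON_BROWSER_AGENTS)


def sign(user):
    """Hypothetical session token issued after a real login: user:hmac."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def alternate_authenticate(headers):
    """Hypothetical non-SPNEGO path: accept only a token that verifies."""
    user, _, mac = headers.get("X-Session", "").partition(":")
    expected = sign(user).partition(":")[2]
    if user and hmac.compare_digest(mac.encode(), expected.encode()):
        return user
    return None


def route(headers):
    """Return (path, user). Only the alternate path fills in user here;
    None on that path means the request is rejected with a 401."""
    if is_browser(headers.get("User-Agent")):
        return ("alternate", alternate_authenticate(headers))
    if headers.get("Authorization", "").startswith("Negotiate "):
        return ("spnego", None)  # token is handed to the Kerberos handler
    return ("spnego-challenge", None)  # 401 + WWW-Authenticate: Negotiate


# Constructed sample requests.
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0"
if __name__ == "__main__":
    print(route({"User-Agent": FIREFOX, "X-Session": sign("alice")}))
    print(route({"User-Agent": FIREFOX}))
    print(route({"User-Agent": "curl/7.40.0"}))
```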
