hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Allen Wittenauer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-5796) The file system browser in the namenode UI requires SPNEGO.
Date Tue, 03 Mar 2015 20:42:05 GMT

    [ https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14345703#comment-14345703

Allen Wittenauer commented on HDFS-5796:

bq. please correct me if Im wrong, but looking a the code in hadoop trunk, I don't think AltKerberos
is currently used.

It's existed for a very long time. We're using it in 2.4.1 on our secure clusters now. One
configures it in core-site.xml to enable it.

bq. So that we are on the same page, we agree using AltKerberos Handler is the right approach..
but I think we should agree on what exactly should be the alternate mechanism...

This stuff is (as typical) poorly documented, but that's the point of AltKerberos.  Users
can build their own filter mechanism to work alongside the SPNEGO one.  So if someone wants
to use (for example) OAuth, they just need to push that Implementation into their own jar
and configure it in core-site.xml. So if you wanted to, you could do the necessary Implementation
of the AltKerberos methods that said "we auth via SAML and anyone that fails gets Dr. Who".
 This we we don't have to dictate anything.  It probably would be useful, however, to have
a working AltKerberos example that does something real... but that's a different issue.

> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>                 Key: HDFS-5796
>                 URL: https://issues.apache.org/jira/browse/HDFS-5796
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.5.0
>            Reporter: Kihwal Lee
>            Assignee: Arun Suresh
>            Priority: Blocker
>         Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch, HDFS-5796.3.patch,
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring SPNEGO to work
between user's browser and namenode.  This won't work if the cluster's security infrastructure
is isolated from the regular network.  Moreover, SPNEGO is not supposed to be required for
user-facing web pages.

This message was sent by Atlassian JIRA

View raw message