[
https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14217472#comment-14217472
]
Arun Suresh commented on HDFS-5796:
-----------------------------------
[~benoyantony],
The old Web UI used to allow browser based access as a _dr.who_ user that could
see/read world readable files irrespective of whether security was turned on or
off. After HDFS-5382, this was not possible, since the the browser request was
routed thru WebHDFS.. and on a secure cluster, WebHDFS required the client to
be SPNEGO authenticated. This cannot be expected of a user's browser that is
outside the cluster's security infrastructure and has no access to a KDC. Now
HDFS-5716 allows one to configure a user specified filter for WebHDFS that can
side step SPNEGO, but unfortunately this mean all requests from inside the
secure cluster will also forgo SPNEGO authentication.
My patch was for a (IMO) middle ground where experience of users switching from
the old Web UI is not severely degraded.. by allowing unauthenticated browser
based access as the configured _HTTP_ kerberos principal. In any case, many
browsers do not even support SPNEGO authentications, so authentication might
not even be possible..
> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>
> Key: HDFS-5796
> URL: https://issues.apache.org/jira/browse/HDFS-5796
> Project: Hadoop HDFS
> Issue Type: Bug
> Affects Versions: 2.5.0
> Reporter: Kihwal Lee
> Assignee: Arun Suresh
> Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch
>
>
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring
> SPNEGO to work between user's browser and namenode. This won't work if the
> cluster's security infrastructure is isolated from the regular network.
> Moreover, SPNEGO is not supposed to be required for user-facing web pages.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
