[ https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Arun Suresh updated HDFS-5796:
------------------------------
    Attachment: HDFS-5796.2.patch

[~wheat9], [~benoyantony], I apologize for the long delay and for sitting on this for so long.

Considering the fact that it is difficult to probably configure browser-side SPNEGO plugins and given that all users HAVE to be authenticated, please find attached a patch with what I feel is a middle-ground proposal.

* Browser-based access will be detected via user-agent and the request will be performed as a special _browser-proxy_ user.
* The above behavior has to be explicitly turned on via a new *dfs.web.authentication.enable.browser.proxy* property.
* In addition to the above, a _browser-proxy_ user HAS to be explicitly configured via the new *dfs.web.authentication.browser.proxy.principal* and *dfs.web.authentication.browser.proxy.keytab* properties.
* The init method of the filter ensures that the provided _browser-proxy_ principal is valid and login-able.

This way, if the hdfs/cluster administrator so chooses, a special user can be provisioned (or may choose an existing user/principal) and configured just for browser-based Web UI access.

> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>
>                 Key: HDFS-5796
>                 URL: https://issues.apache.org/jira/browse/HDFS-5796
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.5.0
>            Reporter: Kihwal Lee
>            Assignee: Arun Suresh
>         Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch
>
>
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring
> SPNEGO to work between user's browser and namenode. This won't work if the
> cluster's security infrastructure is isolated from the regular network.
> Moreover, SPNEGO is not supposed to be required for user-facing web pages.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)