[ https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14302490#comment-14302490 ]

Haohui Mai commented on HDFS-5796:
----------------------------------

bq. Since this would be a real valid user, hdfs admin can apply normal access 
grants / restrictions on this user..

I don't quite follow. Does the user need to be able to read all files in the HDFS 
cluster in order for the UI to work? What kinds of access controls do you plan 
to apply on the particular user?

From a security perspective, I think that it is a no-go if users that are 
using the browser and users that are using standard RPC interfaces are treated 
differently -- it can easily lead to misconfiguration and security 
vulnerabilities.


> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>
>                 Key: HDFS-5796
>                 URL: https://issues.apache.org/jira/browse/HDFS-5796
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.5.0
>            Reporter: Kihwal Lee
>            Assignee: Arun Suresh
>         Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch, 
> HDFS-5796.3.patch, HDFS-5796.3.patch
>
>
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring 
> SPNEGO to work between user's browser and namenode.  This won't work if the 
> cluster's security infrastructure is isolated from the regular network.  
> Moreover, SPNEGO is not supposed to be required for user-facing web pages.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
