[
https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14311816#comment-14311816
]
Arun Suresh commented on HDFS-5796:
-----------------------------------
[~wheat9],
bq. ... Does the user need to be able to read all files in the HDFS cluster in
order for the UI to work? What kinds of access controls do you plan to apply on
the particular user?
So what I meant was, unlike before where *dr.who*, who not only is an
unauthenticated user, but is also not a real HDFS-recognized user (dr.who is
not associated with any groups and thus cannot be ACL restricted / permission
restricted on any folder) is able to access any file in HDFS... what I propose
is a scheme where browser access is auto-authenticated (when turned on
explicitly) as an (explicitly configured) HDFS user associated with a group and
thus can be ACL / permission restricted from viewing certain files / folders by
the cluster admin.
bq. From a security perspective, I think that it is a no-go if users that are
using the browser and users that are using standard RPC interfaces are treated
differently – it can easily lead to misconfiguration and security
vulnerabilities.
Wrt. misconfiguration, I agree that it would be a security issue... but I am
in fact reusing the existing {{AltKerberosAuthenticationHandler}}, which does a
browser check based on user agent. I would be happy to take a shot at fixing
that up if you find any vulnerabilities in it.
> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>
> Key: HDFS-5796
> URL: https://issues.apache.org/jira/browse/HDFS-5796
> Project: Hadoop HDFS
> Issue Type: Bug
> Affects Versions: 2.5.0
> Reporter: Kihwal Lee
> Assignee: Arun Suresh
> Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch,
> HDFS-5796.3.patch, HDFS-5796.3.patch
>
>
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring
> SPNEGO to work between user's browser and namenode. This won't work if the
> cluster's security infrastructure is isolated from the regular network.
> Moreover, SPNEGO is not supposed to be required for user-facing web pages.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
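
Added example, not part of the JIRA comment and not Hadoop code: a simplified Python model of the scheme proposed above, in which requests classified as browser traffic by their User-Agent run as a configured HDFS user whose group and ACL entries decide what it may read. The user `webuser`, the group `webusers`, the sample inodes and the non-browser substring list are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

NON_BROWSER_AGENTS = ("java", "curl", "wget", "perl")   # assumed default list
BROWSER_USER, BROWSER_GROUPS = "webuser", {"webusers"}  # hypothetical names


def is_browser(user_agent):
    # Missing header -> non-browser; otherwise a browser unless a listed
    # substring appears in the lower-cased User-Agent.
    if user_agent is None:
        return False
    ua = user_agent.lower()
    return not any(token in ua for token in NON_BROWSER_AGENTS)


def effective_user(user_agent, kerberos_principal=None):
    # Browser path: the configured static user, no credentials checked.
    # Non-browser path: whatever SPNEGO established (None means rejected).
    return BROWSER_USER if is_browser(user_agent) else kerberos_principal


@dataclass
class Inode:
    owner: str
    group: str
    mode: int                                         # e.g. 0o750
    named_users: dict = field(default_factory=dict)   # ACL: user -> rwx bits


def can_read(user, groups, inode):
    # Simplified HDFS check order: owner, named-user ACL entry, group, other.
    # The ACL mask is left out to keep the model short.
    if user == inode.owner:
        bits = inode.mode >> 6
    elif user in inode.named_users:
        bits = inode.named_users[user]
    elif inode.group in groups:
        bits = inode.mode >> 3
    else:
        bits = inode.mode
    return bool(bits & 0o4)


def browser_can_read(user_agent, inode):
    user = effective_user(user_agent)
    return user is not None and can_read(user, BROWSER_GROUPS, inode)


# Constructed sample inodes.
PUBLIC = Inode("hdfs", "supergroup", 0o755)
FINANCE = Inode("alice", "finance", 0o750)
LOCKED = Inode("hdfs", "supergroup", 0o755, {"webuser": 0o0})
```

Because the User-Agent header is supplied by the client, the permissions granted to the configured browser user are the effective limit on what any request without credentials can read, so an admin reviewing such a setup would audit that user's group membership and ACL entries first.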