[ 
https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14315208#comment-14315208
 ] 

Haohui Mai commented on HDFS-5796:
----------------------------------

bq. The goal, again, is to have what we had before. The user dr.who functioned 
like the "others" user w.r.t. permissions, and did not have access to all 
files. Likewise is expected with the approach here.

To clarify, in the old UI, dr.who does have read access to all files.

bq. The configuration is explicit. Can you clarify on what vulnerability adding 
a static, non-existent user to the viewer brings?

Is the following true -- an attacker who does not have any read access to the 
cluster is able to read some files through the UI, but not through the HDFS RPC?

> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>
>                 Key: HDFS-5796
>                 URL: https://issues.apache.org/jira/browse/HDFS-5796
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.5.0
>            Reporter: Kihwal Lee
>            Assignee: Arun Suresh
>         Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch, 
> HDFS-5796.3.patch, HDFS-5796.3.patch
>
>
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring 
> SPNEGO to work between user's browser and namenode.  This won't work if the 
> cluster's security infrastructure is isolated from the regular network.  
> Moreover, SPNEGO is not supposed to be required for user-facing web pages.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)