[
https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14318847#comment-14318847
]
Arun Suresh commented on HDFS-5796:
-----------------------------------
[~aw], Yup, you are correct..
HDFS-5716 does work as expected but this issue is a bit different. (Do correct
me if i am wrong) The current Web UI delegates to WebHDFS. If we use the
{{dfs.web.authentication.filter}} exposed by HDFS-5716, and set a filter that
does not SPNEGO authenticate, then ALL access to WebHDFS will be
un-authenticated. This is probably un-desirable.
What the current patch does is let WebHDFS use the default filter but the
AuthHandler detects Browser access via user-agent and forwards as a different
user. I guess the debate is whether to use a static user like the old
{{dr.who}} or maybe another user.
> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>
> Key: HDFS-5796
> URL: https://issues.apache.org/jira/browse/HDFS-5796
> Project: Hadoop HDFS
> Issue Type: Bug
> Affects Versions: 2.5.0
> Reporter: Kihwal Lee
> Assignee: Arun Suresh
> Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch,
> HDFS-5796.3.patch, HDFS-5796.3.patch
>
>
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring
> SPNEGO to work between user's browser and namenode. This won't work if the
> cluster's security infrastructure is isolated from the regular network.
> Moreover, SPNEGO is not supposed to be required for user-facing web pages.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
