[
https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14345589#comment-14345589
]
Allen Wittenauer commented on HDFS-5796:
----------------------------------------
bq. issue 1
If this fixes the fact that we can't pass configuration parameters to filters,
then go for it. We've got a patch we're playing with as well, but no unit
tests written for it.
bq. What do we do about Client browsers that cannot handle SPNEGO (or if the
users browser is outside the security infrastructure of the Cluster) ?
This is exactly the purpose of the AltKerberos filter and the one we're using.
It flips between SPNENGO and non-SPNEGO auth based upon the browser string.
bq. I still feel that (if configured), requests from browsers should be handled
differently (via the use of the AltKerberosAuthFilter), possibly by allowing
those requests to be authenticated as a special, configured proxy user.
That's basically the same thing as "Sure, I live in a glass house, but I have
security and privacy because there is a lock on the door."
> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>
> Key: HDFS-5796
> URL: https://issues.apache.org/jira/browse/HDFS-5796
> Project: Hadoop HDFS
> Issue Type: Bug
> Affects Versions: 2.5.0
> Reporter: Kihwal Lee
> Assignee: Arun Suresh
> Priority: Blocker
> Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch,
> HDFS-5796.3.patch, HDFS-5796.3.patch
>
>
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring
> SPNEGO to work between user's browser and namenode. This won't work if the
> cluster's security infrastructure is isolated from the regular network.
> Moreover, SPNEGO is not supposed to be required for user-facing web pages.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
