[jira] [Commented] (HDFS-5796) The file system browser in the namenode UI requires SPNEGO.

Fri, 06 Mar 2015 15:54:07 -0800 

    [ 
https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14351156#comment-14351156
 ] 

Vinod Kumar Vavilapalli commented on HDFS-5796:
-----------------------------------------------

Hey everyone,

I've been trying to understand the problem here, but it is a big wall of text. 
It'll be great if someone can help me. It seems like
 # when security is enabled, WebHDFS by default picks up SPNEGO + 
KerberosAuthFilter. So the UI works, but only when the browser is launched 
after a kinit. If I don't do a kinit, I cannot browse files through the UI - 
this is the loss of functionality that is being discussed here?
 # with HDFS-5716, you can turn the KerberosAuthFilter off and replace it with 
PseudoAuthFilter, but then the UI as well as applications always thinks you are 
dr.who. So, I guess this is not acceptable?
 # Is the patch trying to add (back) in a way to use KerberosAuthFilter for 
regular applications but use Dr.Who for browsers? And that is a security 
concern, so we don't want to put it back?

Going back to the title, "The file system browser in the namenode UI requires 
SPNEGO.". Seems like with HDFS-5716, you can set your own filter and so the 
discussion is really about the defaults?

Trying to gauge its priority for 2.7. Thanks.

> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>
>                 Key: HDFS-5796
>                 URL: https://issues.apache.org/jira/browse/HDFS-5796
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.5.0
>            Reporter: Kihwal Lee
>            Assignee: Arun Suresh
>            Priority: Blocker
>         Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch, 
> HDFS-5796.3.patch, HDFS-5796.3.patch
>
>
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring 
> SPNEGO to work between user's browser and namenode.  This won't work if the 
> cluster's security infrastructure is isolated from the regular network.  
> Moreover, SPNEGO is not supposed to be required for user-facing web pages.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to