[ https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14351307#comment-14351307 ]

Allen Wittenauer commented on HDFS-5796:
----------------------------------------

bq. when security is enabled, WebHDFS by default picks up SPNEGO + 
KerberosAuthFilter. So the UI works, but only when the browser is launched 
after a kinit. If I don't do a kinit, I cannot browse files through the UI - 
this is the loss of functionality that is being discussed here?

No.  The key point in that summary is "by default".  If you need something that 
isn't the default, the whole system falls apart.  The fundamental problem is 
that if you use something like the AltKerberos filter, it flat out doesn't 
work.  There are two key problems we've noticed:

a) filter parameters don't get passed down to either AltK's SPNEGO filter or a 
user's custom one
b) after we did some custom hacking, we noticed that cookie secret handling is 
broken.

Thus, using a browser to peruse HDFS is completely broken in 2.6 and up due to 
the removal of the old UI.

bq. with HDFS-5716, you can turn the KerberosAuthFilter off and replace it with 
PseudoAuthFilter, but then the UI as well as applications always thinks you are 
dr.who. So, I guess this is not acceptable?

No.  HDFS-5716 just flat doesn't work in practice due to the above issues. It 
isn't reflective of real world usage at all.  (.. and, believe me, we've tried 
to make it work without completely rewriting the built-in AltKerberos filter.)

There's a very high chance that HADOOP-10709 might actually fix our issues, but 
the person who was testing for me today went home ill. :(  So hopefully we'll 
try to verify on Monday.

> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>
>                 Key: HDFS-5796
>                 URL: https://issues.apache.org/jira/browse/HDFS-5796
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.5.0
>            Reporter: Kihwal Lee
>            Assignee: Arun Suresh
>            Priority: Blocker
>         Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch, 
> HDFS-5796.3.patch, HDFS-5796.3.patch
>
>
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring 
> SPNEGO to work between user's browser and namenode.  This won't work if the 
> cluster's security infrastructure is isolated from the regular network.  
> Moreover, SPNEGO is not supposed to be required for user-facing web pages.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
