[
https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14356370#comment-14356370
]
Arun Suresh commented on HDFS-5796:
-----------------------------------
bq. I'm actually inclined to say no, since the other web elements are almost
all strictly interactive. In other words, if I'm using something like SAML for
my normal web auth and only have Kerberos deployed for internal hadoop stuff,
there's no need to put a Kerberos filter in front of those other UIs.
Currently, if you configure a different Auth filter via AuthFilterInitializer
and a different one (Kerb) for dfs.web.authentication, the user still has to go
through the Kerberos authentication. Basically, the user has to pass through the
stricter scheme anyway. So why not use a single AuthenticationFilter as
[~wheat9] suggested?
Please also note, as I mentioned in an earlier comment, there is a THIRD
filter involved here which is initialized by {{HttpServer2#initSpnego()}}. This
ends up being the same filter as dfs.web.authentication, but a filter is still
initialized nonetheless. I feel this should be removed, either in this JIRA
or another.
w.r.t. the patch
{noformat}
+ Reader reader = new InputStreamReader(new FileInputStream(
+ signatureSecretFile), Charsets.UTF_8);
+ int c = reader.read();
+ while (c > -1) {
+ secret.append((char)c);
+ c = reader.read();
+ }
+ reader.close();
+ p.setProperty(AuthenticationFilter.SIGNATURE_SECRET,
secret.toString());
{noformat}
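Review bot: reader.close() is reached only when every reader.read() call succeeds, so an IOException inside the loop leaks the FileInputStream; open the reader in a try-with-resources statement or close it in a finally block. The loop also copies the file verbatim, so a trailing newline in signatureSecretFile becomes part of the value set for AuthenticationFilter.SIGNATURE_SECRET; either trim it or document that the whole file content, whitespace included, is the secret.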
could be better written as
{noformat}
secret = Files.readAllBytes(new File(secretFile).toPath())
{noformat}
> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>
> Key: HDFS-5796
> URL: https://issues.apache.org/jira/browse/HDFS-5796
> Project: Hadoop HDFS
> Issue Type: Bug
> Affects Versions: 2.5.0
> Reporter: Kihwal Lee
> Assignee: Ryan Sasson
> Priority: Blocker
> Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch,
> HDFS-5796.3.patch, HDFS-5796.3.patch, HDFS-5796.4.patch
>
>
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring
> SPNEGO to work between user's browser and namenode. This won't work if the
> cluster's security infrastructure is isolated from the regular network.
> Moreover, SPNEGO is not supposed to be required for user-facing web pages.