[ https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14359277#comment-14359277 ]
Haohui Mai commented on HDFS-5796:
----------------------------------

I think there are multiple issues being discussed here and it makes it difficult to follow. Let me try to recap and make sure everybody is on the same page. Then we can discuss what needs to be done to unblock 2.7.

Problems:

* The UI and WebHDFS have different sets of authentication filters.
* The UI and WebHDFS use different signers. Therefore the UI auth filters do not recognize the auth cookie generated by the WebHDFS auth filters, and vice versa.
* In a secure setup, the old UI allows an anonymous user to be authenticated as "dr.who", while WebHDFS never allows authentications like this.
* The new UI accesses the HDFS directories using WebHDFS, which does not allow anonymous users to be authenticated as "dr.who". Thus anonymous users can no longer browse HDFS.

Proposed solutions so far:

* Allow a configurable WebHDFS authentication filter (in HDFS-5716). The users can work around the problem using a customizable filter but it won't work out of the box.
* Merging authentication filters -- proposed in HADOOP-10703. Users can configure to use {{AltKerberosAuthenticationHandler}} for WebHDFS, so that the anonymous users can be authenticated as "dr.who". The issue is that the user can no longer be authenticated as itself.
* Getting a delegation token in the UI before issuing WebHDFS requests -- proposed in this jira. It unifies the security model for both UI and WebHDFS, but it requires the auth filter for WebHDFS to be able to authenticate users as dr.who and it requires changes in the UI.
* Unify the signer for both the UI and the WebHDFS filter -- proposed in this jira. The UI can authenticate the user as dr.who, the WebHDFS auth filter can authenticate the auth cookie and get the corresponding UGI. It requires minimal changes but it needs confirmation whether it actually works.

> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>
>                 Key: HDFS-5796
>                 URL: https://issues.apache.org/jira/browse/HDFS-5796
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.5.0
>            Reporter: Kihwal Lee
>            Assignee: Ryan Sasson
>            Priority: Blocker
>         Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch,
> HDFS-5796.3.patch, HDFS-5796.3.patch, HDFS-5796.4.patch
>
>
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring
> SPNEGO to work between user's browser and namenode. This won't work if the
> cluster's security infrastructure is isolated from the regular network.
> Moreover, SPNEGO is not supposed to be required for user-facing web pages.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
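
The signer mismatch described in the comment above, as an added illustration that is not part of the original message and is not Hadoop's code: two filters that sign auth cookies with different secrets reject each other's cookies, while a shared signer lets one filter read the user the other authenticated. The `payload&s=signature` layout, HMAC-SHA256, the secrets and the payload fields are all assumptions constructed for this sketch.

```python
import base64
import hashlib
import hmac

SIG_SEP = "&s="  # assumed separator between payload and signature


class CookieSigner:
    """Signs and verifies auth-cookie values with one secret (illustrative)."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def _mac(self, payload: str) -> str:
        digest = hmac.new(self._secret, payload.encode(), hashlib.sha256).digest()
        return base64.b64encode(digest).decode()

    def sign(self, payload: str) -> str:
        return payload + SIG_SEP + self._mac(payload)

    def verify(self, cookie: str):
        """Return the payload if the signature is valid, otherwise None."""
        payload, sep, sig = cookie.rpartition(SIG_SEP)
        if not sep:
            return None  # unsigned cookie
        expected = self._mac(payload)
        # Constant-time comparison so the check does not leak signature bytes.
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return None
        return payload


def user_from_cookie(signer: CookieSigner, cookie: str):
    """What a filter does: verify the cookie first, then read the user field."""
    payload = signer.verify(cookie)
    if payload is None:
        return None
    fields = dict(f.split("=", 1) for f in payload.split("&") if "=" in f)
    return fields.get("u")


def demo():
    payload = "u=dr.who&t=simple"                      # constructed payload
    ui = CookieSigner(b"ui-filter-secret")             # constructed secrets
    webhdfs = CookieSigner(b"webhdfs-filter-secret")
    shared = CookieSigner(b"shared-secret")
    unified_cookie = shared.sign(payload)
    return {
        # Different signers: the WebHDFS filter cannot validate the UI cookie.
        "separate": user_from_cookie(webhdfs, ui.sign(payload)),
        # Unified signer: either filter recovers the authenticated user.
        "unified": user_from_cookie(shared, unified_cookie),
        # A shared signer still rejects a cookie whose user field was edited.
        "tampered": user_from_cookie(shared, unified_cookie.replace("dr.who", "hdfs")),
    }
```

Sharing the signer also means sharing the secret, so both filters must protect it equally: anyone who can read it can mint a cookie for any user.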