[
https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14378550#comment-14378550
]
Haohui Mai commented on HDFS-5796:
----------------------------------
I played around with it a little bit. It looks like as long as the webhdfs
filter recognizes the auth cookie (which the browser will get from the server
when accessing the UI), the request can go through. Therefore I propose the
following solution:
* Revert the changes in HDFS-5716.
* Share the same signer / secret across the filter over the filter on UI and
{{AuthFilter}}
* {{AuthFilter}} continues to support SPNEGO to maintain backward compatibility.
Does it sound reasonable?
> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>
> Key: HDFS-5796
> URL: https://issues.apache.org/jira/browse/HDFS-5796
> Project: Hadoop HDFS
> Issue Type: Bug
> Affects Versions: 2.5.0
> Reporter: Kihwal Lee
> Assignee: Ryan Sasson
> Priority: Blocker
> Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch,
> HDFS-5796.3.patch, HDFS-5796.3.patch, HDFS-5796.4.patch
>
>
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring
> SPNEGO to work between user's browser and namenode. This won't work if the
> cluster's security infrastructure is isolated from the regular network.
> Moreover, SPNEGO is not supposed to be required for user-facing web pages.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
