[ 
https://issues.apache.org/jira/browse/HDFS-5402?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13857748#comment-13857748
 ] 

Haohui Mai commented on HDFS-5402:
----------------------------------

I think it might be worthwhile to start the conversation about deprecating the 
JSP web UI again. There are several jiras (e.g., HDFS-5661 / HDFS-5673) 
suggesting that the design is broken in secure or HA setups:

# Redirection does not pass the HTTP authentication cookie along (as NN / DN 
are in different origins), forcing the DN to go through SPNEGO again. It might 
not work for folks that implement their own authentication schemes.
# The URL contains the delegation token. The browser stores the URL in its 
history. Anyone that has access to the history lists might be able to steal 
the token.
# The URL in the DN's web UI contains the RPC address. There is a DFSClient in 
the DN's web UI that takes the address and reads the contents of the HDFS. On 
the other hand, the JSP generates the web page merely based on the RPC address 
in the URL. The page could be wrong if a failover happens during the period, or 
it might lead to potential security vulnerabilities as there are no good ways 
for the DN to verify the parameters.

Speaking of the lack of a text-based tool, I put up a tool that gets the 
information from the JMX. The tool is available at 
https://github.com/haohui/dfshealth-cli. The tool is based on Node.js, but I do 
have a Java version that can be easily integrated into trunk.

> Deprecate the JSP web uis in HDFS
> ---------------------------------
>
>                 Key: HDFS-5402
>                 URL: https://issues.apache.org/jira/browse/HDFS-5402
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>            Reporter: Haohui Mai
>
> This JIRA tracks the discussion of transitioning from old, JSP web UIs to the 
> HTML 5 based web UIs.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
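
Added example, not part of the original comment or of the Hadoop code base: a check covering the second and third points in the comment above, redacting a token carried in a URL before the URL is logged or stored, and validating the NameNode address parameter against the NameNodes the cluster is configured with. The parameter names `delegation` and `nnaddr`, the host names, and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example. Parameter names, hosts and URLs are assumptions, not taken from the comment.
const TOKEN_PARAM = "delegation"; // assumed name of the token query parameter
const NN_PARAM = "nnaddr";        // assumed name of the NameNode RPC address parameter

// Constructed allowlist: RPC addresses of the NameNodes this cluster is configured with.
const CONFIGURED_NAMENODES = new Set(["nn1.example.com:8020", "nn2.example.com:8020"]);

// Audit one DN web UI URL:
//  - redact the token so the stored or logged form no longer carries a credential
//  - flag a NameNode address that is not one of the configured NameNodes
function auditUrl(raw) {
  const url = new URL(raw);
  const findings = [];
  if (url.searchParams.has(TOKEN_PARAM)) {
    findings.push("token-in-url");
    url.searchParams.set(TOKEN_PARAM, "REDACTED");
  }
  const nn = url.searchParams.get(NN_PARAM);
  if (nn !== null && !CONFIGURED_NAMENODES.has(nn.toLowerCase())) {
    findings.push("unknown-namenode");
  }
  return { safeUrl: url.toString(), findings };
}

// Constructed sample URLs, shaped like entries in a browser history or access log.
const SAMPLE_URLS = [
  "http://dn1.example.com/page.jsp?dir=%2Fuser&nnaddr=nn1.example.com:8020&delegation=CONSTRUCTED_TOKEN_VALUE",
  "http://dn1.example.com/page.jsp?dir=%2Ftmp&nnaddr=10.9.9.9:8020",
  "http://dn1.example.com/page.jsp?dir=%2Ftmp&nnaddr=nn2.example.com:8020",
];

function auditAll(urls) {
  return urls.map(auditUrl);
}

for (const r of auditAll(SAMPLE_URLS)) {
  console.log(r.findings.join(",") || "ok", r.safeUrl);
}
```

The allowlist check only works when the server side holds the list of configured NameNodes; a value taken from the URL alone cannot be trusted.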
