Christopher Tubbs created ACCUMULO-4617:
-------------------------------------------
Summary: Remove ShellServlet
Key: ACCUMULO-4617
URL: https://issues.apache.org/jira/browse/ACCUMULO-4617
Project: Accumulo
Issue Type: Sub-task
Components: monitor
Reporter: Christopher Tubbs
Fix For: 2.0.0
ShellServlet is an obscure older feature in Accumulo's monitor which provides a
shell-like interface in the browser. I say shell-like, because it never quite
behaved the same as in a real terminal.
For security, this feature was never activated unless a user took the time to
set up X.509 certificates for trust and ran the monitor over HTTPS.
I think we should remove this feature in 2.0.0. Here are some of my reasons:
# The feature is relatively obscure, with no out-of-box presence in the monitor.
# The code is complex and difficult to maintain or migrate to the templating
strategies currently being developed by [~lstav] for the rest of ACCUMULO-3005.
# It has limited utility (a real shell is better).
# Users have many options for browser-based terminal emulators, ssh-clients,
and more.
# It does not support Kerberos and other kinds of authentication that a real
shell offers.
# There is a fair amount of security-related issues that can arise from this
code, and it is probably not worth it to maintain over time, if it's not used
frequently (protection against session-hijacking and CSRF token attacks,
TLS/SSL downgrade attacks, and more). It's probably not worth exposing Accumulo
user credentials to any browser.