[
https://issues.apache.org/jira/browse/ACCUMULO-4617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16023090#comment-16023090
]
Michael Miller commented on ACCUMULO-4617:
------------------------------------------
Ok I will take a look at IT.
> Remove ShellServlet
> -------------------
>
> Key: ACCUMULO-4617
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4617
> Project: Accumulo
> Issue Type: Sub-task
> Components: monitor
> Reporter: Christopher Tubbs
> Fix For: 2.0.0
>
>
> ShellServlet is an obscure older feature in Accumulo's monitor which provides
> a shell-like interface in the browser. I say shell-like, because it never
> quite behaved the same as in a real terminal.
> For security, this feature was never activated unless a user took the time to
> set up X.509 certificates for trust and ran the monitor over HTTPS.
> I think we should remove this feature in 2.0.0. Here are some of my reasons:
> # The feature is relatively obscure, with no out-of-box presence in the
> monitor.
> # The code is complex and difficult to maintain or migrate to the templating
> strategies currently being developed by [~lstav] for the rest of
> ACCUMULO-3005.
> # It has limited utility (a real shell is better).
> # Users have many options for browser-based terminal emulators, ssh-clients,
> and more.
> # It does not support Kerberos and other kinds of authentication that a real
> shell offers.
> # There are a fair amount of security-related issues that can arise from this
> code, and it is probably not worth it to maintain over time, if it's not used
> frequently (protection against session-hijacking and CSRF token attacks,
> TLS/SSL downgrade attacks, and more). It's probably not worth exposing
> Accumulo user credentials to any browser.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
