[ https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14293396#comment-14293396 ]
Harsh J commented on HDFS-5796:
-------------------------------

[~wheat9],

bq. This has been called out a security vulnerability. The user has to authenticate himself / herself before accessing any data in the cluster.

The goal of this JIRA is to allow flexibility like it existed in pre-bootstrap UI, where not having web console authentication turned on also applied to the provided file browser. With that in mind, I don't see how the static user concept proves itself as a vulnerability, because the user is already aware their web console is not authenticating anyone for anything, including the web browser.

We have customers who need generic user (dr.who, etc. - this is configurable) file browsing on the NN UI without authentication just as it had existed prior to the WebHDFS file browser introduction, even though their Kerberos authentication is turned on in the cluster. Would that be OK to place back as a feature (turned off by default if needed), as the new file browser has regressed?

> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>
>                 Key: HDFS-5796
>                 URL: https://issues.apache.org/jira/browse/HDFS-5796
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.5.0
>            Reporter: Kihwal Lee
>            Assignee: Arun Suresh
>         Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch,
> HDFS-5796.3.patch, HDFS-5796.3.patch
>
>
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring
> SPNEGO to work between user's browser and namenode. This won't work if the
> cluster's security infrastructure is isolated from the regular network.
> Moreover, SPNEGO is not supposed to be required for user-facing web pages.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)