[ https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14293396#comment-14293396 ]

Harsh J commented on HDFS-5796:
-------------------------------

[~wheat9],

bq. This has been called out a security vulnerability. The user has to 
authenticate himself / herself before accessing any data in the cluster.

The goal of this JIRA is to allow flexibility like it existed in the pre-bootstrap 
UI, where not having web console authentication turned on also applied to the 
provided file browser. With that in mind, I don't see how the static user 
concept proves itself as a vulnerability, because the user is already aware their 
web console is not authenticating anyone for anything, including the web 
browser.

We have customers who need generic user (dr.who, etc. - this is configurable) 
file browsing on the NN UI without authentication just as it had existed prior 
to the WebHDFS file browser introduction, even though their Kerberos 
authentication is turned on in the cluster.

Would that be OK to place back as a feature (turned off by default if needed), 
as the new file browser has regressed?

> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>
>                 Key: HDFS-5796
>                 URL: https://issues.apache.org/jira/browse/HDFS-5796
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.5.0
>            Reporter: Kihwal Lee
>            Assignee: Arun Suresh
>         Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch, 
> HDFS-5796.3.patch, HDFS-5796.3.patch
>
>
> After HDFS-5382, the browser makes WebHDFS REST calls directly, requiring 
> SPNEGO to work between the user's browser and the namenode. This won't work if the 
> cluster's security infrastructure is isolated from the regular network. 
> Moreover, SPNEGO is not supposed to be required for user-facing web pages.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)