[ https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14344890#comment-14344890 ]

Arun Suresh commented on HDFS-5796:
-----------------------------------

[~aw], [~wheat9],
I do agree that we need a rethink of the auth-filter. 

But there are actually 2 issues here :

*Issue 1* :
From my analysis of the code, there are actually 3 filters that come into play 
for the Namenode UI currently
# If the user follows this link for 
[web-console|http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/HttpAuthentication.html],
 the {{AuthenticationFilterInitializer}} class will initialize a third 
{{AuthenticationFilter}} for root (*/*) resource.
# If security is enabled, {{HttpServer2#initSpnego()}} will, in addition to the 
above... initialize an {{AuthenticationFilter}} for all urls
# The {{NamenodeHttpServer}} which actually uses the {{HttpServer2}}, will add 
an {{AuthFilter}} (which incidentally is a subclass of the above 
{{AuthenticationFilter}}) for all */webhdfs/v1* urls

I propose that the http-auth be initialized and configured only by the 
{{AuthenticationFilterInitializer}}.. and sub components may add other filters 
but they should not be Authentication related.

If you guys are ok with the above, I am happy to put together a patch for this.

*Issue 2* :
What do we do about Client browsers that cannot handle SPNEGO (or if the user's 
browser is outside the security infrastructure of the Cluster) ?
I still feel that (if configured), requests from browsers should be handled 
differently (via the use of the {{AltKerberosAuthFilter}}), possibly by 
allowing those requests to be authenticated as a special, configured proxy 
user. 

Again am happy to work on this, if you guys are ok with this approach.

> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>
>                 Key: HDFS-5796
>                 URL: https://issues.apache.org/jira/browse/HDFS-5796
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.5.0
>            Reporter: Kihwal Lee
>            Assignee: Arun Suresh
>            Priority: Blocker
>         Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch, 
> HDFS-5796.3.patch, HDFS-5796.3.patch
>
>
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring 
> SPNEGO to work between user's browser and namenode.  This won't work if the 
> cluster's security infrastructure is isolated from the regular network.  
> Moreover, SPNEGO is not supposed to be required for user-facing web pages.


