[ https://issues.apache.org/jira/browse/HDFS-5796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14387378#comment-14387378 ]

Allen Wittenauer commented on HDFS-5796:
----------------------------------------

bq. What are the complex cases? 

and 

bq. I fail to see the merits of using AltKerberos for WebHDFS (yet). 

... are directly related.

SPNEGO only works if a trust can be established between any/all relevant 
realms.  What if that trust can't be used (e.g., copying data between two 
Hadoop systems owned by different companies)? What if Kerberos isn't being used 
at all for user-side authentication?  

See also HDFS-7983 and HDFS-7984.  

This is a very real problem.  We hit it every day.

> The file system browser in the namenode UI requires SPNEGO.
> -----------------------------------------------------------
>
>                 Key: HDFS-5796
>                 URL: https://issues.apache.org/jira/browse/HDFS-5796
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.5.0
>            Reporter: Kihwal Lee
>            Assignee: Ryan Sasson
>            Priority: Blocker
>         Attachments: HDFS-5796.1.patch, HDFS-5796.1.patch, HDFS-5796.2.patch, 
> HDFS-5796.3.patch, HDFS-5796.3.patch, HDFS-5796.4.patch
>
>
> After HDFS-5382, the browser makes webhdfs REST calls directly, requiring 
> SPNEGO to work between user's browser and namenode.  This won't work if the 
> cluster's security infrastructure is isolated from the regular network.  
> Moreover, SPNEGO is not supposed to be required for user-facing web pages.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
