[ 
https://issues.apache.org/jira/browse/HDFS-14570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16866968#comment-16866968
 ] 

Scott A. Wehner commented on HDFS-14570:
----------------------------------------

In hadoop 2.x disabling webhdfs would provide a message "Path does not exist on 
HDFS or WebHDFS is disabled...." when going to the Utilities -> Browse the file 
system in the namenode UI regardless of file permissions in hdfs.  Now in 
hadoop 3 any user can download files from hdfs using the same utility, even 
with OAuth2 enabled.  While the default value of dfs.permissions.umask-mode is 
022, this means that any unauthenticated user can download files from hdfs.  Can 
there be a new property that can be set to stop the ability of browsing the 
file system from the namenode UI?  Disabling webhdfs used to do this on the 
dfshealth.html in hadoop 2, but hadoop 3 explorer.html still allows anonymous 
access regardless of OAuth2 settings.  This is what I'm wishing for.

> Bring back ability to totally disable webhdfs by bringing dfs.webhdfs.enabled 
> property back into the hdfs-site.xml
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: HDFS-14570
>                 URL: https://issues.apache.org/jira/browse/HDFS-14570
>             Project: Hadoop HDFS
>          Issue Type: Wish
>          Components: webhdfs
>    Affects Versions: 3.0.0, 3.1.0, 3.0.1, 3.0.2, 3.2.0, 3.1.1, 3.0.3, 3.1.2
>            Reporter: Scott A. Wehner
>            Priority: Major
>              Labels: webhdfs
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> We don't want to enable security for viewing namenode http page, but we don't 
> want people to be able to modify the contents of hdfs through anonymous 
> access to the namenode page.  In Hadoop 3 we lost the ability to totally 
> disable webhdfs.  Want to bring this back, doesn't seem too hard to do, but 
> makes it important in our environment.


