[ 
https://issues.apache.org/jira/browse/HDFS-5333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13805457#comment-13805457
 ] 

Luke Lu commented on HDFS-5333:
-------------------------------

I have concerns with this client-side js only approach, which is less secure 
than a progressively enhanced hybrid approach used by YARN. The recent gmail 
XSS fiasco highlights the issue. I also have concerns that we commit these 
changes without matching unit tests -- the fact you cannot effectively unit 
test these changes should tell you something about this approach.

_Requiring_ JS means that an admin cannot turn off JS to (partially) use the core 
Hadoop UI. You'd _require_ a proper SSL (not self-signed) setup to avoid JS 
injection, even if security of the JS libraries used is perfect, which I doubt 
(search gmail/linkedin XSS). Client-side rendering completely breaks the 
workflows for ops who rely on text-based terminal/emacs/vim browsers (no JS 
support) to monitor component UI.

IMO, JS-only rendering belongs to social networking sites and/or SaaS 
front-ends. I think eventually most users will use a self-servicing UI in a 
SaaS front-end that uses REST/JMX API to get data from back-end components, 
besides their own app master/service UI. The priority/requirements for UI in 
core Hadoop should be security and correctness, which client side templating 
cannot address properly so far. 


> Improvement of current HDFS Web UI
> ----------------------------------
>
>                 Key: HDFS-5333
>                 URL: https://issues.apache.org/jira/browse/HDFS-5333
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>    Affects Versions: 3.0.0
>            Reporter: Jing Zhao
>            Assignee: Haohui Mai
>
> This is an umbrella jira for improving the current JSP-based HDFS Web UI. 



--
This message was sent by Atlassian JIRA
(v6.1#6144)
