[ https://issues.apache.org/jira/browse/HDFS-5661?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13848085#comment-13848085 ]

Jing Zhao commented on HDFS-5661:
---------------------------------

In AuthFilter#doFilter, we have the following code:
{code}
public void doFilter(ServletRequest request, ServletResponse response,
      FilterChain filterChain) throws IOException, ServletException {
    final HttpServletRequest httpRequest = toLowerCase((HttpServletRequest)request);
    final String tokenString = httpRequest.getParameter(DelegationParam.NAME);
    if (tokenString != null) {
      //Token is present in the url, therefore token will be used for
      //authentication, bypass kerberos authentication.
      filterChain.doFilter(httpRequest, response);
      return;
    }
    super.doFilter(httpRequest, response, filterChain);
  }
{code}

In DatanodeJspHelper#generateDirectoryStructure, we have 
{code}
    String tokenString = req.getParameter(JspHelper.DELEGATION_PARAMETER_NAME);
    UserGroupInformation ugi = JspHelper.getUGI(req, conf);
    .....
    DFSClient dfs = getDFSClient(ugi, nnAddr, conf);
{code}

So I think here the whole process is:
1. NN generates DT and puts the DT into the redirect URL
2. DN receives the redirect request, finds that there is DT in the request, thus the corresponding SPNEGO filter will bypass the auth check
3. DN uses the DT and files a getFileInfo RPC call to NN
4. DN shows the result to web ui

> Browsing FileSystem via web ui, should use datanode's hostname instead of ip 
> address
> ------------------------------------------------------------------------------------
>
>                 Key: HDFS-5661
>                 URL: https://issues.apache.org/jira/browse/HDFS-5661
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.2.0
>            Reporter: Benoy Antony
>            Assignee: Benoy Antony
>         Attachments: HDFS-5661.patch
>
>
> If authentication is enabled on the web ui, then a cookie is used to keep 
> track of the authentication information. There is normally a domain 
> associated with the cookie. Since ip address doesn't have any domain, the 
> cookie will not be sent by the browser while making http calls with ip 
> address as the destination server.
> This will break browsing the file system via web ui, if authentication is 
> enabled.
> Browsing FileSystem via web ui, should use datanode's hostname instead of ip 
> address.



--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
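
The four-step flow described in the comment, as a small stand-alone model added here for illustration; it is not Hadoop code and not from the JIRA thread. The class and method names, the HMAC token format and the key are constructed, and the literal `delegation` stands in for `DelegationParam.NAME`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Simplified model of the NN -> DN redirect flow; not Hadoop code.
public class DelegationTokenFlow {
  // Constructed master key; only the NameNode side of the model uses it.
  private static final byte[] NN_KEY = "constructed-nn-key".getBytes(StandardCharsets.UTF_8);

  // Step 1: NN issues a token ("user.signature") that goes into the redirect URL.
  static String nnIssueToken(String user) throws Exception {
    Mac mac = Mac.getInstance("HmacSHA256");
    mac.init(new SecretKeySpec(NN_KEY, "HmacSHA256"));
    byte[] sig = mac.doFinal(user.getBytes(StandardCharsets.UTF_8));
    return user + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(sig);
  }

  // Step 3, NN side: the RPC is served only if the token verifies.
  static String nnGetFileInfo(String token, String path) throws Exception {
    String user = token.substring(0, Math.max(token.lastIndexOf('.'), 0));
    byte[] expected = nnIssueToken(user).getBytes(StandardCharsets.UTF_8);
    if (!MessageDigest.isEqual(expected, token.getBytes(StandardCharsets.UTF_8)))
      throw new SecurityException("invalid token");
    return path + " listed as " + user;
  }

  // Step 2: like AuthFilter#doFilter, only the presence of the parameter is checked.
  static boolean filterPasses(Map<String, String> params, boolean spnegoAuthenticated) {
    return params.get("delegation") != null || spnegoAuthenticated;
  }

  // Steps 2-4 on the DN: filter first, then the NN call made with the caller's token.
  static String dnBrowse(Map<String, String> params, boolean spnegoAuthenticated) throws Exception {
    if (!filterPasses(params, spnegoAuthenticated)) return "401 from filter";
    String token = params.get("delegation");
    if (token == null) return "SPNEGO path (not modelled)";
    try { return "200 " + nnGetFileInfo(token, params.get("dir")); }
    catch (SecurityException e) { return "403 from NN: " + e.getMessage(); }
  }

  public static void main(String[] args) throws Exception {
    System.out.println(dnBrowse(Map.of("dir", "/user/alice", "delegation", nnIssueToken("alice")), false));
    System.out.println(dnBrowse(Map.of("dir", "/user/alice", "delegation", "alice.AAAA"), false));
    System.out.println(dnBrowse(Map.of("dir", "/user/alice"), false));
  }
}
```

In this model the second request clears the filter and is refused only by the NN-side check, so a handler placed behind such a filter is protected only if its NN call is made with the token from the request. `Map.of` needs Java 9 or later.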
