[
https://issues.apache.org/jira/browse/MAPREDUCE-3231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13136009#comment-13136009
]
Robert Joseph Evans commented on MAPREDUCE-3231:
------------------------------------------------
{quote}
users should be able to use their favorite language/framework for their AM UI,
especially when porting from existing apps
{quote}
That is a good point. Porting a UI from existing applications would add in extra
overhead. But does Open MPI have an existing GUI? Does Giraph or Pig or most
of the other applications that are in the process of being ported have an
existing GUI? About the only one that I can think of is Twitter Storm, and
there has been no progress on that in quite a while, so I don't think it is
that big of a deal.
{quote}
Handling of raw HTML/CSS/JS is well studied by many in the industry (Caja,
OWASP and ModSecurity etc.)
{quote}
[Didn't you say that you don't trust
Caja|https://issues.apache.org/jira/browse/MAPREDUCE-2858?focusedCommentId=13128712&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13128712].
Why then didn't we go with a different library?
{quote}
Inventing a new security scheme is almost always a bad idea, even for security
experts. Having a trusted front-end with a special interpreter for your special
scheme is a recipe for disaster.
{quote}
So Wiki/Twiki are a bad idea? Because aren't they a trusted front-end with a
special interpreter for a special scheme? Yes, it is not all about security,
but that is part of it, because I would never go to Wikipedia if I thought I
could easily get a virus from it.
{quote}
Writing a secure and trusted webapp is hard even for experts. People are still
finding security bugs in Facebook and Google years after they were created.
{quote}
Exactly, so why do I want to let a user run code with security errors in it and
remove the possibility for me, as the administrator of a cluster, to fix those
errors in a timely manner? If you look at Pig with Oozie, Oozie requires that
the Pig jars be placed in HDFS in a special directory so that they can be part
of the distributed cache for Oozie to run. Anyway, from what I have seen in
the real world, people don't think too much about the version of Pig
that they put out there until there is a problem that makes their code not run.
I have seen very, very old versions of Pig that are no longer supported being
run because there is no motivation to fix it.
> Improve Application Master And Job History UI Security
> ------------------------------------------------------
>
> Key: MAPREDUCE-3231
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-3231
> Project: Hadoop Map/Reduce
> Issue Type: Improvement
> Components: mrv2
> Affects Versions: 0.23.0
> Reporter: Robert Joseph Evans
> Assignee: Robert Joseph Evans
> Attachments: AMWebSecurityProposal.pdf
>
>
> I propose a stripped down JSON based protocol for creating safe user-generated
> web pages. This JIRA is intended first of all as a place for a discussion
> about this proposal, and then if there are no serious objections this will be
> an Umbrella JIRA to implement the changes proposed.
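The thread argues about two designs: letting each Application Master serve raw HTML/CSS/JS, or having a trusted front-end render a stripped-down JSON page description. The sketch below is an added example, not code from this JIRA, from the attached proposal, or from Hadoop; the element vocabulary (page, heading, paragraph, table, link) and the field names are assumed for illustration. It shows the property the proposal is after: the untrusted AM never produces markup, the trusted renderer is the only thing that emits tags, every text node is escaped, and anything outside the scheme (an unknown element, a non-http link target) is rejected rather than passed through.

```python
"""Trusted front-end renderer for a restricted JSON page description.

Added example (not part of MAPREDUCE-3231 or Hadoop). The element kinds and
field names are assumed for illustration. The JSON carries no markup at all;
this renderer alone decides which tags and attributes reach the browser.
"""
import json
from html import escape
from urllib.parse import urlsplit

# The only element kinds the (assumed) scheme knows; anything else is rejected.
ALLOWED_TYPES = {"page", "heading", "paragraph", "table", "link"}
# Link targets may be relative paths or http(s) URLs, nothing else.
ALLOWED_SCHEMES = {"", "http", "https"}


class PageError(ValueError):
    """Raised for any element or value the scheme does not permit."""


def _safe_href(href):
    """Reject non-http(s) targets, then attribute-escape the remainder."""
    if not isinstance(href, str):
        raise PageError("href must be a string")
    scheme = urlsplit(href).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise PageError("disallowed URL scheme: %r" % scheme)
    return escape(href, quote=True)


def _text(node, key="text"):
    """Fetch a string field and escape it; text can never become markup."""
    value = node.get(key, "")
    if not isinstance(value, str):
        raise PageError("%s must be a string" % key)
    return escape(value, quote=True)


def render(node):
    """Return HTML for one node; 'page' recurses into its children."""
    if not isinstance(node, dict) or node.get("type") not in ALLOWED_TYPES:
        raise PageError("unknown element: %r" % (node,))
    kind = node["type"]
    if kind == "page":
        body = "".join(render(child) for child in node.get("children", []))
        return "<html><head><title>%s</title></head><body>%s</body></html>" % (
            _text(node, "title"), body)
    if kind == "heading":
        return "<h2>%s</h2>" % _text(node)
    if kind == "paragraph":
        return "<p>%s</p>" % _text(node)
    if kind == "link":
        return '<a href="%s">%s</a>' % (_safe_href(node.get("href")), _text(node))
    # table: rows is a list of lists; cells are plain values, never markup.
    out = []
    for row in node.get("rows", []):
        cells = "".join("<td>%s</td>" % escape(str(c), quote=True) for c in row)
        out.append("<tr>%s</tr>" % cells)
    return "<table>%s</table>" % "".join(out)


def render_json(document):
    """Parse the JSON text an untrusted AM sent and render it, failing closed."""
    return render(json.loads(document))


def try_render(node):
    """Render a node, or return None if the scheme rejects it."""
    try:
        return render(node)
    except PageError:
        return None


# Constructed sample: what a hostile or buggy AM might send.
SAMPLE = json.dumps({
    "type": "page",
    "title": "Job <script>alert(1)</script>",
    "children": [
        {"type": "heading", "text": "Tasks"},
        {"type": "table",
         "rows": [["task", "state"], ["map_0", "<img src=x onerror=alert(1)>"]]},
        {"type": "link", "href": "/jobhistory", "text": "history"},
    ],
})

if __name__ == "__main__":
    print(render_json(SAMPLE))
```

The point of the design is that the renderer runs in the trusted web server, so a bug in it is fixed once by the cluster administrator, whereas raw HTML shipped by each AM can only be fixed by re-releasing every application that embeds it. Rejecting unknown elements (rather than skipping them) is deliberate: an element the scheme does not know is a protocol error, and failing closed keeps a future extension from being silently half-rendered.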
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira