Josh Elser created HBASE-21090:
----------------------------------

Summary: Default WebUI to read-only when cluster has kerberos authn but no webUI authn
Key: HBASE-21090
URL: https://issues.apache.org/jira/browse/HBASE-21090
Project: HBase
Issue Type: Improvement
Components: UI
Reporter: Josh Elser
Assignee: Artem Ervits
Fix For: 3.0.0

Was chatting with Artem about this. I think we can do a little bit better for default "security-related" configurations.

We have the {{hbase.master.ui.readonly}} configuration property, which removes some options from the web UI that might change the state of the cluster (e.g. region distribution, snapshots). We default this to be {{false}} in all cases now.

I suggest that when {{hbase.security.authentication}}=kerberos but {{hbase.security.authentication.ui}}=null (undefined), we default {{hbase.master.ui.readonly=true}}. This would force users to opt-in to a scenario that may let an unauthenticated user manipulate the system (instead of opt-out).

Artem also mentioned he thinks he could implement this, so assigning to him.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
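
An added example, not part of the original message and not HBase code: a Python check over an hbase-site.xml that resolves the read-only value under the default suggested above and flags clusters that currently expose a writable, unauthenticated web UI. The helper names and sample XML are constructed for illustration; it assumes the stock default of `simple` for `hbase.security.authentication` and treats only the literal `true` as true.

```python
import xml.etree.ElementTree as ET

RPC_AUTH = "hbase.security.authentication"
UI_AUTH = "hbase.security.authentication.ui"
READONLY = "hbase.master.ui.readonly"

# Constructed sample: Kerberos for RPC, nothing set for the web UI.
KERBEROS_ONLY = f"""<configuration>
  <property><name>{RPC_AUTH}</name><value>kerberos</value></property>
</configuration>"""
# Constructed sample: same cluster, operator explicitly opts in to a writable UI.
OPT_IN = f"""<configuration>
  <property><name>{RPC_AUTH}</name><value>kerberos</value></property>
  <property><name>{READONLY}</name><value>false</value></property>
</configuration>"""

def load_site(xml_text):
    """Parse Hadoop-style <configuration><property> XML into a dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def kerberos_without_ui_authn(props):
    """True when RPC uses Kerberos but no UI authentication is defined."""
    return props.get(RPC_AUTH, "simple").lower() == "kerberos" and not props.get(UI_AUTH)

def effective_readonly(props):
    """Return (readonly, reason) with the default suggested in the issue."""
    explicit = props.get(READONLY, "")
    if explicit:  # an explicit setting always wins, so opting in stays possible
        return explicit.lower() == "true", "explicit"
    if kerberos_without_ui_authn(props):
        return True, "suggested default"
    return False, "current default"

def audit(props):
    """Flag a config whose UI is writable without authn under today's default."""
    if not kerberos_without_ui_authn(props):
        return None
    if props.get(READONLY, "").lower() == "true":
        return None
    how = "explicitly" if props.get(READONLY) else "by default"
    return f"{READONLY} is false {how}: UI actions need no authentication"
```
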