Description
ShellServlet is an obscure older feature in Accumulo's monitor which provides a shell-like interface in the browser. I say shell-like, because it never quite behaved the same as in a real terminal.
For security, this feature was never activated unless a user took the time to set up X.509 certificates for trust and ran the monitor over HTTPS.
I think we should remove this feature in 2.0.0. Here are some of my reasons:
- The feature is relatively obscure, with no out-of-box presence in the monitor.
- The code is complex and difficult to maintain or migrate to the templating strategies currently being developed by lstav for the rest of ACCUMULO-3005.
- It has limited utility (a real shell is better).
- Users have many options for browser-based terminal emulators, ssh-clients, and more.
- It does not support Kerberos and other kinds of authentication that a real shell offers.
- There are a fair number of security-related issues that can arise from this code, and it is probably not worth it to maintain over time if it's not used frequently (protection against session-hijacking and CSRF token attacks, TLS/SSL downgrade attacks, and more). It's probably not worth exposing Accumulo user credentials to any browser.