Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.0.0
    • Component/s: monitor
    • Labels: None

      Description

      ShellServlet is an obscure older feature in Accumulo's monitor which provides a shell-like interface in the browser. I say shell-like, because it never quite behaved the same as in a real terminal.

      For security, this feature was never activated unless a user took the time to set up X.509 certificates for trust and ran the monitor over HTTPS.

      I think we should remove this feature in 2.0.0. Here are some of my reasons:

      1. The feature is relatively obscure, with no out-of-box presence in the monitor.
      2. The code is complex and difficult to maintain or migrate to the templating strategies currently being developed by Luis Tavarez for the rest of ACCUMULO-3005.
      3. It has limited utility (a real shell is better).
      4. Users have many options for browser-based terminal emulators, ssh-clients, and more.
      5. It does not support Kerberos and other kinds of authentication that a real shell offers.
      6. There are a fair number of security-related issues that can arise from this code, and it is probably not worth it to maintain over time, if it's not used frequently (protection against session-hijacking and CSRF token attacks, TLS/SSL downgrade attacks, and more). It's probably not worth exposing Accumulo user credentials to any browser.

            People

            • Assignee: Unassigned
            • Reporter: ctubbsii Christopher Tubbs