  1. HBase
  2. HBASE-21090

Default WebUI to read-only when cluster has kerberos authn but no webUI authn

Details

    • Improvement
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • None
    • 3.0.0-beta-2
    • UI
    • None
    • Incompatible change

    Description

      Was chatting with Artem about this. I think we can do a little bit better for default "security-related" configurations.

      We have the hbase.master.ui.readonly configuration property, which removes some options from the web UI that might change the state of the cluster (e.g. region distribution, snapshots). We default this to be false in all cases now.

      I suggest that when hbase.security.authentication=kerberos but hbase.security.authentication.ui=null (undefined), we default hbase.master.ui.readonly=true. This would force users to opt-in to a scenario that may let an unauthenticated user manipulate the system (instead of opt-out).

      Artem also mentioned he thinks he could implement this, so assigning to him.
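
      An added example, not code from HBase or from the issue's participants: a Python check that reads an hbase-site.xml and reports whether the combination described above is present, and what hbase.master.ui.readonly would resolve to under the proposed default. The function names and the sample XML are constructed for illustration; treating an empty value as unset is an assumption.

```python
import xml.etree.ElementTree as ET

# Property names are the ones named in the issue description.
AUTHN = "hbase.security.authentication"
UI_AUTHN = "hbase.security.authentication.ui"
UI_READONLY = "hbase.master.ui.readonly"

def load_site(xml_text):
    """Parse Hadoop-style <configuration><property> XML into a dict (last value wins)."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def effective_readonly(props):
    """Return (readonly, source) under the default proposed in this issue."""
    explicit = props.get(UI_READONLY)
    if explicit:  # the operator made a choice (opt-in or opt-out): honour it
        return explicit.lower() == "true", "explicit"
    kerberos = props.get(AUTHN, "").lower() == "kerberos"
    ui_authn_unset = not props.get(UI_AUTHN)  # assumption: empty counts as unset
    if kerberos and ui_authn_unset:
        return True, "proposed-default"
    return False, "current-default"

def audit(xml_text):
    """Flag a site file whose web UI can change cluster state without UI authn."""
    props = load_site(xml_text)
    readonly_today = props.get(UI_READONLY, "false").lower() == "true"
    kerberos = props.get(AUTHN, "").lower() == "kerberos"
    exposed = kerberos and not props.get(UI_AUTHN) and not readonly_today
    return {"exposed_today": exposed, "proposed": effective_readonly(props)}

# Constructed sample: Kerberos authn for the cluster, nothing set for the UI.
SAMPLE = """<configuration>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
</configuration>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

      An explicit hbase.master.ui.readonly=false on a Kerberos cluster still reports exposed_today as true, which is the opt-in case the description refers to.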

          People

            dbist13 Artem Ervits
            elserj Josh Elser
            Votes: 0
            Watchers: 3
