HDFS >> mail # dev >> Replacing the JSP web UIs to HTML 5 applications
Re: Replacing the JSP web UIs to HTML 5 applications
Echo my comments on HDFS-5402:

bq. If we're going to remove the old web UI, I think the new web UI has
to have the same level of unit testing. We shouldn't go backwards in
terms of unit testing.

I took a look at TestNamenodeJspHelper / TestDatanodeJspHelper /
TestClusterJspHelper. It seems to me that we can merge these tests with the
unit tests on JMX.

bq. If we are going to
remove this capability, we need to add some other command-line tools
to get the same functionality. These tools could use REST if we have
that, or JMX, but they need to exist before we can consider removing
the old UI.

This is a good point. Since all information is available through JMX, the
easiest way to approach it is to write some scripts using Node.js. The
architecture of the new Web UIs is ready for this.

On Mon, Oct 28, 2013 at 3:57 PM, Alejandro Abdelnur <[EMAIL PROTECTED]> wrote:

> Producing JSON would be great. Agree with Colin that we should leave for
> now the current JSP based web ui.
>
> thx
>
>
> On Mon, Oct 28, 2013 at 11:16 AM, Colin McCabe <[EMAIL PROTECTED]> wrote:
>
> > This is a really interesting project, Haohui.  I think it will make
> > our web UI much nicer.
> >
> > I have a few concerns about removing the old web UI, however:
> >
> > * If we're going to remove the old web UI, I think the new web UI has
> > to have the same level of unit testing.  We shouldn't go backwards in
> > terms of unit testing.
> >
> > * Most of the deployments of elinks and links out there don't support
> > Javascript.  This is just a reality of life when using CentOS 5 or 6,
> > which many users are still using.  I have used "links" to diagnose
> > problems through the web UI in the past, in systems where access to
> > the cluster was available only through telnet.  If we are going to
> > remove this capability, we need to add some other command-line tools
> > to get the same functionality.  These tools could use REST if we have
> > that, or JMX, but they need to exist before we can consider removing
> > the old UI.
> >
> > best,
> > Colin
> >
> > On Fri, Oct 25, 2013 at 7:31 PM, Haohui Mai <[EMAIL PROTECTED]> wrote:
> > > Thanks for the reply, Luke. Here I just echo my response from the jira:
> > >
> > > bq. this client-side js only approach, which is less secure than a
> > > progressively enhanced hybrid approach used by YARN. The recent gmail
> > > XSS fiasco highlights the issue.
> > >
> > > I'm presenting an informal security analysis to compare the security of
> > > the old and the new web UIs.
> > >
> > > An attacker launches an XSS attack by injecting malicious code, which is
> > > usually HTML or JavaScript fragments, into the web page, so that the
> > > malicious code can have the same privileges as the web page.
> > >
> > > First, in the scope of XSS attacks, note that the threat model of
> > > launching XSS attacks on Internet sites like Gmail/LinkedIn and that of
> > > the Hadoop UIs are different. They have fundamentally different sets of
> > > external inputs that the attackers have control over. Internet sites have
> > > little control of these inputs. In the case of Gmail / LinkedIn, an
> > > attacker can send you a crafted e-mail, or put a malicious description in
> > > his / her LinkedIn profile. The sets of external inputs are *restricted*
> > > in Hadoop UIs. The new web UIs take JMX and WebHDFS as inputs. The
> > > attacker has to launch an XSS attack by:
> > >
> > > * Compromise the jars so that the output of JMX / WebHDFS contains the
> > > malicious code.
> > > * Replace the web UIs completely to include the malicious code.
> > >
> > > In either case *the attacker has to compromise the hadoop core or the
> > > namenode*. That means the new web UIs are at least as secure as the
> > > hadoop core, and the namenode machine.
> > >
> > > Second, I argue that using client-side templates is more secure than
> > > the current JSP-based server-side templates. To defend against XSS
> > > attacks, both techniques have to filter the external inputs at *every*