HDFS, mail # dev - Replacing the JSP web UIs to HTML 5 applications


Re: Replacing the JSP web UIs to HTML 5 applications
Colin McCabe 2013-11-01, 17:56
Right now, if you do a search on Google for dfshealth.jsp, you will
find many unsecured NameNode web UIs which were accidentally exposed
to the internet.  If the UIs were client-side, accessing these pages
would not work, since the client-side JavaScript would fail to make
the JMX access.  Nearly all firewalls block JMX.  So in that sense,
the new UI is more secure, not less.

My understanding is that most cross-site scripting vulnerabilities
arise when the server uses data from the client in page display
without properly escaping it.  According to wikipedia, a persistent
XSS vulnerability arises "when the data provided by the attacker is
saved by the server, and then permanently displayed on 'normal' pages
returned to other users in the course of regular browsing, without
proper HTML escaping."  Nobody has proposed doing this on the
NameNode.

It seems to me that we are already exposed to any theoretical JMX
security vulnerabilities, since we support JMX.  The client-side UI
just adds a convenient way of calling into the pre-existing hooks.

My big concern, like I said earlier, is that we have reasonable
command-line tools.  I think this is a solvable problem.  Running
links in a terminal is not exactly the gold standard of command-line
excellence.  It would be a shame to block progress just to support
that.

Colin
On Wed, Oct 30, 2013 at 12:34 AM, Luke Lu <[EMAIL PROTECTED]> wrote:
> I don't think that we have reached a consensus that the new JavaScript-only
> UI is the right direction to go. Most people considered it "interesting". I
> personally think it's inappropriate for the core Hadoop UI, as it increases the
> attack surface of the UI and takes away existing mitigation options from
> users unnecessarily. See my latest comments on HDFS-5333 for "concrete"
> examples.
>
> __Luke
>
>
> On Tue, Oct 29, 2013 at 11:28 AM, Haohui Mai <[EMAIL PROTECTED]> wrote:
>
>> I would like to summarize the discussions so far. It seems that we have
>> reached consensus on two points:
>>
>> 1. The new JavaScript-based UI is the right direction to go.
>> 2. For now we should keep the old JSP pages around for compatibility
>> reasons.
>>
>> There are some debates on the usage of the JMX / JSON APIs, but this is
>> orthogonal to switching the UI, so I consider it a technical detail.
>> We can continue the discussion in the public JIRA.
>>
>> The new UI has already landed in trunk; based on the consensus it seems
>> that we can switch the default UI to the new one shortly. Users can
>> still access the old web UI using the same URLs.
>>
>> The only question remaining is who is going to maintain the old web UI.
>> My answer is that we should leave them deprecated and focus the effort
>> on the new web UI.
>>
>> Thanks,
>> Haohui
>>
>>
>>
>> On Tue, Oct 29, 2013 at 5:22 AM, Zheng, Kai <[EMAIL PROTECTED]> wrote:
>>
>> > > having /JMX for monitoring integration and a /JSON end point for the UI
>> > IMHO, this makes sense, especially for the long term. The JMX interface
>> > serves as a management console from the admin perspective, while the web UI
>> > serves as the end-user interface. Both might share the same functionality
>> > code, but that does not mean we should couple them together.
>> >
>> > Thanks & regards,
>> > Kai
>> >
>> > -----Original Message-----
>> > From: Alejandro Abdelnur [mailto:[EMAIL PROTECTED]]
>> > Sent: Tuesday, October 29, 2013 8:14 AM
>> > To: [EMAIL PROTECTED]
>> > Subject: Re: Replacing the JSP web UIs to HTML 5 applications
>> >
>> > Isn't using JMX to expose JSON for the web UI misusing JMX?
>> >
>> > I would think a more appropriate approach would be having /JMX for
>> > monitoring integration and a /JSON end point for the UI data.
>> >
>> > Thanks.
>> >
>> >
>> > On Mon, Oct 28, 2013 at 4:58 PM, Haohui Mai <[EMAIL PROTECTED]>
>> wrote:
>> >
>> > > Alejandro,
>> > >
>> > > If I understand correctly, that is the exact approach that the new web
>> > > UI is taking. The new web UI takes the output from JMX and renders
>> > > it as HTML at the client side.