Security should definitely be in our minds big time. We think we need to add secure cookies to akka very soon (makes akka connections encrypted) and use encryption on the netty as well.
To that end, we should not introduce more loopholes now. We can add an upload/execute section to the dashboard, but it would need to be activated / deactivated by a flag in the cluster, so secure installations can suppress this functionality. I suggest to have it activated by default in standalone mode / YARN session mode, and deactivated by default in the YARN-per-job mode.

On Thu, Nov 5, 2015 at 11:46 AM, Robert Metzger <rmetz...@apache.org> wrote:

> I agree with Max, but still, it's extremely convenient (and much easier than
> crafting akka messages) to have a web interface which accepts jar files and
> executes the main method ;)
>
> On Thu, Nov 5, 2015 at 11:42 AM, Maximilian Michels <m...@apache.org> wrote:
>
> > +1 The web client needs to go.
> >
> > I don't really see how a submission page on the job manager would make
> > security worse. At the moment, anyone who sends an Akka message to the job
> > manager, can execute arbitrary code.
> >
> > On Thu, Nov 5, 2015 at 11:16 AM, Flavio Pompermaier <pomperma...@okkam.it> wrote:
> >
> > > +1 to remove the old web client in favor of an improved dashboard (not so
> > > urgent however)
> > >
> > > On Thu, Nov 5, 2015 at 11:11 AM, Robert Metzger <rmetz...@apache.org> wrote:
> > >
> > > > Hi,
> > > > I personally like the idea of allowing users to submit a job from the web
> > > > interface a lot. In particular for users new to the system, it's a very
> > > > convenient feature.
> > > > We would also get rid of this ugly, old web client :)
> > > >
> > > > Regarding security: We can always add a configuration parameter which
> > > > allows users to disable the feature.
> > > >
> > > > Please share the screenshot with us :)
> > > >
> > > > On Thu, Nov 5, 2015 at 10:08 AM, Sachin Goel <sachingoel0...@gmail.com> wrote:
> > > >
> > > > > The current authentication mechanism is via htaccess, in the webclient.
> > > > > The dashboard however isn't secured at all.
> > > > >
> > > > > -- Sachin Goel
> > > > > Computer Science, IIT Delhi
> > > > > m. +91-9871457685
> > > > >
> > > > > On Thu, Nov 5, 2015 at 2:33 PM, Aljoscha Krettek <aljos...@apache.org> wrote:
> > > > >
> > > > > > The reason why we didn't want to have it in the JobManager interface by
> > > > > > default is that it could be a security concern. I also see, however, that
> > > > > > security in general is not very strong right now.
> > > > > >
> > > > > > > On 05 Nov 2015, at 09:58, Matthias J. Sax <mj...@apache.org> wrote:
> > > > > > >
> > > > > > > I like the idea in general! Not sure if integrating it into JobManager
> > > > > > > Webinterface is good or not... What would be the pros/cons for
> > > > > > > standalone vs. integrated?
> > > > > > >
> > > > > > > -Matthias
> > > > > > >
> > > > > > > On 11/05/2015 05:23 AM, Sachin Goel wrote:
> > > > > > >> Hi all
> > > > > > >> Are there any plans to upgrade the webclient interface? It could certainly
> > > > > > >> use an upgrade compared to the much better dashboard.
> > > > > > >> If so, is integrating them into one the best way to go? We can have a tab
> > > > > > >> under Job Manager on the dashboard.
> > > > > > >>
> > > > > > >> I can share screenshots of the UI I designed last night, if it's not a
> > > > > > >> terrible idea to do this. :')
> > > > > > >>
> > > > > > >> Cheers!
> > > > > > >> Sachin