Echoing my comments on HDFS-3555: I have concerns with this client-side JS-only approach, which is less secure than a progressively enhanced hybrid approach used by YARN. The recent Gmail XSS fiasco highlights the issue. I also have concerns that we commit these changes without matching unit tests – the fact you cannot effectively unit test these changes should tell you something about this approach.
*Requiring* JS means that an admin cannot turn off JS to (partially) use core Hadoop UI. You'd *require* proper SSL (not self-signed) setup to avoid JS injection, even if security of JS libraries used is perfect, which I doubt (search Gmail/LinkedIn XSS). Client-side rendering completely breaks the workflows for ops who rely on text-based terminal/emacs/vim browsers (no JS support) to monitor component UI. IMO, JS-only rendering belongs to social networking sites and/or SaaS front-ends, where full-time UI/security specialists babysit UI changes. I think eventually most users will use a self-servicing UI in a SaaS front-end that uses REST/JMX API to get data from back-end components, besides their own app master/service UI. The priority/requirements for UI in core Hadoop should be security and correctness, which client-side templating cannot address properly so far.

On Tue, Oct 22, 2013 at 3:59 PM, Haohui Mai <h...@hortonworks.com> wrote:

> Hi all,
>
> Jing Zhao and I recently have reimplemented the JSP-based web UIs in HTML 5
> applications (HDFS-5333). Based on our preliminary testing results we
> believe that the new web UIs of the namenodes and the datanode are ready
> for everyday use.
>
> You're more than welcome to try it out on trunk by visiting
> http://<namenode>/dfshealth.html
>
> There are a number of benefits from this transition. From a developer's
> perspective, the most notable one is *maintainability*:
>
> (1) The abstractions between the UI and the core server are well-defined,
> decoupling the UI and the core Hadoop servers.
>
> (2) It allows us to deprecate the logic in the JSP pages. The old web UIs
> have to duplicate the logic in the JSPs. The logic is often out of date
> and not well-tested, which leads to broken pages and security
> vulnerabilities (e.g. HDFS-5251, HDFS-5307, HDFS-5308, HDFS-5317 and
> HDFS-4901). The architecture of the new UIs prevents these bugs at the very
> beginning.
>
> I propose that we deprecate the old, JSP-based web UIs in 2.3. I opened
> HDFS-5402 to track the relevant discussions.
>
> Your feedback is highly appreciated.
>
> Sincerely,
>
> Haohui