[ https://issues.apache.org/jira/browse/HBASE-21090?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Duo Zhang updated HBASE-21090:
------------------------------
Fix Version/s: 4.0.0-alpha-1
(was: 3.0.0-beta-2)
> Default WebUI to read-only when cluster has kerberos authn but no webUI authn
> -----------------------------------------------------------------------------
>
> Key: HBASE-21090
> URL: https://issues.apache.org/jira/browse/HBASE-21090
> Project: HBase
> Issue Type: Improvement
> Components: UI
> Reporter: Josh Elser
> Assignee: Artem Ervits
> Priority: Minor
> Fix For: 4.0.0-alpha-1
>
>
> Was chatting with Artem about this. I think we can do a little bit better for
> default "security-related" configurations.
> We have the {{hbase.master.ui.readonly}} configuration property, which removes some
> options from the web UI that might change the state of the cluster (e.g.
> region distribution, snapshots). We default this to be {{false}} in all cases
> now.
> I suggest that when {{hbase.security.authentication}}=kerberos but
> {{hbase.security.authentication.ui}}=null (undefined), we default
> {{hbase.master.ui.readonly=true}}. This would force users to opt-in to a
> scenario that may let an unauthenticated user manipulate the system (instead
> of opt-out).
> Artem also mentioned he thinks he could implement this, so assigning to him.
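The default proposed in the issue above, written as a configuration audit. This is an added example, not HBase code or part of the original message. The function names and the sample fragment are constructed, and the rule that an explicit `hbase.master.ui.readonly` always wins is an assumption drawn from the issue's opt-in wording.

```python
import xml.etree.ElementTree as ET

RPC_AUTH = "hbase.security.authentication"
UI_AUTH = "hbase.security.authentication.ui"
UI_READONLY = "hbase.master.ui.readonly"

# Constructed hbase-site.xml fragment: Kerberos on, UI authn and readonly unset.
SAMPLE = """<configuration>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
</configuration>"""

def load_site(xml_text):
    """Parse Hadoop-style <configuration> XML into a name -> value dict."""
    conf = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            conf[name] = (prop.findtext("value") or "").strip()
    return conf

def proposed_readonly(conf):
    """Effective read-only flag under the default proposed in the issue."""
    explicit = conf.get(UI_READONLY)
    if explicit:  # assumption: an explicit setting is the operator's choice
        return explicit.lower() == "true"
    kerberos = conf.get(RPC_AUTH, "").lower() == "kerberos"
    return kerberos and not conf.get(UI_AUTH)

def audit(conf):
    """Return a finding when the web UI is writable without UI authn, else None."""
    kerberos = conf.get(RPC_AUTH, "").lower() == "kerberos"
    if not kerberos or conf.get(UI_AUTH):
        return None  # not the combination the issue is about
    explicit = conf.get(UI_READONLY)
    if not explicit:
        return "unset: writable today (default false), read-only under the proposal"
    if explicit.lower() != "true":
        return "explicitly writable: operator has opted in to an unauthenticated UI"
    return None

if __name__ == "__main__":
    conf = load_site(SAMPLE)
    print(proposed_readonly(conf), "|", audit(conf))
```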