hadoop-common-issues mailing list archives

From "Haohui Mai (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-11308) Enable JMX to directly output JSON objects instead JSON strings
Date Mon, 23 Feb 2015 22:39:12 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-11308?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14334014#comment-14334014 ]

Haohui Mai commented on HADOOP-11308:
-------------------------------------

The problem with allowing JSON strings to be output directly is that it might lead to a potential
cross site scripting (CSS) vulnerability. Without this patch the JSON library and the APIs can guarantee
the JMX output is always well-formed. With this patch it is much harder to maintain this guarantee.
We have had multiple issues with CSS in the past (e.g., HADOOP-6151, HADOOP-6441, a couple of CSS in
the HDFS old UI).

My concern is that giving away the security defenses of CSS seems to outweigh the benefits of
the patch. A safer approach might be providing a Jackson instance to generate the JSON --
that way the Jackson library can ensure that the JSON output is always well-formed.

bq. Do you mean the consumer of the JMX output ? They will get the output specified in https://issues.apache.org/jira/browse/HDFS-7390?focusedCommentId=14211474&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14211474

The JMX information can also be consumed by JConsole. I don't know how this patch can affect
this JConsole output and whether it breaks compatibility. See http://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html


> Enable JMX to directly output JSON objects instead JSON strings
> ---------------------------------------------------------------
>
>                 Key: HADOOP-11308
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11308
>             Project: Hadoop Common
>          Issue Type: Improvement
>    Affects Versions: 2.5.1
>            Reporter: Benoy Antony
>            Assignee: Benoy Antony
>         Attachments: HADOOP-11308.patch, HADOOP-11308.patch
>
>
> Currently many JMX beans provide Json content as strings.
> JMXJsonServlet outputs these as Json Strings.  This also results in losing the original Json object structure.
> An example is given below:
> {code}
>   "TieredStorageStats" : "{\"ARCHIVE\":{\"capacityTotal\":1498254102528,\"capacityUsed\":12288,\"capacityRemaining\":980102602752,\"blockPoolUsed\":12288,\"nodesInService\":3,\"numBlocks\":0}...
> {code}
> {code}
>   "TieredStorageStats" : {"ARCHIVE":{"capacityTotal":1498254102528,"capacityUsed":12288,"capacityRemaining":980102602752,"blockPoolUsed":12288,"nodesInService":3,"numBlocks":0}...
> {code}
> In the former output {{TieredStorageStats}} maps to a JSON string while in the latter one it maps to a JSON object.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
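
The trade-off raised in the comment above, as an added example that is not part of the original message or of the HADOOP-11308 patch: a bean-supplied string spliced into the response verbatim, next to the same string parsed and re-serialized by Jackson with a fallback to an escaped JSON string. It assumes Jackson 2.9 or later (`com.fasterxml.jackson`) on the classpath; the class name, method names and sample values are constructed for illustration.

```java
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.io.StringWriter;

public class JmxJsonValueDemo {
    // Reject input such as "{...} extra" instead of silently ignoring the tail.
    private static final ObjectMapper MAPPER =
        new ObjectMapper().enable(DeserializationFeature.FAIL_ON_TRAILING_TOKENS);
    /** Returns the parsed tree only when the text is one complete JSON object or array. */
    static JsonNode parseContainer(String text) {
        try {
            JsonNode node = MAPPER.readTree(text);
            return (node != null && node.isContainerNode()) ? node : null;
        } catch (IOException e) {
            return null; // malformed or trailing content
        }
    }
    /** Writes {"name": value}; raw=true splices the bean text in verbatim. */
    static String render(String name, String beanValue, boolean raw) throws IOException {
        StringWriter out = new StringWriter();
        try (JsonGenerator jg = MAPPER.getFactory().createGenerator(out)) {
            jg.writeStartObject();
            jg.writeFieldName(name);
            JsonNode node = raw ? null : parseContainer(beanValue);
            if (raw) {
                jg.writeRawValue(beanValue);   // no validation of the bean text
            } else if (node != null) {
                jg.writeTree(node);            // re-serialized by Jackson
            } else {
                jg.writeString(beanValue);     // fall back to an escaped JSON string
            }
            jg.writeEndObject();
        }
        return out.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values, modelled on the TieredStorageStats example.
        String good = "{\"ARCHIVE\":{\"capacityTotal\":1498254102528,\"numBlocks\":0}}";
        String bad = good + " <b>not json</b>";
        for (String v : new String[] {good, bad}) {
            System.out.println("raw:    " + render("TieredStorageStats", v, true));
            System.out.println("parsed: " + render("TieredStorageStats", v, false));
        }
    }
}
```

For the second sample the raw path emits a response that is no longer valid JSON and carries the markup through unescaped, while the parsed path degrades to the existing behaviour of a quoted JSON string.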
