hadoop-common-issues mailing list archives

From "Kanwaljeet Sachdev (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-15457) Add Security-Related HTTP Response Header in Yarn WEBUIs.
Date Fri, 11 May 2018 06:02:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-15457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16471515#comment-16471515 ]

Kanwaljeet Sachdev commented on HADOOP-15457:
---------------------------------------------

 1. Changed the component.
 2. Made it static.
 3. Removed the unused group.
 4. Changed it to matches.
 5. There is some historical context here where I found that HDFS-10579 added override options. The new mechanism, if leveraged to use overrides, might break upgrade in some scenarios. To minimize the impact, I moved the addition of the header for xFrame into the newly added code but decided to keep the params that come for this header the original way.
 6. Fixed it.

> Add Security-Related HTTP Response Header in Yarn WEBUIs.
> ---------------------------------------------------------
>
>                 Key: HADOOP-15457
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15457
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Kanwaljeet Sachdev
>            Priority: Major
>              Labels: security
>         Attachments: HADOOP-15457.001.patch, YARN-8198.001.patch, YARN-8198.002.patch, YARN-8198.003.patch, YARN-8198.004.patch, YARN-8198.005.patch
>
>
> As of today, YARN web-ui lacks certain security-related HTTP response headers. We are planning to add a few default ones and also add support for headers to be added via XML config. Planning to make the below two the defaults.
>  * X-XSS-Protection: 1; mode=block
>  * X-Content-Type-Options: nosniff
>  
> Support for headers via config properties in core-site.xml will be along the below lines
> {code:java}
> <property>
>      <name>hadoop.http.header.Strict_Transport_Security</name>
>      <value>valHSTSFromXML</value>
>  </property>{code}
>  
> A regex matcher will lift these properties and add them to the response header when Jetty prepares the response.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org
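
The mechanism described in the issue (two default headers plus headers lifted from `hadoop.http.header.*` properties by a regex matcher) can be sketched as follows. This is an added example, not code from the attached patches: the class and method names are hypothetical, and the key pattern, the underscore-to-hyphen mapping and the CR/LF check are assumptions of the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class HeaderConfigExample {
    // Assumed key pattern: the prefix shown in the issue followed by a header-name token.
    private static final Pattern HEADER_KEY =
        Pattern.compile("hadoop\\.http\\.header\\.([A-Za-z][A-Za-z0-9_-]*)");

    /** Returns the two default headers, then adds or overrides from matching config keys. */
    static Map<String, String> resolveHeaders(Map<String, String> conf) {
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("X-XSS-Protection", "1; mode=block");
        headers.put("X-Content-Type-Options", "nosniff");
        for (Map.Entry<String, String> e : conf.entrySet()) {
            // matches() requires the whole key to fit the pattern, so look-alike
            // keys such as "hadoop.http.headerX.Foo" are not picked up.
            Matcher m = HEADER_KEY.matcher(e.getKey());
            if (!m.matches()) {
                continue;
            }
            String value = e.getValue();
            // Refuse values that could split the response into extra header lines.
            if (value == null || value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
                throw new IllegalArgumentException("Bad header value for " + e.getKey());
            }
            // Assumption: underscores in the property name stand for hyphens in the header name.
            headers.put(m.group(1).replace('_', '-'), value.trim());
        }
        return headers;
    }

    public static void main(String[] args) {
        // Constructed sample properties, standing in for a parsed core-site.xml.
        Map<String, String> conf = new LinkedHashMap<>();
        conf.put("hadoop.http.header.Strict_Transport_Security", "valHSTSFromXML");
        conf.put("hadoop.http.header.X_XSS_Protection", "0"); // replaces the default value
        conf.put("hadoop.http.headerX.Ignored", "x");         // not a full match, skipped
        conf.put("fs.defaultFS", "hdfs://example.invalid:8020");
        resolveHeaders(conf).forEach((k, v) -> System.out.println(k + ": " + v));
    }
}
```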

