hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Szilard Nemeth (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-15457) Add Security-Related HTTP Response Header in Yarn WEBUIs.
Date Fri, 11 May 2018 19:09:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-15457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16472496#comment-16472496

Szilard Nemeth commented on HADOOP-15457:

1. Sure, I see why you left the other introduced constants as package-private, to be able
to access them from the tests.
2. Yes, the httpHeaderRegex could be also private, I missed that. Oh I see you really have
something else with the same name (regex string). I think the cleanest would be to differentiate
them, maybe using the "pattern" prefix for the pattern static field.
I checked some other occurences in the code for some static Patterns, most of them are with
uppercase letters, so I would vote for that.


> Add Security-Related HTTP Response Header in Yarn WEBUIs.
> ---------------------------------------------------------
>                 Key: HADOOP-15457
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15457
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Kanwaljeet Sachdev
>            Assignee: Kanwaljeet Sachdev
>            Priority: Major
>              Labels: security
>         Attachments: HADOOP-15457.001.patch, YARN-8198.001.patch, YARN-8198.002.patch,
YARN-8198.003.patch, YARN-8198.004.patch, YARN-8198.005.patch
> As of today, YARN web-ui lacks certain security related http response headers. We are
planning to add few default ones and also add support for headers to be able to get added
via xml config. Planning to make the below two as default.
>  * X-XSS-Protection: 1; mode=block
>  * X-Content-Type-Options: nosniff
> Support for headers via config properties in core-site.xml will be along the below lines
> {code:java}
> <property>
>      <name>hadoop.http.header.Strict_Transport_Security</name>
>      <value>valHSTSFromXML</value>
>  </property>{code}
> A regex matcher will lift these properties and add into the response header when Jetty
prepares the response.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org

View raw message