hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Larry McCay (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-9711) Integrate CSRF prevention filter in WebHDFS.
Date Wed, 10 Feb 2016 01:50:18 GMT

    [ https://issues.apache.org/jira/browse/HDFS-9711?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15140195#comment-15140195

Larry McCay commented on HDFS-9711:

Hi [~cnauroth] - Looks great! 
The effort to add a filter for webhdfs is greater than I anticipated.

a couple quick things:

* I like the refactoring for an isRequestAllowed method on the filter - I actually meant to
go back and do that earlier
* I notice that you have to return your own error message in the channelRead0 method of RestCsrfPreventionFilterHandler.
Perhaps, we should provide a constant for that in the filter too. As it stands now, the message
you return is slightly different and a bit more ambiguous then what is returned by the filter
itself (which is why I changed it).
* I'd also like to understand why the typical filter processing isn't being used in this code
path. Not because I think it should but I'd like to understand the usecase here.

> Integrate CSRF prevention filter in WebHDFS.
> --------------------------------------------
>                 Key: HDFS-9711
>                 URL: https://issues.apache.org/jira/browse/HDFS-9711
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: datanode, namenode, webhdfs
>            Reporter: Chris Nauroth
>            Assignee: Chris Nauroth
>         Attachments: HDFS-9711.001.patch, HDFS-9711.002.patch, HDFS-9711.003.patch
> HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard against cross-site
request forgery attacks.  This issue tracks integration of that filter in WebHDFS.

This message was sent by Atlassian JIRA

View raw message