hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Varun Vasudev (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-4737) Use CSRF Filter in YARN
Date Wed, 02 Mar 2016 13:11:18 GMT

    [ https://issues.apache.org/jira/browse/YARN-4737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15175562#comment-15175562

Varun Vasudev commented on YARN-4737:

Thanks for the patch [~jmaron]. 

1) Can you please address the checkstyle, javadoc, and ASF license warnings in the pre-commit

2) Rename "yarn.resourcemanager.rest-csrf.*" to "yarn.resourcemanager.webapp.rest-csrf.*".
Similar changes for nodemanager and JHS as well. I also noticed that you haven't added CSRF
protection for the ATS. Is that going to be done in a follow up patch?

3) Currently the CSRF protection is enabled by
+        if (hasSpnegoConf && hasCSRFEnabled(params)) {
+          String restCsrfClassName = RestCsrfPreventionFilter.class.getName();
+          HttpServer2.defineFilter(server.getWebAppContext(), restCsrfClassName,
+                                   restCsrfClassName, params, new String[] {"/*"});
+        }
which means that users with custom web auth cannot use the filter. Can we remove the hasSpnegoConf

> Use CSRF Filter in YARN
> -----------------------
>                 Key: YARN-4737
>                 URL: https://issues.apache.org/jira/browse/YARN-4737
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager, resourcemanager, webapp
>            Reporter: Jonathan Maron
>            Assignee: Jonathan Maron
>         Attachments: YARN-4737.001.patch
> A CSRF filter was added to hadoop common (https://issues.apache.org/jira/browse/HADOOP-12691).
 The aim of this JIRA is to come up with a mechanism to integrate this filter into the webapps
for which it is applicable (web apps that may establish an authenticated identity).  That
includes the RM, NM, and mapreduce jobhistory web app.

This message was sent by Atlassian JIRA

View raw message