hadoop-yarn-issues mailing list archives

From "Varun Vasudev (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-4737) Use CSRF Filter in YARN
Date Thu, 03 Mar 2016 09:20:18 GMT

    [ https://issues.apache.org/jira/browse/YARN-4737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15177543#comment-15177543 ]

Varun Vasudev commented on YARN-4737:
-------------------------------------

Thanks for the updated patch Jon. Some more fixes required -

1) In WebApps.java -
{code}
+        Map<String, String> params = getCsrfConfigParameters();
+        if (hasCSRFEnabled(params)) {
+          LOG.info("CSRF Protection has been enabled for the {} application. "
+                  + "Please ensure that there is an authentication mechanism "
+                  + "enabled (kerberos, custom, etc).",
+              name);
+          String restCsrfClassName = RestCsrfPreventionFilter.class.getName();
+          HttpServer2.defineFilter(server.getWebAppContext(), restCsrfClassName,
+              restCsrfClassName, params,
+              new String[] {"/*"});
+        }
{code}
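Review bot: The LOG.info at the top of this hunk is the only thing standing between an operator and a CSRF filter installed on an unauthenticated web app; a CSRF check without an authenticated session protects nothing, so consider resolving the configured authentication filter or auth type at this point and logging at WARN (or refusing to install the filter) when none is present, instead of relying on an INFO line being read. A smaller point in the same hunk: `restCsrfClassName` is passed as both the filter name and the class name; a short fixed name (for example "restCsrf") would make the filter easier to reference from other defineFilter/addFilter calls and in log output.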
should be before
{code}
         HttpServer2.defineFilter(server.getWebAppContext(), "guice",
           GuiceFilter.class.getName(), null, new String[] { "/*" });
{code}

The guice filter redirects the request to the appropriate handler, and the request gets executed
before going through the CSRF filter.

2) The JHS configs in mapred-default.xml start with the prefix - mapreduce.jobhistory.webapp
but the prefix used in code is mapreduce.jobhistory (no webapp) - I think you need to create
a mapreduce.jobhistory.webapp prefix in the code.

3) In yarn-default.xml, all the timeline service configs have an extra "." in them after "yarn.timeline-service".
e.g. yarn.timeline-service..webapp.rest-csrf.methods-to-ignore

The failing tests and ASF warnings are unrelated to the patch.

> Use CSRF Filter in YARN
> -----------------------
>
>                 Key: YARN-4737
>                 URL: https://issues.apache.org/jira/browse/YARN-4737
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager, resourcemanager, webapp
>            Reporter: Jonathan Maron
>            Assignee: Jonathan Maron
>         Attachments: YARN-4737.001.patch, YARN-4737.002.patch
>
>
> A CSRF filter was added to hadoop common (https://issues.apache.org/jira/browse/HADOOP-12691).
> The aim of this JIRA is to come up with a mechanism to integrate this filter into the webapps
> for which it is applicable (web apps that may establish an authenticated identity). That
> includes the RM, NM, and mapreduce jobhistory web app.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
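The two failure modes discussed in the comment above, shown in a runnable model. This is an added example, not code from the YARN-4737 patch or from Hadoop: a toy servlet-style filter chain in which (a) a CSRF filter registered after the dispatching filter never runs, because the dispatcher serves a matched route without continuing the chain, and (b) a config prefix that does not match the XML key character for character (the missing ".webapp" of point 2, the stray ".." of point 3) silently leaves CSRF disabled. The CSRF filter imitates the documented defaults of Hadoop's RestCsrfPreventionFilter (header X-XSRF-HEADER, ignored methods GET,OPTIONS,HEAD,TRACE) but omits the browser user-agent check the real filter also performs; the ".rest-csrf." suffix, the kill-app route and the CONF map are constructed sample data.

```python
"""Added example (not Hadoop code): filter ordering and config-prefix
lookup for a REST CSRF filter, modelled on the YARN-4737 review points.
Header name and ignored methods follow RestCsrfPreventionFilter's
defaults; everything else is a constructed stand-in."""
from dataclasses import dataclass, field

CSRF_SUFFIX = ".rest-csrf."  # assumed layout: '<prefix>.rest-csrf.<param>'
KILL_PATH = "/ws/v1/cluster/apps/application_1/state"  # constructed route

# Constructed sample config reproducing points 2 and 3 of the review.
CONF = {
    "yarn.resourcemanager.webapp.rest-csrf.enabled": "true",
    "yarn.resourcemanager.webapp.rest-csrf.methods-to-ignore": "GET,OPTIONS,HEAD,TRACE",
    "mapreduce.jobhistory.webapp.rest-csrf.enabled": "true",    # XML prefix has .webapp
    "yarn.timeline-service..webapp.rest-csrf.enabled": "true",  # stray '.' as in the patch
}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int = 200
    body: str = ""
    handled_by: str = ""


def get_csrf_config_parameters(conf: dict, prefix: str) -> dict:
    """Return rest-csrf params under `prefix` with the prefix stripped.
    A prefix that does not match the key exactly yields an empty map."""
    full = prefix + CSRF_SUFFIX
    return {k[len(full):]: v for k, v in conf.items() if k.startswith(full)}


def has_csrf_enabled(params: dict) -> bool:
    return params.get("enabled", "false").lower() == "true"


class FilterChain:
    """Minimal javax.servlet.FilterChain: a filter must call proceed()
    for the next filter (or the 404 fallthrough) to run."""
    def __init__(self, filters):
        self.filters, self.pos = list(filters), 0

    def proceed(self, req: Request, resp: Response) -> None:
        if self.pos == len(self.filters):
            resp.status = 404  # no handler matched
            return
        flt = self.filters[self.pos]
        self.pos += 1
        flt.do_filter(req, resp, self)


class RestCsrfFilter:
    """Reject state-changing requests that lack the CSRF header."""
    def __init__(self, params: dict):
        self.header = params.get("custom-header", "X-XSRF-HEADER")
        ignore = params.get("methods-to-ignore", "GET,OPTIONS,HEAD,TRACE")
        self.ignore = {m.strip().upper() for m in ignore.split(",")}

    def do_filter(self, req, resp, chain):
        if req.method.upper() not in self.ignore and self.header not in req.headers:
            resp.status = 400
            resp.body = "Missing Required Header for CSRF Vulnerability Protection"
            return  # short-circuit: the handler never runs
        chain.proceed(req, resp)


class DispatchFilter:
    """Stand-in for GuiceFilter: a matched route is served here and the
    chain is NOT continued, so filters registered after it are skipped."""
    def __init__(self, routes: dict):
        self.routes = routes

    def do_filter(self, req, resp, chain):
        handler = self.routes.get(req.path)
        if handler is None:
            chain.proceed(req, resp)
            return
        handler(req, resp)


def kill_app(req: Request, resp: Response) -> None:
    resp.handled_by, resp.body = "kill_app", "KILLED"


def csrf_enabled_for(prefix: str) -> bool:
    return has_csrf_enabled(get_csrf_config_parameters(CONF, prefix))


def send_kill(csrf_first: bool, with_header: bool) -> Response:
    """PUT to the kill route, with or without X-XSRF-HEADER, through the
    chain in either registration order."""
    csrf = RestCsrfFilter(get_csrf_config_parameters(CONF, "yarn.resourcemanager.webapp"))
    guice = DispatchFilter({KILL_PATH: kill_app})
    chain = [csrf, guice] if csrf_first else [guice, csrf]
    headers = {"X-XSRF-HEADER": "1"} if with_header else {}
    resp = Response()
    FilterChain(chain).proceed(Request("PUT", KILL_PATH, headers), resp)
    return resp


if __name__ == "__main__":
    print("csrf after guice, no header :", send_kill(False, False))  # 200, kill_app
    print("csrf before guice, no header:", send_kill(True, False))   # 400, no handler
    for p in ("mapreduce.jobhistory", "mapreduce.jobhistory.webapp",
              "yarn.timeline-service.webapp"):
        print(p, "->", csrf_enabled_for(p))
```

The ordering result is the security-relevant one: with the CSRF filter registered after the dispatcher, a forged cross-site PUT reaches kill_app with a 200, exactly the outcome the review asks to prevent by moving the defineFilter call ahead of the guice filter. The prefix lookups show why a key typo is a silent failure: nothing throws, the filter is simply never installed.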
