Date: Wed, 2 Mar 2016 13:11:18 +0000 (UTC)
From: "Varun Vasudev (JIRA)"
To: yarn-issues@hadoop.apache.org
Subject: [jira] [Commented] (YARN-4737) Use CSRF Filter in YARN

[ https://issues.apache.org/jira/browse/YARN-4737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15175562#comment-15175562 ]

Varun Vasudev commented on YARN-4737:
-------------------------------------

Thanks for the patch [~jmaron].

1) Can you please address the checkstyle, javadoc, and ASF license warnings in the pre-commit build?

2) Rename "yarn.resourcemanager.rest-csrf.*" to "yarn.resourcemanager.webapp.rest-csrf.*". Similar changes for nodemanager and JHS as well.
I also noticed that you haven't added CSRF protection for the ATS. Is that going to be done in a follow-up patch?

3) Currently the CSRF protection is enabled by
{code}
+ if (hasSpnegoConf && hasCSRFEnabled(params)) {
+ String restCsrfClassName = RestCsrfPreventionFilter.class.getName();
+ HttpServer2.defineFilter(server.getWebAppContext(), restCsrfClassName,
+ restCsrfClassName, params, new String[] {"/*"});
+ }
{code}
which means that users with custom web auth cannot use the filter. Can we remove the hasSpnegoConf check?

> Use CSRF Filter in YARN
> -----------------------
>
>                 Key: YARN-4737
>                 URL: https://issues.apache.org/jira/browse/YARN-4737
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager, resourcemanager, webapp
>            Reporter: Jonathan Maron
>            Assignee: Jonathan Maron
>         Attachments: YARN-4737.001.patch
>
> A CSRF filter was added to hadoop common (https://issues.apache.org/jira/browse/HADOOP-12691). The aim of this JIRA is to come up with a mechanism to integrate this filter into the webapps for which it is applicable (web apps that may establish an authenticated identity). That includes the RM, NM, and mapreduce jobhistory web app.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
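Review bot: The `hasSpnegoConf && hasCSRFEnabled(params)` guard on the first line of the quoted hunk makes CSRF enforcement silently depend on SPNEGO being configured, so a deployment that sets the rest-csrf enabled property but authenticates through a custom web auth handler gets no filter and no indication that it was skipped. Gating on `hasCSRFEnabled(params)` alone, as requested above, fixes the coverage gap; if the SPNEGO coupling is kept for some reason, the else branch should at least log a warning that CSRF protection was requested but not installed, so the missing filter is visible in the RM/NM logs rather than discovered by an attacker. Registering the filter with `new String[] {"/*"}` is the right default, since any authenticated path that changes state is a CSRF target, not only the REST endpoints.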
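As an added example (not code from the YARN-4737 patch, from Hadoop's RestCsrfPreventionFilter, or from HttpServer2), the following standalone Java program shows the kind of header-based CSRF guard such a filter implements, and registers it on the basis of the rest-csrf config flag alone rather than on whether SPNEGO is configured, which is the decoupling the comment asks for. The property names (following the renamed `yarn.resourcemanager.webapp.rest-csrf.*` prefix), the `X-XSRF-HEADER` header name, the set of safe methods, and the 400 response are assumptions chosen for illustration; the JDK's built-in `com.sun.net.httpserver` stands in for Hadoop's HttpServer2 so the program runs with a plain JDK.

```java
import com.sun.net.httpserver.Filter;
import com.sun.net.httpserver.HttpContext;
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Illustrative header-based CSRF guard; not Hadoop's RestCsrfPreventionFilter. */
public class CsrfFilterDemo {
    // Hypothetical property names, mirroring the rename requested in the comment.
    static final String ENABLED_KEY = "yarn.resourcemanager.webapp.rest-csrf.enabled";
    static final String HEADER_KEY  = "yarn.resourcemanager.webapp.rest-csrf.custom-header";

    // Assumed set of methods that must not change server state and therefore need no header.
    static final Set<String> SAFE_METHODS =
        new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS", "TRACE"));

    /** Pure decision function so the policy can be checked without a running server. */
    static boolean isAllowed(String method, String headerValue) {
        return SAFE_METHODS.contains(method.toUpperCase()) || headerValue != null;
    }

    static final class CsrfGuard extends Filter {
        private final String requiredHeader;
        CsrfGuard(String requiredHeader) { this.requiredHeader = requiredHeader; }

        @Override public String description() {
            return "rejects state-changing requests lacking " + requiredHeader;
        }

        @Override public void doFilter(HttpExchange ex, Chain chain) throws IOException {
            String value = ex.getRequestHeaders().getFirst(requiredHeader);
            if (isAllowed(ex.getRequestMethod(), value)) {
                chain.doFilter(ex);
                return;
            }
            // A cross-site form post or simple XHR cannot attach a custom header without a
            // CORS preflight, so a state-changing request without it is treated as forged.
            byte[] body = "Missing required CSRF header".getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(400, body.length);
            try (OutputStream os = ex.getResponseBody()) { os.write(body); }
        }
    }

    /** Installs the guard purely on the rest-csrf flag, independent of any SPNEGO settings. */
    static HttpServer startServer(Map<String, String> conf) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        HttpContext ctx = server.createContext("/", ex -> {
            byte[] body = "ok".getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, body.length);
            try (OutputStream os = ex.getResponseBody()) { os.write(body); }
        });
        if (Boolean.parseBoolean(conf.getOrDefault(ENABLED_KEY, "false"))) {
            ctx.getFilters().add(new CsrfGuard(conf.getOrDefault(HEADER_KEY, "X-XSRF-HEADER")));
        }
        server.start();
        return server;
    }

    /** Issues one request against the local server; the path is a constructed REST-style URL. */
    static int request(int port, String method, String headerValue) throws IOException {
        URL url = new URL("http://127.0.0.1:" + port + "/ws/v1/cluster/apps");
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        c.setRequestMethod(method);
        if (headerValue != null) c.setRequestProperty("X-XSRF-HEADER", headerValue);
        if (!"GET".equals(method)) { c.setDoOutput(true); c.getOutputStream().close(); }
        return c.getResponseCode();
    }

    public static void main(String[] args) throws IOException {
        Map<String, String> conf = new HashMap<>();
        conf.put(ENABLED_KEY, "true");   // no SPNEGO property is consulted at all
        HttpServer server = startServer(conf);
        int port = server.getAddress().getPort();
        try {
            System.out.println("GET without header -> " + request(port, "GET", null));
            System.out.println("PUT without header -> " + request(port, "PUT", null));
            System.out.println("PUT with header    -> " + request(port, "PUT", "1"));
        } finally {
            server.stop(0);
        }
    }
}
```

Running `main` shows a GET passing without the header, a PUT being rejected with 400 when the header is absent, and the same PUT succeeding once the header is present; flipping `ENABLED_KEY` to `false` removes the guard entirely, which is why the enablement decision should be the only condition on the filter's installation.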