hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Varun Vasudev (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-5076) YARN web interfaces lack XFS protection
Date Wed, 18 May 2016 16:38:13 GMT

    [ https://issues.apache.org/jira/browse/YARN-5076?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15289269#comment-15289269
] 

Varun Vasudev commented on YARN-5076:
-------------------------------------

Ah I think I misunderstood what you were saying. If I understand you correctly, you want the
following the configs -

# yarn.webapp.xfs-filter.enabled
# yarn.resourcemanager.webapp.xframe-options
# yarn.nodemanager.webapp.xframe-options
# yarn.timeline-service.webapp.xframe-options

Correct?

> YARN web interfaces lack XFS protection
> ---------------------------------------
>
>                 Key: YARN-5076
>                 URL: https://issues.apache.org/jira/browse/YARN-5076
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager, resourcemanager, timelineserver
>            Reporter: Jonathan Maron
>            Assignee: Jonathan Maron
>         Attachments: YARN-5076.002.patch
>
>   Original Estimate: 48h
>  Remaining Estimate: 48h
>
> There are web interfaces in YARN that do not provide protection against cross frame scripting
(https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet).  HADOOP-13008 provides
a common filter for addressing this vulnerability, so this filter should be integrated into
the YARN web interfaces.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message