hadoop-yarn-issues mailing list archives

From "Sunil G (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7338) Support same origin policy for cross site scripting prevention.
Date Tue, 17 Oct 2017 04:36:02 GMT

    [ https://issues.apache.org/jira/browse/YARN-7338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16206987#comment-16206987 ]

Sunil G commented on YARN-7338:
-------------------------------

UI2 is launched as a separate service context in the same RM webserver, and UI2 is available at
{{<rm_ip>:<port>/ui2}}, which serves just static pages.

The new YARN UI2 is a SPA (single-page application) which downloads its static files from {{<rm_ip>:<port>/ui2}}.
From then on, like any general REST client, the browser which loaded the UI2 static files will contact the
RM and NM via the server's secure REST endpoints. Hence UI2 does not impose any issues as of
today.

Hence I do not think we have to add these filters to UI2. If it is needed, we can add
filters to the ui2 context also, but I would like to hear thoughts from all folks. [~leftnoteasy]
[~vrushalic] [~eyang] [~Sreenath] Please help to share your comments.

> Support same origin policy for cross site scripting prevention.
> ---------------------------------------------------------------
>
>                 Key: YARN-7338
>                 URL: https://issues.apache.org/jira/browse/YARN-7338
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn-ui-v2
>            Reporter: Vrushali C
>
> Opening jira as suggested by [~eyang] on the thread for merging YARN-3368 (new web UI) to branch2: http://mail-archives.apache.org/mod_mbox/hadoop-yarn-dev/201610.mbox/%3CCAD++eCmVVQNZQz9YnkVKcXaCzdkg50YiOFxktgk3mMMs9sHmUA@mail.gmail.com%3E
> ----------
> Ui2 does not seem to support same origin policy for cross site scripting prevention.
> The following parameters have no effect for /ui2:
> hadoop.http.cross-origin.enabled = true
> yarn.resourcemanager.webapp.cross-origin.enabled = true
> This is because ui2 is designed as a separate web application.  WebFilters setup for the existing resource manager doesn’t apply to the new web application.
> Please open JIRA to track the security issue and resolve the problem prior to backporting this to branch-2.
> This would minimize the risk to open up security hole in branch-2.
> ----------



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org
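The quoted report says the cross-origin settings take effect on the RM's own REST layer but not on the separately registered /ui2 webapp, and the comment above argues that is acceptable because /ui2 only serves static files while the browser talks to the REST endpoints directly. The quickest way to see which contexts a filter actually covers is to send each one a request carrying a forged `Origin` header and compare the `Access-Control-*` headers that come back. The script below does that; it is an added example written for this page, not code from the thread or from Hadoop. The probe origin, the host in the commented-out live call, and the two sample replies are constructed: the REST sample is built to show a filter that echoes the probe origin and allows credentials, and whether a real RM behaves that way depends on its allowed-origins configuration.

```python
"""Check which RM web contexts actually carry the cross-origin filter's headers.

Added example, not Hadoop/YARN code. It sends a GET with a forged Origin header
to each context (e.g. /ws/v1/cluster/info served by the RM REST layer, /ui2/
served as a separate static webapp) and classifies the Access-Control-* headers
in the reply. The host, paths and sample responses below are constructed.
"""
import http.client
from urllib.parse import urlsplit

# Constructed probe origin; any origin that is not the RM's own will do.
PROBE_ORIGIN = "http://attacker.example"


def classify_cors(headers, probe_origin=PROBE_ORIGIN):
    """Classify a response's CORS policy from its (name, value) header list.

    Returns (policy, allows_credentials) where policy is one of:
      'none'        no Access-Control-Allow-Origin header: the cross-origin
                    filter did not run for this context
      'wildcard'    Access-Control-Allow-Origin: *
      'reflected'   the probe origin was echoed back: the filter is active and
                    accepts this (arbitrary) origin
      'allowlisted' some other fixed origin is allowed
    """
    hdrs = {name.lower(): value.strip() for name, value in headers}
    acao = hdrs.get("access-control-allow-origin")
    creds = hdrs.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        policy = "none"
    elif acao == "*":
        policy = "wildcard"
    elif acao == probe_origin:
        policy = "reflected"
    else:
        policy = "allowlisted"
    return policy, creds


def probe(url, probe_origin=PROBE_ORIGIN, timeout=5):
    """Fetch url with an Origin header and classify the reply (network call)."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"Origin": probe_origin})
        resp = conn.getresponse()
        return resp.status, classify_cors(resp.getheaders(), probe_origin)
    finally:
        conn.close()


def filter_coverage(responses, probe_origin=PROBE_ORIGIN):
    """Map each context path to its CORS classification."""
    return {path: classify_cors(hdrs, probe_origin) for path, hdrs in responses.items()}


def uncovered(coverage):
    """Paths on which no cross-origin filter ran at all (sorted for stable output)."""
    return sorted(path for path, (policy, _creds) in coverage.items() if policy == "none")


def risky(coverage):
    """Paths that echo an arbitrary origin *and* allow credentials: a page on
    another site could read authenticated responses from these."""
    return sorted(path for path, (policy, creds) in coverage.items()
                  if policy == "reflected" and creds)


# Constructed sample replies (not captured from a real cluster) for an offline run.
SAMPLE_RESPONSES = {
    "/ws/v1/cluster/info": [
        ("Content-Type", "application/json"),
        ("Access-Control-Allow-Origin", PROBE_ORIGIN),
        ("Access-Control-Allow-Credentials", "true"),
    ],
    "/ui2/": [
        ("Content-Type", "text/html"),
    ],
}

if __name__ == "__main__":
    cov = filter_coverage(SAMPLE_RESPONSES)
    for path, (policy, creds) in cov.items():
        print(f"{path}: policy={policy} credentials={creds}")
    print("no filter ran on:", uncovered(cov))
    print("reflected origin with credentials:", risky(cov))
    # Against a live RM (hypothetical address), one call per context:
    # for p in ("/ws/v1/cluster/info", "/ui2/"):
    #     print(p, probe(f"http://rm.example:8088{p}"))
```

Run offline it reports /ui2/ as the context with no filter, which is the situation the report describes. Against a live RM, the `risky` list is the one worth acting on: a REST context that reflects any origin while allowing credentials is a bigger exposure than a static context that sends no CORS headers at all, since the latter simply falls back to the browser's same-origin policy.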

