hadoop-yarn-issues mailing list archives

From "Robert Kanter (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-8198) Add Security-Related HTTP Response Header in Yarn WEBUIs.
Date Wed, 09 May 2018 00:58:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-8198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16468188#comment-16468188

Robert Kanter commented on YARN-8198:

Thanks for the patch [~kanwaljeets].  

Some comments:
# I think we should move this to a HADOOP JIRA and retitle accordingly because it's really changing Common code ({{HttpServer2}}), and not YARN specifically.
# In {{#addHeaders}} we're currently compiling the regex each time this is called.  We can move that {{Pattern}} to a static class variable as [~snemeth] said.
# Another point [~snemeth] mentioned is that the regex has two capturing groups, but we only ever use the second one.  We can get rid of the first one.
# I think we should use {{matches(...)}} instead of {{find(...)}} on the regex in {{#addHeaders}}.  {{find}} is meant for searching through a String multiple times, while {{matches}} is looking at the whole String.  I'm not sure of the implementation details, but I imagine {{matches}} might be faster because of that.  With {{find}}, we're only calling it once per String so this isn't really a problem, but if we were to somehow call it multiple times, it would actually pass on a String like {{"hadoop.http.header.foo.hadoop.http.header.bar"}} and group 2 would be {{"foo"}} and then {{"bar"}}.
# In {{initializeWebServer}}, we have:
{code:java}
Map<String, String> xFrameParams = new HashMap<>();
xFrameParams.put(X_FRAME_VALUE, this.xFrameOption.toString());
setHeaders(conf, xFrameParams);
{code}
{{setHeaders}} adds in "default headers" and then all the "{{hadoop.http.headers.*}}" headers.  This means that we're doing this order: (1) XFrame, (2) default, (3) user-specified.  Shouldn't we move the XFrame headers into {{setHeaders}} and have the default ones go first?  Really, shouldn't the XFrame headers be part of the default headers?
## Similarly, in {{doFilter}}, the XFrame headers are handled separately from the rest of them (which use {{addHeaders(...)}}).  It would be cleaner if we were to make all headers behave the same way with the same code.
## Further on that point, in {{initializeWebServer}} we set that {{X_FRAME_ENABLED}} to a boolean String, and then in {{doFilter}}, we add the {{X_FRAME}} header if it's {{"true"}}.  Using your new code, we should be able to just check this once in {{initializeWebServer}} and simply add or omit the {{X_FRAME}} header itself accordingly.
# The {{testHttpResponseCustomtHeaders}} test has a typo, it should be {{testHttpResponseCustomHeaders}}.

> Add Security-Related HTTP Response Header in Yarn WEBUIs.
> ---------------------------------------------------------
>                 Key: YARN-8198
>                 URL: https://issues.apache.org/jira/browse/YARN-8198
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: yarn
>            Reporter: Kanwaljeet Sachdev
>            Assignee: Kanwaljeet Sachdev
>            Priority: Major
>              Labels: security
>         Attachments: YARN-8198.001.patch, YARN-8198.002.patch, YARN-8198.003.patch, YARN-8198.004.patch,
> As of today, YARN web-ui lacks certain security related http response headers. We are planning to add a few default ones and also add support for headers to be able to get added via xml config. Planning to make the below two as default.
>  * X-XSS-Protection: 1; mode=block
>  * X-Content-Type-Options: nosniff
> Support for headers via config properties in core-site.xml will be along the below lines
> {code:java}
> <property>
>      <name>hadoop.http.header.Strict_Transport_Security</name>
>      <value>valHSTSFromXML</value>
>  </property>{code}
> A regex matcher will lift these properties and add into the response header when Jetty prepares the response.
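The header-lifting logic the review comments above discuss, written as an added example (this is not the YARN-8198 patch or Hadoop's HttpServer2 code): the Pattern is compiled once into a static field with a single capturing group, matches() is used instead of find(), and the default headers go first with X-Frame-Options folded in. The class name HeaderConfigExample, the exact regex, the use of a plain Map in place of a Hadoop Configuration, and the mapping of '_' in the property name to '-' in the header name are all assumptions of this example.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class HeaderConfigExample {
    // Compiled once as a static field (review point 2), with a single
    // capturing group for the header name (review point 3).
    private static final Pattern HEADER_PROPERTY =
        Pattern.compile("hadoop\\.http\\.header\\.(\\w+)");
    // Defaults first, X-Frame-Options folded in, then user-specified headers
    // from the config (review point 5). Mapping '_' in the property name to
    // '-' in the header name is an assumption the issue does not state.
    static Map<String, String> collectHeaders(Map<String, String> conf,
            boolean xFrameEnabled, String xFrameOption) {
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("X-Content-Type-Options", "nosniff");
        headers.put("X-XSS-Protection", "1; mode=block");
        if (xFrameEnabled) {
            headers.put("X-Frame-Options", xFrameOption);
        }
        for (Map.Entry<String, String> e : conf.entrySet()) {
            Matcher m = HEADER_PROPERTY.matcher(e.getKey());
            if (m.matches()) {  // the whole key must match (review point 4)
                headers.put(m.group(1).replace('_', '-'), e.getValue());
            }
        }
        return headers;
    }
    // What the review warns about: find() on the same pattern reports every
    // embedded occurrence instead of rejecting a malformed key.
    static List<String> namesViaFind(String key) {
        List<String> names = new ArrayList<>();
        Matcher m = HEADER_PROPERTY.matcher(key);
        while (m.find()) {
            names.add(m.group(1));
        }
        return names;
    }
    public static void main(String[] args) {
        Map<String, String> conf = new LinkedHashMap<>();  // constructed sample
        conf.put("hadoop.http.header.Strict_Transport_Security", "valHSTSFromXML");
        conf.put("hadoop.http.header.foo.hadoop.http.header.bar", "ignored");
        conf.put("hadoop.http.filter.initializers", "not a header");
        System.out.println(collectHeaders(conf, true, "SAMEORIGIN"));
        System.out.println(namesViaFind("hadoop.http.header.foo.hadoop.http.header.bar"));
    }
}
```

Running it shows the doubled key rejected by matches() inside collectHeaders while namesViaFind() reports both embedded names, which is exactly the difference the fourth review point describes.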

This message was sent by Atlassian JIRA
