From: "Sushanth Sowmyan (JIRA)"
To: dev@hive.apache.org
Date: Wed, 25 May 2016 19:14:12 +0000 (UTC)
Subject: [jira] [Created] (HIVE-13853) Add X-XSRF-Header filter to HS2 HTTP mode and WebHCat

Sushanth Sowmyan created HIVE-13853:
---------------------------------------

             Summary: Add X-XSRF-Header filter to HS2 HTTP mode and WebHCat
                 Key: HIVE-13853
                 URL: https://issues.apache.org/jira/browse/HIVE-13853
             Project: Hive
          Issue Type: Bug
          Components: HiveServer2, WebHCat
            Reporter: Sushanth Sowmyan
            Assignee: Sushanth Sowmyan

There is a possibility that there may be a CSRF-based attack on various Hadoop components, and thus there is an effort to add a block for all incoming HTTP requests if they do not contain an X-XSRF-Header header. (See HADOOP-12691 for motivation.)

This has potential to affect HS2 when running in thrift-over-http mode (if cookie-based auth is used), and WebHCat.

We introduce new flags to determine whether or not we're using the filter, and if we are, we will automatically reject any HTTP requests which do not contain this header.

To allow this to work, we also need to make changes to our JDBC driver to automatically inject this header into any requests it makes.

Also, any client-side programs/APIs not using the JDBC driver directly will need to make changes to add an X-XSRF-Header header to the request to make calls to HS2/WebHCat if this filter is enabled.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
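The gate the ticket describes, as an added illustration that is not Hive, Hadoop or JDBC-driver code: a server-side filter that rejects any request lacking the header, and the client-side injection the JDBC driver (or any other client) must perform. The reason a presence-only custom header defeats CSRF is that a browser never attaches a custom header to a cross-site form submission, navigation or image/script load, and a cross-origin script can only add one after a CORS preflight the server does not approve; the header's value therefore need not be secret, only present. It is the ambient cookie that makes CSRF possible, which is why the ticket scopes the risk to cookie-based auth. Assumptions in this example, all hypothetical and not taken from the page: the on/off switch is a boolean `enabled` rather than whatever configuration flag Hive uses, the header name is `X-XSRF-HEADER`, and a rejected request gets HTTP 400. The server runs on a loopback ephemeral port so the whole thing executes offline.

```python
"""Presence-only X-XSRF-HEADER gate (added example, not project code)."""
import http.server
import threading
import urllib.error
import urllib.request

# Hypothetical header name; the ticket only says "a X-XSRF-Header header".
XSRF_HEADER = "X-XSRF-HEADER"


def xsrf_filter(headers, enabled=True, header_name=XSRF_HEADER):
    """Server side: return True if the request may proceed.

    Only the header's presence is checked (its value is irrelevant), and
    names are compared case-insensitively as HTTP requires. `enabled`
    stands in for the real on/off flag, whose name the ticket does not give.
    """
    if not enabled:
        return True
    return any(k.lower() == header_name.lower() for k in headers)


def inject_xsrf_header(headers, header_name=XSRF_HEADER):
    """Client side: what the JDBC driver or any other caller must do.

    The value is arbitrary; a script or non-browser client can always set
    it, while a plain cross-site browser request cannot.
    """
    out = dict(headers)
    out.setdefault(header_name, "true")
    return out


class GatedHandler(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for an HS2/WebHCat HTTP endpoint behind the filter."""

    enabled = True  # toggled per run by serve_and_probe()

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self.rfile.read(length)  # body is irrelevant to the gate
        if not xsrf_filter(self.headers, enabled=self.enabled):
            # 400 is an assumption for this example, not Hive's documented code.
            self._reply(400, b"Missing required header for CSRF protection\n")
            return
        self._reply(200, b"ok\n")

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def _post(url, headers):
    """POST a constructed body with the given headers; return the status code."""
    req = urllib.request.Request(url, data=b"SELECT 1", method="POST")
    for k, v in headers.items():
        req.add_header(k, v)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def serve_and_probe(enabled=True):
    """Start the gated server on a loopback ephemeral port, send one POST
    without the header (what a cross-site form could produce) and one with
    it (what a patched client produces), and return both status codes."""
    GatedHandler.enabled = enabled
    srv = http.server.HTTPServer(("127.0.0.1", 0), GatedHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/" % srv.server_address[1]
    try:
        return {
            "without_header": _post(url, {}),
            "with_header": _post(url, inject_xsrf_header({})),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("filter enabled: ", serve_and_probe(enabled=True))
    print("filter disabled:", serve_and_probe(enabled=False))
```

With the filter enabled, the header-less POST is rejected with 400 and the injected one succeeds; with it disabled both succeed, which is the compatibility mode the ticket's new flags provide for clients that have not yet been updated. Note that the gate covers every method here; whether a deployment should also exempt read-only methods is a policy choice this example does not make.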