hive-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sushanth Sowmyan (JIRA)" <>
Subject [jira] [Updated] (HIVE-13853) Add X-XSRF-Header filter to HS2 HTTP mode and WebHCat
Date Tue, 07 Jun 2016 18:26:21 GMT


Sushanth Sowmyan updated HIVE-13853:
    Fix Version/s: 2.1.1

> Add X-XSRF-Header filter to HS2 HTTP mode and WebHCat
> -----------------------------------------------------
>                 Key: HIVE-13853
>                 URL:
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2, WebHCat
>            Reporter: Sushanth Sowmyan
>            Assignee: Sushanth Sowmyan
>              Labels: TODOC2.2
>             Fix For: 2.2.0, 2.1.1
>         Attachments: HIVE-13853.2.patch, HIVE-13853.patch
> There is a possibility that there may be a CSRF-based attack on various hadoop components,
and thus, there is an effort to add a block for all incoming http requests if they do not
contain a X-XSRF-Header header. (See HADOOP-12691 for motivation)
> This has potential to affect HS2 when running on thrift-over-http mode(if cookie-based-auth
is used), and webhcat.
> We introduce new flags to determine whether or not we're using the filter, and if we
are, we will automatically reject any http requests which do not contain this header.
> To allow this to work, we also need to make changes to our JDBC driver to automatically
inject this header into any requests it makes. Also, any client-side programs/api not using
the JDBC driver directly will need to make changes to add a X-XSRF-Header header to the request
to make calls to HS2/WebHCat if this filter is enabled.

This message was sent by Atlassian JIRA

View raw message