hive-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sushanth Sowmyan (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-13853) Add X-XSRF-Header filter to HS2 HTTP mode and WebHCat
Date Tue, 20 Sep 2016 22:55:20 GMT

    [ https://issues.apache.org/jira/browse/HIVE-13853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15508057#comment-15508057
] 

Sushanth Sowmyan commented on HIVE-13853:
-----------------------------------------

That is how I had started testing, but HS2 has some quirks on filter load time due to which
it has to be loaded explicitly at HS2 start time. Thus, this covers changes to HS2 start as
well, and not simply the filter.

> Add X-XSRF-Header filter to HS2 HTTP mode and WebHCat
> -----------------------------------------------------
>
>                 Key: HIVE-13853
>                 URL: https://issues.apache.org/jira/browse/HIVE-13853
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2, WebHCat
>            Reporter: Sushanth Sowmyan
>            Assignee: Sushanth Sowmyan
>              Labels: TODOC2.1
>             Fix For: 2.1.0
>
>         Attachments: HIVE-13853.2.patch, HIVE-13853.patch
>
>
> There is a possibility that there may be a CSRF-based attack on various hadoop components,
and thus, there is an effort to add a block for all incoming http requests if they do not
contain a X-XSRF-Header header. (See HADOOP-12691 for motivation)
> This has potential to affect HS2 when running on thrift-over-http mode(if cookie-based-auth
is used), and webhcat.
> We introduce new flags to determine whether or not we're using the filter, and if we
are, we will automatically reject any http requests which do not contain this header.
> To allow this to work, we also need to make changes to our JDBC driver to automatically
inject this header into any requests it makes. Also, any client-side programs/api not using
the JDBC driver directly will need to make changes to add a X-XSRF-Header header to the request
to make calls to HS2/WebHCat if this filter is enabled.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message