[ https://issues.apache.org/jira/browse/KNOX-48?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13768636#comment-13768636 ]

ASF subversion and git services commented on KNOX-48:
-----------------------------------------------------

Commit 1c2727cc27d851f9d97813cb056f85e3a6fb9526 in branch refs/heads/master 
from [~lmccay]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-knox.git;h=1c2727c ]

KNOX-48 added the use of the CryptoService to encrypt and decrypt secure URL 
query strings.
                
> Cluster topology must not be exposed in datanode redirect query parameters
> --------------------------------------------------------------------------
>
>                 Key: KNOX-48
>                 URL: https://issues.apache.org/jira/browse/KNOX-48
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: Server
>    Affects Versions: 0.2.0
>            Reporter: Kevin Minder
>            Assignee: Kevin Minder
>             Fix For: 0.4.0
>
>
> From BUG-4326
> Currently, when the Location header in a redirect from WebHDFS is rewritten, 
> the host and port of the datanode are stored in user visible query parameters. 
> These values should not be user visible as this exposes the topology of the 
> Hadoop cluster. These values should be encrypted. The suggestion is to 
> encrypt and base64 encode a set of query params that are placed on the user 
> visible URL with a special query param. For example:
> ...?op=CREATE&_=<base64>
> where the <base64> would decode and decrypt into something like
> datanode.host=<hostname>&datanode.port=<port>
> The example exposed param name (i.e. '_') and hidden params (i.e. 
> datanode.host, datanode.port) are not prescriptive. 
> Note: jQuery appears to add an '_' query param as a workaround to an IE 
> caching issue. Should probably pick something else. An alternate proposal is 
> to encrypt the entire query string as suggested here
> http://www.codeproject.com/Articles/33350/Encrypting-Query-Strings

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
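As an added illustration of the scheme the issue describes (not Knox's own CryptoService code), the following Go example moves datanode.host and datanode.port out of a WebHDFS redirect Location into one opaque parameter, encrypted with AES-GCM and URL-safe base64 encoded, and shows the gateway-side decode. The parameter name "_dn", the AES-GCM choice and the key handling are assumptions; using an authenticated mode means a client cannot alter the hidden host and port without the token being rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"net/url"
)

// NewGCM builds the AES-GCM AEAD used for the hidden query string; key is 16, 24 or 32 bytes.
func NewGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// SealHidden encrypts the hidden params and returns URL-safe base64 of
// nonce||ciphertext||tag, so the token is confidential and tamper-evident.
func SealHidden(gcm cipher.AEAD, hidden url.Values) (string, error) {
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per token
	if _, err := rand.Read(nonce); err != nil { return "", err }
	ct := gcm.Seal(nonce, nonce, []byte(hidden.Encode()), nil)
	return base64.RawURLEncoding.EncodeToString(ct), nil
}
// OpenHidden reverses SealHidden; a modified or truncated token is rejected.
func OpenHidden(gcm cipher.AEAD, token string) (url.Values, error) {
	ct, err := base64.RawURLEncoding.DecodeString(token)
	n := gcm.NonceSize()
	if err != nil || len(ct) < n { return nil, errors.New("malformed token") }
	pt, err := gcm.Open(nil, ct[:n], ct[n:], nil) // GCM tag check fails on any bit flip
	if err != nil { return nil, err }
	return url.ParseQuery(string(pt))
}

// RewriteLocation moves datanode.host and datanode.port out of a WebHDFS redirect
// Location's visible query string into the single encrypted parameter.
func RewriteLocation(gcm cipher.AEAD, location string) (string, error) {
	u, err := url.Parse(location)
	if err != nil { return "", err }
	q, hidden := u.Query(), url.Values{}
	for _, k := range []string{"datanode.host", "datanode.port"} {
		if v := q.Get(k); v != "" { hidden.Set(k, v); q.Del(k) }
	}
	token, err := SealHidden(gcm, hidden)
	if err != nil { return "", err }
	q.Set("_dn", token) // "_dn" is a hypothetical name; the issue's example "_" clashes with jQuery
	u.RawQuery = q.Encode()
	return u.String(), nil
}
```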