[ https://issues.apache.org/jira/browse/YARN-4737?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jonathan Maron updated YARN-4737:
---------------------------------
    Attachment: YARN-4737.patch.001

The key elements of the uploaded patch:

- Provides a CSRF enabling call to WebApps.Builder, taking the configuration prefix as an argument.
- Adds the call to web apps currently capable of an SPNEGO authentication (and thus susceptible to CSRF) - RM, NM, and Job History
- Defines the properties associated with configuration of the filter for these given web apps
- Tests added based on TestRMWebServices (used the test as an example of client invocations of RM web endpoint)

NOTE: Could use some assistance in ascertaining whether web apps currently have javascript invocations of the exposed REST services. Those calls will fail if CSRF is enabled.

> Use CSRF Filter in YARN
> -----------------------
>
>                 Key: YARN-4737
>                 URL: https://issues.apache.org/jira/browse/YARN-4737
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager, resourcemanager, webapp
>            Reporter: Jonathan Maron
>            Assignee: Jonathan Maron
>         Attachments: YARN-4737.patch.001
>
>
> A CSRF filter was added to hadoop common
> (https://issues.apache.org/jira/browse/HADOOP-12691). The aim of this JIRA
> is to come up with a mechanism to integrate this filter into the webapps for
> which it is applicable (web apps that may establish an authenticated
> identity). That includes the RM, NM, and mapreduce jobhistory web app.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
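
The note above says JavaScript calls to the REST services will fail once CSRF is enabled. The following added example (not part of the original message, the patch, or Hadoop's code) models a custom-header CSRF check and audits a list of client calls for the ones it would reject. The header name, the ignored-method list, the request paths and all function names are assumptions for illustration.

```javascript
// Simplified model of a custom-header CSRF check (assumed values, not Hadoop's filter).
const CSRF_CONFIG = {
  customHeader: "X-XSRF-HEADER",                       // assumed header name
  methodsToIgnore: ["GET", "OPTIONS", "HEAD", "TRACE"], // assumed safe methods
};

// HTTP header names are case-insensitive, so normalise before lookup.
function hasHeader(headers, name) {
  const wanted = name.toLowerCase();
  return Object.keys(headers || {}).some((k) => k.toLowerCase() === wanted);
}

// Server-side decision: ignored methods pass; anything else needs the custom header.
function csrfDecision(request, config = CSRF_CONFIG) {
  const method = String(request.method || "GET").toUpperCase();
  if (config.methodsToIgnore.includes(method)) {
    return { allowed: true, reason: "method ignored" };
  }
  if (hasHeader(request.headers, config.customHeader)) {
    return { allowed: true, reason: "custom header present" };
  }
  return { allowed: false, reason: "missing " + config.customHeader };
}

// Client-side fix: attach the header (only its presence is checked in this model).
function withCsrfHeader(request, config = CSRF_CONFIG) {
  return {
    ...request,
    headers: { ...(request.headers || {}), [config.customHeader]: "1" },
  };
}

// Audit: return the client calls that the check would reject.
function findBreakingCalls(calls, config = CSRF_CONFIG) {
  return calls.filter((c) => !csrfDecision(c, config).allowed);
}

// Constructed sample calls; the paths are hypothetical placeholders.
const SAMPLE_CALLS = [
  { name: "list", method: "GET", path: "/example/items", headers: {} },
  { name: "create", method: "POST", path: "/example/items",
    headers: { "Content-Type": "application/json" } },
  { name: "update", method: "put", path: "/example/items/1",
    headers: { "x-xsrf-header": "1" } },
  { name: "remove", method: "DELETE", path: "/example/items/1", headers: {} },
];

console.log(findBreakingCalls(SAMPLE_CALLS).map((c) => c.name));
```

A cross-site HTML form cannot set a custom request header, which is why requiring one on state-changing methods separates deliberate API clients from forged browser submissions.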