[ https://issues.apache.org/jira/browse/YARN-4737?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jonathan Maron updated YARN-4737:
---------------------------------
    Attachment: YARN-4737.patch.001

The key elements of the uploaded patch:

- Provides a CSRF-enabling call to WebApps.Builder, taking the configuration 
prefix as an argument.
- Adds the call to web apps currently capable of SPNEGO authentication (and 
thus susceptible to CSRF): RM, NM, and Job History.
- Defines the properties associated with configuration of the filter for these 
web apps.
- Tests added based on TestRMWebServices (used the test as an example of client 
invocations of the RM web endpoint).

NOTE: Could use some assistance in ascertaining whether web apps currently 
have JavaScript invocations of the exposed REST services. Those calls will 
fail if CSRF is enabled.

> Use CSRF Filter in YARN
> -----------------------
>
>                 Key: YARN-4737
>                 URL: https://issues.apache.org/jira/browse/YARN-4737
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager, resourcemanager, webapp
>            Reporter: Jonathan Maron
>            Assignee: Jonathan Maron
>         Attachments: YARN-4737.patch.001
>
>
> A CSRF filter was added to Hadoop Common 
> (https://issues.apache.org/jira/browse/HADOOP-12691). The aim of this JIRA 
> is to come up with a mechanism to integrate this filter into the webapps for 
> which it is applicable (web apps that may establish an authenticated 
> identity). That includes the RM, NM, and MapReduce JobHistory web app.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
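
Added example (not part of the original message or the attached patch): a small JavaScript model of a custom-header CSRF filter, used to audit a list of client calls and report which ones would start failing once the filter is enabled, as the NOTE above warns. The header name, ignored-method list, rejection status and sample requests are assumptions made for illustration.

```javascript
// Model of a custom-header CSRF check. All values below are assumed for
// illustration; they are not read from the patch.
const csrfConfig = {
  enabled: true,
  customHeader: "X-XSRF-HEADER",                         // assumed header name
  methodsToIgnore: ["GET", "OPTIONS", "HEAD", "TRACE"],  // assumed non-mutating methods
};

// Returns the status the filter would answer with (assumed 400) when it
// rejects the request, or null when the request is passed down the chain.
function csrfFilter(req, cfg) {
  if (!cfg.enabled) return null;
  const method = req.method.toUpperCase();
  if (cfg.methodsToIgnore.includes(method)) return null;
  // HTTP header names are case-insensitive, so compare in lower case.
  const wanted = cfg.customHeader.toLowerCase();
  const present = Object.keys(req.headers || {})
    .some((name) => name.toLowerCase() === wanted);
  return present ? null : 400;
}

// Lists the calls that would be rejected under the given configuration.
function auditCalls(calls, cfg) {
  return calls
    .filter((call) => csrfFilter(call, cfg) !== null)
    .map((call) => `${call.method.toUpperCase()} ${call.path}`);
}

// Constructed sample of calls a web UI script might make (hypothetical paths).
const sampleCalls = [
  { method: "GET", path: "/ws/v1/cluster/apps", headers: {} },
  { method: "POST", path: "/ws/v1/cluster/apps",
    headers: { "Content-Type": "application/json" } },
  { method: "put", path: "/ws/v1/cluster/apps/APP_ID/state",
    headers: { "x-xsrf-header": "1" } },
  { method: "DELETE", path: "/ws/v1/example", headers: {} },
];

console.log(auditCalls(sampleCalls, csrfConfig));
```

Calls reported by auditCalls are the ones whose client code needs to send the configured header before the filter is switched on.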
