[ https://issues.apache.org/jira/browse/YARN-4737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15175562#comment-15175562 ]
Varun Vasudev commented on YARN-4737:
-------------------------------------

Thanks for the patch [~jmaron].

1) Can you please address the checkstyle, javadoc, and ASF license warnings in the pre-commit build?

2) Rename "yarn.resourcemanager.rest-csrf.*" to "yarn.resourcemanager.webapp.rest-csrf.*". Similar changes for nodemanager and JHS as well. I also noticed that you haven't added CSRF protection for the ATS. Is that going to be done in a follow-up patch?

3) Currently the CSRF protection is enabled by
{code}
+ if (hasSpnegoConf && hasCSRFEnabled(params)) {
+ String restCsrfClassName = RestCsrfPreventionFilter.class.getName();
+ HttpServer2.defineFilter(server.getWebAppContext(), restCsrfClassName,
+ restCsrfClassName, params, new String[] {"/*"});
+ }
{code}
which means that users with custom web auth cannot use the filter. Can we remove the hasSpnegoConf check?

> Use CSRF Filter in YARN
> -----------------------
>
> Key: YARN-4737
> URL: https://issues.apache.org/jira/browse/YARN-4737
> Project: Hadoop YARN
> Issue Type: Bug
> Components: nodemanager, resourcemanager, webapp
> Reporter: Jonathan Maron
> Assignee: Jonathan Maron
> Attachments: YARN-4737.001.patch
>
>
> A CSRF filter was added to hadoop common
> (https://issues.apache.org/jira/browse/HADOOP-12691). The aim of this JIRA
> is to come up with a mechanism to integrate this filter into the webapps for
> which it is applicable (web apps that may establish an authenticated
> identity). That includes the RM, NM, and mapreduce jobhistory web app.
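
Review bot: the condition "if (hasSpnegoConf && hasCSRFEnabled(params))" skips the filter without any indication when hasCSRFEnabled(params) is true but hasSpnegoConf is false, and the hunk has no else branch or log statement for that case. An operator who has turned CSRF protection on would then run a web app with no RestCsrfPreventionFilter defined and nothing in the output to say so. Either drop hasSpnegoConf from the condition so the filter depends only on hasCSRFEnabled(params), or keep the check and log a warning when CSRF is enabled but the filter is not installed. A short comment above the block stating why the filter is mapped to "/*" and under what authentication setups it applies would also help.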