[ https://issues.apache.org/jira/browse/YARN-4737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15175562#comment-15175562 ]

Varun Vasudev commented on YARN-4737:
-------------------------------------

Thanks for the patch [~jmaron]. 

1) Can you please address the checkstyle, javadoc, and ASF license warnings in 
the pre-commit build?

2) Rename "yarn.resourcemanager.rest-csrf.*" to 
"yarn.resourcemanager.webapp.rest-csrf.*". Similar changes for nodemanager and 
JHS as well. I also noticed that you haven't added CSRF protection for the ATS. 
Is that going to be done in a follow up patch?

3) Currently the CSRF protection is enabled by
{code}
+        if (hasSpnegoConf && hasCSRFEnabled(params)) {
+          String restCsrfClassName = RestCsrfPreventionFilter.class.getName();
+          HttpServer2.defineFilter(server.getWebAppContext(), 
restCsrfClassName,
+                                   restCsrfClassName, params, new String[] 
{"/*"});
+        }
{code}
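Review bot: the condition {{hasSpnegoConf && hasCSRFEnabled(params)}} makes CSRF protection depend on SPNEGO being configured, while the filter itself only needs an authenticated identity behind it (the issue description scopes it to web apps that establish one), so a deployment using a different authentication filter gets no CSRF filter at all even with the rest-csrf setting turned on, and nothing tells the operator. Suggest gating on {{hasCSRFEnabled(params)}} alone (or on whether any authentication filter is configured rather than SPNEGO specifically) and logging at startup when CSRF protection was requested but not installed, so the gap is visible.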
which means that users with custom web auth cannot use the filter. Can we 
remove the hasSpnegoConf check?

> Use CSRF Filter in YARN
> -----------------------
>
>                 Key: YARN-4737
>                 URL: https://issues.apache.org/jira/browse/YARN-4737
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager, resourcemanager, webapp
>            Reporter: Jonathan Maron
>            Assignee: Jonathan Maron
>         Attachments: YARN-4737.001.patch
>
>
> A CSRF filter was added to hadoop common 
> (https://issues.apache.org/jira/browse/HADOOP-12691).  The aim of this JIRA 
> is to come up with a mechanism to integrate this filter into the webapps for 
> which it is applicable (web apps that may establish an authenticated 
> identity).  That includes the RM, NM, and mapreduce jobhistory web app.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)