[jira] [Commented] (HADOOP-15457) Add Security-Related HTTP Response Header in Yarn WEBUIs.

Fri, 11 May 2018 12:09:25 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-15457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16472496#comment-16472496
 ] 

Szilard Nemeth commented on HADOOP-15457:
-----------------------------------------

[~kanwaljeets]
1. Sure, I see why you left the other introduced constants as package-private, 
to be able to access them from the tests.
2. Yes, the httpHeaderRegex could be also private, I missed that. Oh I see you 
really have something else with the same name (regex string). I think the 
cleanest would be to differentiate them, maybe using the "pattern" prefix for 
the pattern static field.
I checked some other occurences in the code for some static Patterns, most of 
them are with uppercase letters, so I would vote for that.

Thanks!

> Add Security-Related HTTP Response Header in Yarn WEBUIs.
> ---------------------------------------------------------
>
>                 Key: HADOOP-15457
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15457
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Kanwaljeet Sachdev
>            Assignee: Kanwaljeet Sachdev
>            Priority: Major
>              Labels: security
>         Attachments: HADOOP-15457.001.patch, YARN-8198.001.patch, 
> YARN-8198.002.patch, YARN-8198.003.patch, YARN-8198.004.patch, 
> YARN-8198.005.patch
>
>
> As of today, YARN web-ui lacks certain security related http response 
> headers. We are planning to add few default ones and also add support for 
> headers to be able to get added via xml config. Planning to make the below 
> two as default.
>  * X-XSS-Protection: 1; mode=block
>  * X-Content-Type-Options: nosniff
>  
> Support for headers via config properties in core-site.xml will be along the 
> below lines
> {code:java}
> <property>
>      <name>hadoop.http.header.Strict_Transport_Security</name>
>      <value>valHSTSFromXML</value>
>  </property>{code}
>  
> A regex matcher will lift these properties and add into the response header 
> when Jetty prepares the response.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to