[ 
https://issues.apache.org/jira/browse/HADOOP-11308?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14334014#comment-14334014
 ] 

Haohui Mai commented on HADOOP-11308:
-------------------------------------

The problem with allowing JSON strings to be output directly is that it might 
lead to a potential cross-site scripting (CSS) vulnerability. Without this patch 
the JSON library and the APIs can guarantee the JMX output is always well-formed. 
With this patch it is much harder to maintain this guarantee. We have had 
multiple issues with CSS in the past (e.g., HADOOP-6151, HADOOP-6441, a couple 
of CSS issues in the old HDFS UI).

My concern is that giving away the security defenses against CSS seems to 
outweigh the benefits of the patch. A safer approach might be providing a 
Jackson instance to generate the JSON -- that way the Jackson library can ensure 
that the JSON output is always well-formed.

bq. Do you mean the consumer of the JMX output ? They will get the output 
specified in 
https://issues.apache.org/jira/browse/HDFS-7390?focusedCommentId=14211474&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14211474

The JMX information can also be consumed by JConsole. I don't know how this 
patch can affect this JConsole output and whether it breaks compatibility. See 
http://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html


> Enable JMX to directly output JSON objects instead JSON strings
> ---------------------------------------------------------------
>
>                 Key: HADOOP-11308
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11308
>             Project: Hadoop Common
>          Issue Type: Improvement
>    Affects Versions: 2.5.1
>            Reporter: Benoy Antony
>            Assignee: Benoy Antony
>         Attachments: HADOOP-11308.patch, HADOOP-11308.patch
>
>
> Currently many JMX beans provide Json content as strings.
> JMXJsonServlet outputs these as Json Strings.  This also results in losing 
> the original Json object structure.
> An example is given below:
> {code}
>   "TieredStorageStats" : 
> "{\"ARCHIVE\":{\"capacityTotal\":1498254102528,\"capacityUsed\":12288,\"capacityRemaining\":980102602752,\"blockPoolUsed\":12288,\"nodesInService\":3,\"numBlocks\":0}...
> {code}
> {code}
>   "TieredStorageStats" : 
> {"ARCHIVE":{"capacityTotal":1498254102528,"capacityUsed":12288,"capacityRemaining":980102602752,"blockPoolUsed":12288,"nodesInService":3,"numBlocks":0}...
> {code}
> In the former output {{TieredStorageStats}} maps to a JSON string while in 
> the latter one it maps to a JSON object.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
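
The contrast drawn in the comment above, as an added example (not code from the HADOOP-11308 patch or from Hadoop): copying a bean's string into the response unchecked versus parsing it and letting Jackson emit the tree. It assumes Jackson 2.x databind (2.9 or later) on the classpath; the class name, method names and sample values are hypothetical.

```java
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.io.StringWriter;

public class JmxJsonAttributeDemo {
  // Reject "{...} trailing" instead of silently stopping after the first value.
  private static final ObjectMapper MAPPER =
      new ObjectMapper().enable(DeserializationFeature.FAIL_ON_TRAILING_TOKENS);

  /** Pass-through: the bean's string decides the structure of the response. */
  static void writeRawAttr(JsonGenerator jg, String name, String value) throws IOException {
    jg.writeFieldName(name);
    jg.writeRawValue(value);
  }

  /** Parse first and let Jackson emit the tree; anything else stays a quoted string. */
  static void writeParsedAttr(JsonGenerator jg, String name, String value) throws IOException {
    jg.writeFieldName(name);
    JsonNode tree = null;
    try {
      tree = MAPPER.readTree(value);
    } catch (JsonProcessingException e) {
      // Not a single well-formed JSON document: fall through to the string form.
    }
    if (tree != null && tree.isContainerNode()) {
      MAPPER.writeTree(jg, tree);   // object or array, re-serialized by Jackson
    } else {
      jg.writeString(value);        // escaped by Jackson, cannot alter the document
    }
  }

  static String render(String value, boolean raw) throws IOException {
    StringWriter out = new StringWriter();
    try (JsonGenerator jg = MAPPER.getFactory().createGenerator(out)) {
      jg.writeStartObject();
      if (raw) writeRawAttr(jg, "TieredStorageStats", value);
      else writeParsedAttr(jg, "TieredStorageStats", value);
      jg.writeEndObject();
    }
    return out.toString();
  }

  public static void main(String[] args) throws IOException {
    String good = "{\"ARCHIVE\":{\"numBlocks\":0}}";                  // constructed sample
    String bad = "{\"ARCHIVE\":{\"numBlocks\":0}},\"extra\":true";    // constructed: not one document
    for (String v : new String[] {good, bad}) {
      System.out.println("raw:    " + render(v, true));
      System.out.println("parsed: " + render(v, false));
    }
  }
}
```

For the second sample the raw path emits a sibling key that the servlet never wrote, while the parsed path falls back to a single escaped string.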
