[
https://issues.apache.org/jira/browse/HDFS-9711?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Chris Nauroth updated HDFS-9711:
--------------------------------
Attachment: HDFS-9711.001.patch
This patch integrates WebHDFS with the CSRF prevention filter added in
HADOOP-12691. Here is a summary of the changes.
* {{RestCsrfPreventionFilter}} has been changed to expose some of its filtering
logic in public methods. This was required to facilitate integration with the
DataNode, which implements its WebHDFS endpoint using Netty instead of the
servlet API. I also added a convenience method that will help a lot of
components bootstrap the configuration.
* {{HdfsClientConfigKeys}} and {{hdfs-default.xml}} have new configuration
properties for controlling the specifics of the filter.
* {{WebHdfsFileSystem}} sends the custom header if necessary.
* {{NameNodeHttpServer}} sets up the filter configuration and calls
{{HttpServer2#defineFilter}}. I expect this is what integration of the CSRF
filter will look like for the vast majority of components that base their HTTP
server on the {{HttpServer2}} class.
* {{DatanodeHttpServer}} is a little trickier. We need to stub just enough of
the servlet API for filter initialization. The fully initialized filter gets
passed along to {{RestCsrfPreventionFilterHandler}} for subsequent use in the
Netty pipeline.
* The NameNode web UI file explorer discovers if CSRF prevention is enabled,
and if so, sets up subsequent jQuery AJAX calls to include the custom header.
This logic is in a separate {{rest-csrf.js}} module in case it ever needs to be
reused outside the file explorer.
* {{TestWebHdfsWithRestCsrfPreventionFilter}} is a new test suite that covers
various possible configuration combinations, for a GET, a PUT, a DELETE, and a
POST.
* WebHDFS documentation has been updated.
In addition to the new test suite, I manually tested the NameNode web UI,
various {{hdfs dfs}} commands with "webhdfs:" URIs, and DistCp.
> Integrate CSRF prevention filter in WebHDFS.
> --------------------------------------------
>
> Key: HDFS-9711
> URL: https://issues.apache.org/jira/browse/HDFS-9711
> Project: Hadoop HDFS
> Issue Type: New Feature
> Components: datanode, namenode, webhdfs
> Reporter: Chris Nauroth
> Assignee: Chris Nauroth
> Attachments: HDFS-9711.001.patch
>
>
> HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard
> against cross-site request forgery attacks. This issue tracks integration of
> that filter in WebHDFS.
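The server-side check and the client-side step ("sends the custom header if necessary") described in the summary above can be modelled as below. This is an added example, not code from the patch or from Hadoop: the function names and config shape are hypothetical, and the header name, ignored methods and 400 status are assumed values.

```javascript
// Added model of the filter decision; not code from the HDFS-9711 patch.
// Header name, ignored methods and the 400 status are assumed values.
const csrfConfig = {
  enabled: true,
  customHeader: "X-XSRF-HEADER",
  methodsToIgnore: ["GET", "OPTIONS", "HEAD", "TRACE"],
};

// HTTP header names are case-insensitive, so compare in lower case.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Server side: pass the request if the filter is off, the method is in the
// ignore list, or the custom header is present; otherwise reject it.
function filterRequest(cfg, req) {
  if (!cfg.enabled) return { status: 200, reason: "filter disabled" };
  const method = String(req.method).toUpperCase();
  if (cfg.methodsToIgnore.includes(method)) {
    return { status: 200, reason: "method ignored" };
  }
  if (getHeader(req.headers, cfg.customHeader) !== undefined) {
    return { status: 200, reason: "custom header present" };
  }
  return { status: 400, reason: "custom header missing" };
}

// Client side: add the header only when the filter would require it.
function prepareRequest(cfg, method, headers = {}) {
  const req = { method, headers: { ...headers } };
  if (cfg.enabled && !cfg.methodsToIgnore.includes(method.toUpperCase())) {
    req.headers[cfg.customHeader] = "1"; // presence is what this model checks
  }
  return req;
}

// Run the four methods the test suite covers, without and with the client step.
function runMatrix(cfg) {
  return ["GET", "PUT", "DELETE", "POST"].map((method) => ({
    method,
    bare: filterRequest(cfg, { method, headers: {} }).status,
    prepared: filterRequest(cfg, prepareRequest(cfg, method)).status,
  }));
}

console.log(runMatrix(csrfConfig));
```

The `bare` column stands for a request that arrives without the custom header, which is what a cross-site form submission looks like to the server because the submitting page cannot set custom headers on it.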