[ https://issues.apache.org/jira/browse/HDFS-9711?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15132849#comment-15132849 ]
Chris Nauroth commented on HDFS-9711:
-------------------------------------

bq. However, the name of the header is part of the contract thus it should not be configurable. The client can always send the header.

Yes, that makes sense, probably X-XSRF-HDFS.

Bringing in [~lmccay] once again too... Larry, what was the intent behind making the header name configurable in HADOOP-12691? Was that just so that different components could use different header names, like X-XSRF-HDFS vs. X-XSRF-YARN, or did you think there was a reason that individual deployments might need to customize the header name? If the former, then I'm going to remove the configurability at the HDFS layer and just always use X-XSRF-HDFS for the header name.

> Integrate CSRF prevention filter in WebHDFS.
> --------------------------------------------
>
> Key: HDFS-9711
> URL: https://issues.apache.org/jira/browse/HDFS-9711
> Project: Hadoop HDFS
> Issue Type: New Feature
> Components: datanode, namenode, webhdfs
> Reporter: Chris Nauroth
> Assignee: Chris Nauroth
> Attachments: HDFS-9711.001.patch, HDFS-9711.002.patch
>
>
> HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard
> against cross-site request forgery attacks. This issue tracks integration of
> that filter in WebHDFS.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)