[ https://issues.apache.org/jira/browse/HDFS-9711?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15134615#comment-15134615 ]
Larry McCay commented on HDFS-9711:
-----------------------------------

Heads up, [~cnauroth] - my latest patch changed the error messages slightly in order to provide more clarity of the vulnerability check that is in violation. Changed "Missing Required Header for Vulnerability Protection" to "Missing Required Header for CSRF Vulnerability Protection". Sorry for the inconvenience. If this is troublesome or you don't feel it is needed, I can revert that change.

The configurability of the header name, I think, is just a general convenience. Some shops have very strict guidelines on what they do for certain things. If they wanted to always use the same header for CSRF protection for the convenience of the app developers then they could configure the CSRF filter across the platform to expect the same header. If a shop has some notion that headers per component make sense then they could do that as well. Otherwise, I would have expected the default to be used.

From a platform perspective, I would rather the same header be used across the board so as not to put too much of a burden on an app that must communicate with many - maybe like Ambari might have to? Finding out and keeping track of the header name for each component in every deployment may be a lot.

The fact of the matter is that it really doesn't matter from a security perspective what the name is as long as it is what is configured for the filter enforcing the CSRF filter. We are really just ensuring that the request is coming from a client that has the ability to set a header. We just have to know what name to look for.

> Integrate CSRF prevention filter in WebHDFS.
> --------------------------------------------
>
> Key: HDFS-9711
> URL: https://issues.apache.org/jira/browse/HDFS-9711
> Project: Hadoop HDFS
> Issue Type: New Feature
> Components: datanode, namenode, webhdfs
> Reporter: Chris Nauroth
> Assignee: Chris Nauroth
> Attachments: HDFS-9711.001.patch, HDFS-9711.002.patch
>
>
> HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard
> against cross-site request forgery attacks. This issue tracks integration of
> that filter in WebHDFS.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
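The comment above describes the whole mechanism: a servlet filter rejects state-changing requests that lack a configured header, and the header's name is irrelevant to security as long as client and filter agree on it. The following is an added illustration of that pattern and is not Hadoop's RestCsrfPreventionFilter or any code from the HDFS-9711 patches; the init-param names (`custom-header`, `methods-to-ignore`), their defaults and the class name are assumptions chosen for the example.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative header-presence CSRF filter (example code, not Hadoop's own).
 * A deployment can standardise on one header name platform-wide by setting the
 * same init-param on every component, as the comment suggests; otherwise the
 * default applies. The init-param names and defaults here are assumptions.
 */
public class HeaderCsrfFilter implements Filter {

  static final String HEADER_PARAM = "custom-header";        // assumed init-param name
  static final String DEFAULT_HEADER = "X-XSRF-HEADER";       // assumed default header name
  static final String METHODS_PARAM = "methods-to-ignore";    // assumed init-param name
  static final String DEFAULT_METHODS = "GET,OPTIONS,HEAD,TRACE"; // safe methods need no header

  private String headerName = DEFAULT_HEADER;
  private final Set<String> methodsToIgnore = new HashSet<>();

  @Override
  public void init(FilterConfig config) {
    String h = config.getInitParameter(HEADER_PARAM);
    if (h != null && !h.trim().isEmpty()) {
      headerName = h.trim();
    }
    String m = config.getInitParameter(METHODS_PARAM);
    if (m == null || m.trim().isEmpty()) {
      m = DEFAULT_METHODS;
    }
    for (String s : m.split(",")) {
      methodsToIgnore.add(s.trim().toUpperCase(Locale.ROOT));
    }
  }

  /**
   * The request may proceed if the method is one the filter ignores, or if the
   * configured header is present. Only presence matters: the value is not
   * checked, because the point is that a cross-site browser request cannot
   * attach a custom header at all without a CORS preflight that the server
   * never approves.
   */
  boolean isAllowed(String method, String headerValue) {
    if (method != null && methodsToIgnore.contains(method.toUpperCase(Locale.ROOT))) {
      return true;
    }
    return headerValue != null;
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest httpReq = (HttpServletRequest) req;
    HttpServletResponse httpRes = (HttpServletResponse) res;
    if (isAllowed(httpReq.getMethod(), httpReq.getHeader(headerName))) {
      chain.doFilter(req, res);
    } else {
      // Error text mirrors the message the comment says the latest patch now emits.
      httpRes.sendError(HttpServletResponse.SC_BAD_REQUEST,
          "Missing Required Header for CSRF Vulnerability Protection");
    }
  }

  @Override
  public void destroy() {
  }
}
```

Registered in web.xml (or programmatically) with `custom-header` set to the shop's chosen name, every component reads the same value, which is the platform-wide convenience the comment argues for. The filter must also be placed on every path that performs a state-changing operation, since a single unfiltered endpoint is enough for a forged request to succeed.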