[
https://issues.apache.org/jira/browse/HDFS-9711?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15141339#comment-15141339
]
Chris Nauroth commented on HDFS-9711:
-------------------------------------
[~lmccay], thank you for the notes.
The reason that this code path is different from the typical filter processing
is that we've made a decision to implement the DataNode side of WebHDFS in our
own Netty-based HTTP server instead of a servlet container. Compared to the
Jetty-based {{HttpServer2}} class, the Netty-based implementation improves
latency and stability for large block data transfer. Initial development of
the Netty-based server was tracked in HDFS-7279 if you'd like to see more
background.
Because the DataNode side of WebHDFS does not use a servlet container, it takes
some extra effort to integrate with the servlet filter. I explored a few
options and eventually landed on refactoring logic into the public
{{isRequestAllowed}} method as the simplest choice.
Another alternative I explored was providing a minimal implementation of the
servlet API classes that the DataNode could pass into the {{doFilter}} method.
However, this quickly degenerated into writing a ton of code that we really
don't need. Things like {{HttpServletRequest}} and {{HttpServletResponse}} are
wide interfaces with a lot of methods. I would have needed to implement all
methods (a lot of extra work) or stub them to throw exceptions (error-prone for
future maintenance) even though the filter really only needs a small subset of
those methods. This amount of effort isn't worth it just to integrate with one
servlet filter. If we have future requirements for more servlet API
integrations in the DataNode (i.e. requirements for plugging in a lot of
filters), then I might resurrect this idea, but doing it now would be premature.
I expect this situation is unique to WebHDFS. Other components in the
ecosystem should have an easier time integrating, because they'll be using
{{HttpServer2}} or some other servlet container.
I'll look into making some changes to the patch to address your concerns about
the error message.
> Integrate CSRF prevention filter in WebHDFS.
> --------------------------------------------
>
> Key: HDFS-9711
> URL: https://issues.apache.org/jira/browse/HDFS-9711
> Project: Hadoop HDFS
> Issue Type: New Feature
> Components: datanode, namenode, webhdfs
> Reporter: Chris Nauroth
> Assignee: Chris Nauroth
> Attachments: HDFS-9711.001.patch, HDFS-9711.002.patch,
> HDFS-9711.003.patch
>
>
> HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard
> against cross-site request forgery attacks. This issue tracks integration of
> that filter in WebHDFS.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
