[jira] [Updated] (HIVE-13853) Add X-XSRF-Header filter to HS2 HTTP mode and WebHCat

Sun, 05 Jun 2016 10:57:06 -0700 

     [ 
https://issues.apache.org/jira/browse/HIVE-13853?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sushanth Sowmyan updated HIVE-13853:
------------------------------------
      Resolution: Fixed
    Release Note: 
Adds two new configuration parameters, one to hive-site.xml for HiveServer2, 
and one to WebHCat to webhcat-site.xml.

a) First, the HiveServer2 one: hive.server2.xsrf.filter.enabled - if set, will 
require that all requests to HS2 over http mode have an extra http header 
"X-XSRF-Header", without which HS2 will deny requests.

b) Similarly, for webhcat: templeton.xsrf.filter.enabled - does the same for 
WebHCat.

Both these flags are false by default right now (which is why this patch is 
backward compatible, but we would want to flip that at some time in the future)
          Status: Resolved  (was: Patch Available)

Committed to master.

> Add X-XSRF-Header filter to HS2 HTTP mode and WebHCat
> -----------------------------------------------------
>
>                 Key: HIVE-13853
>                 URL: https://issues.apache.org/jira/browse/HIVE-13853
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2, WebHCat
>            Reporter: Sushanth Sowmyan
>            Assignee: Sushanth Sowmyan
>             Fix For: 2.2.0
>
>         Attachments: HIVE-13853.2.patch, HIVE-13853.patch
>
>
> There is a possibility that there may be a CSRF-based attack on various 
> hadoop components, and thus, there is an effort to add a block for all 
> incoming http requests if they do not contain a X-XSRF-Header header. (See 
> HADOOP-12691 for motivation)
> This has potential to affect HS2 when running on thrift-over-http mode(if 
> cookie-based-auth is used), and webhcat.
> We introduce new flags to determine whether or not we're using the filter, 
> and if we are, we will automatically reject any http requests which do not 
> contain this header.
> To allow this to work, we also need to make changes to our JDBC driver to 
> automatically inject this header into any requests it makes. Also, any 
> client-side programs/api not using the JDBC driver directly will need to make 
> changes to add a X-XSRF-Header header to the request to make calls to 
> HS2/WebHCat if this filter is enabled.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to