Sushanth Sowmyan commented on HIVE-13853:

[~sseth], I've been looking at some other tests, and I come to a similar 
question - given that the runtime is not the actual problem of this test, the 
problem is the miniHS2 start, which we do need to test that HS2 is able to 
filter this properly.

Things we could do to improve:

a) batch the miniHS2 tests together - however, this can be problematic as each 
test might do a different confOverlay in the beginning
b) look into why miniHS2 takes so long to start sometimes.

> Add X-XSRF-Header filter to HS2 HTTP mode and WebHCat
> -----------------------------------------------------
>                 Key: HIVE-13853
>                 URL: https://issues.apache.org/jira/browse/HIVE-13853
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2, WebHCat
>            Reporter: Sushanth Sowmyan
>            Assignee: Sushanth Sowmyan
>              Labels: TODOC2.1
>             Fix For: 2.1.0
>         Attachments: HIVE-13853.2.patch, HIVE-13853.patch
> There is a possibility that there may be a CSRF-based attack on various 
> Hadoop components, and thus, there is an effort to add a block for all 
> incoming HTTP requests if they do not contain an X-XSRF-Header header. (See 
> HADOOP-12691 for motivation)
> This has potential to affect HS2 when running on thrift-over-http mode (if 
> cookie-based-auth is used), and WebHCat.
> We introduce new flags to determine whether or not we're using the filter, 
> and if we are, we will automatically reject any HTTP requests which do not 
> contain this header.
> To allow this to work, we also need to make changes to our JDBC driver to 
> automatically inject this header into any requests it makes. Also, any 
> client-side programs/APIs not using the JDBC driver directly will need to make 
> changes to add an X-XSRF-Header header to the request to make calls to 
> HS2/WebHCat if this filter is enabled.
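
The filter behaviour described in the issue above, sketched as an added Python WSGI example; it is not Hive's or Hadoop's code. The class name, the `enabled` flag, the backend endpoint, the header value `true` and the 403 status are assumptions; only the header name comes from the issue.

```python
# Added illustration, not Hive's Java filter. Names and the 403 status are assumptions.
from wsgiref.util import setup_testing_defaults

XSRF_HEADER = "X-XSRF-Header"        # header name from the issue description
ENVIRON_KEY = "HTTP_X_XSRF_HEADER"   # how WSGI exposes that request header


class XsrfHeaderFilter:
    """Reject any request that lacks the header while the filter is enabled."""

    def __init__(self, app, enabled=True):
        self.app = app
        self.enabled = enabled       # stands in for the new on/off flag

    def __call__(self, environ, start_response):
        if self.enabled and ENVIRON_KEY not in environ:
            body = b"Missing required header: " + XSRF_HEADER.encode()
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def backend(environ, start_response):
    """Hypothetical protected endpoint behind the filter."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def send(app, method="POST", headers=None):
    """Drive the WSGI app with a constructed request; return the status code."""
    environ = {"REQUEST_METHOD": method}
    setup_testing_defaults(environ)
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    seen = {}

    def start_response(status, response_headers):
        seen["status"] = int(status.split()[0])

    b"".join(app(environ, start_response))
    return seen["status"]


if __name__ == "__main__":
    guarded = XsrfHeaderFilter(backend, enabled=True)
    print(send(guarded))                                   # request without the header
    print(send(guarded, headers={XSRF_HEADER: "true"}))    # client injects the header
    print(send(XsrfHeaderFilter(backend, enabled=False)))  # filter switched off
```

A client that does not go through the JDBC driver corresponds to the second call: it has to add the header itself on every request once the filter is on.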
