Sushanth Sowmyan created HIVE-13853:
---------------------------------------
Summary: Add X-XSRF-Header filter to HS2 HTTP mode and WebHCat
Key: HIVE-13853
URL: https://issues.apache.org/jira/browse/HIVE-13853
Project: Hive
Issue Type: Bug
Components: HiveServer2, WebHCat
Reporter: Sushanth Sowmyan
Assignee: Sushanth Sowmyan
There is a possibility that there may be a CSRF-based attack on various Hadoop
components, and thus, there is an effort to add a block for all incoming HTTP
requests if they do not contain an X-XSRF-Header header. (See HADOOP-12691 for
motivation.)

This has potential to affect HS2 when running in Thrift-over-HTTP mode (if
cookie-based auth is used), and WebHCat.

We introduce new flags to determine whether or not we're using the filter, and
if we are, we will automatically reject any HTTP requests which do not contain
this header.

To allow this to work, we also need to make changes to our JDBC driver to
automatically inject this header into any requests it makes. Also, any
client-side programs/APIs not using the JDBC driver directly will need to make
changes to add an X-XSRF-Header header to the request to make calls to
HS2/WebHCat if this filter is enabled.
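The header check described in the issue, as an added example that is not Hive's or Hadoop's own filter code: a JDK-only server with a filter that rejects requests lacking X-XSRF-Header, and a client call made with and without the header. The class names, the /demo path, the 400 status and the presence-only check are assumptions of this sketch.

```java
import com.sun.net.httpserver.Filter;
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;

public class XsrfHeaderDemo {
    static final String HEADER = "X-XSRF-Header"; // header name from the issue text

    /** Rejects any request without the header; only presence is checked (assumption). */
    static class XsrfHeaderFilter extends Filter {
        @Override
        public void doFilter(HttpExchange ex, Chain chain) throws IOException {
            if (ex.getRequestHeaders().getFirst(HEADER) == null) {
                // 400 is an assumption of this sketch; the issue only says "reject".
                ex.sendResponseHeaders(400, -1);
                ex.close();
                return;
            }
            chain.doFilter(ex); // header present: hand over to the real handler
        }
        @Override
        public String description() { return "requires " + HEADER; }
    }

    /** Sends a POST, optionally with the header, and returns the HTTP status code. */
    static int post(URL url, boolean withHeader) throws IOException {
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        c.setRequestMethod("POST");
        if (withHeader) c.setRequestProperty(HEADER, "true"); // constructed value
        int code = c.getResponseCode();
        c.disconnect();
        return code;
    }

    public static void main(String[] args) throws IOException {
        // Loopback-only server on an ephemeral port; /demo is a hypothetical endpoint.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/demo", ex -> { ex.sendResponseHeaders(200, -1); ex.close(); })
              .getFilters().add(new XsrfHeaderFilter());
        server.start();
        try {
            URL url = new URL("http://127.0.0.1:" + server.getAddress().getPort() + "/demo");
            System.out.println("without header: " + post(url, false));
            System.out.println("with header:    " + post(url, true));
        } finally {
            server.stop(0);
        }
    }
}
```

A browser cannot attach a custom header to a cross-site form post, which is why requiring one blocks that CSRF path. Non-browser clients that bypass the JDBC driver have to set the header themselves, as the issue notes.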