[jira] [Commented] (YARN-11923) YARN web proxy AmIpFilter allows TRACE, bypassing sparkUI TRACE block

Fri, 23 Jan 2026 02:44:05 -0800 


    [ 
https://issues.apache.org/jira/browse/YARN-11923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18053877#comment-18053877
 ] 

ASF GitHub Bot commented on YARN-11923:
---------------------------------------

susheelgupta7 commented on PR #8206:
URL: https://github.com/apache/hadoop/pull/8206#issuecomment-3789616530

   > Thanks @susheelgupta7 for this security upgrade.
   > 
   > I think that if we hardcode these two HTTP methods, it will also affect 
non-Spark applications and could potentially break some custom YARN 
applications. For example, what if there is a specific YARN AM that has 
business logic tied to these trace calls?
   > 
   > What do you think about creating a new configuration list of allowed HTTP 
methods instead of hardcoding these values? If the list is empty, everything 
would behave as it does currently; otherwise, the methods would be filtered 
against the list.
   
   Thanks @K0K0V0K for the review. The  custom YARN applications may be 
impacted. I'll update the implementation to use a configurable approach.




> YARN web proxy AmIpFilter allows TRACE, bypassing sparkUI TRACE block
> ---------------------------------------------------------------------
>
>                 Key: YARN-11923
>                 URL: https://issues.apache.org/jira/browse/YARN-11923
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: yarn
>            Reporter: Susheel Gupta
>            Assignee: Susheel Gupta
>            Priority: Major
>              Labels: pull-request-available
>
> In yarn mode, sparkUI responds to http TRACE with 302 redirect. The redirect 
> happens in AmIpFilter, so the TRACE request is getting processed before spark 
> jetty handler can reject it. This causes security scanners to report TRACE 
> enabled.
> In local mode there is no yarn proxy filter, so requests go directly to spark 
> Jetty servlet. SPARK‑5983 adds TRACE filter correctly returning 405.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to