[ 
https://issues.apache.org/jira/browse/YARN-4737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15175734#comment-15175734
 ] 

Varun Vasudev commented on YARN-4737:
-------------------------------------

bq. Is the ATS leveraging another auth mechanism (or not using WebApps to 
construct the endpoint)?

I took a look and it looks like the ATS doesn't use WebApps.Builder. Can you 
take a look at the startWebApp function in ApplicationHistoryServer.java? It 
handles the server setup. The impact of enabling CSRF on the ATS will have to 
be evaluated though - the RM and the Tez AM write to it via POST requests.

bq.  Is there another auth mechanism that can be enabled independent of API 
calls to WebApps.Builder?

Admins can set up custom web authentication filters. You can look at 
http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/HttpAuthentication.html
for more details. What's the impact of enabling CSRF with no authentication?

> Use CSRF Filter in YARN
> -----------------------
>
>                 Key: YARN-4737
>                 URL: https://issues.apache.org/jira/browse/YARN-4737
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager, resourcemanager, webapp
>            Reporter: Jonathan Maron
>            Assignee: Jonathan Maron
>         Attachments: YARN-4737.001.patch
>
>
> A CSRF filter was added to hadoop common 
> (https://issues.apache.org/jira/browse/HADOOP-12691).  The aim of this JIRA 
> is to come up with a mechanism to integrate this filter into the webapps for 
> which it is applicable (web apps that may establish an authenticated 
> identity).  That includes the RM, NM, and mapreduce jobhistory web app.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
