[ https://issues.apache.org/jira/browse/YARN-4737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15175759#comment-15175759 ]

Jonathan Maron commented on YARN-4737:
--------------------------------------

Enabling CSRF w/o auth will require the inclusion of the custom header for all 
invocations, regardless of whether they are secure invocations or not.  I don't 
believe that is the expected usage model for the filter.

As far as identifying auth mechanisms - I'm trying to find instances that would 
show the use of custom auth filters but I'm not really finding any.  One theory 
I have is that looking up a value other than "Simple" for 
"hadoop.http.authentication.type" might provide a more general indicator of 
auth being enabled?  Does that seem correct?

POST requests from java clients should not be an issue - the filter only 
executes when a browser user agent is detected.

BTW, the license issues (asflicense) don't appear even remotely related to this 
patch.

> Use CSRF Filter in YARN
> -----------------------
>
>                 Key: YARN-4737
>                 URL: https://issues.apache.org/jira/browse/YARN-4737
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager, resourcemanager, webapp
>            Reporter: Jonathan Maron
>            Assignee: Jonathan Maron
>         Attachments: YARN-4737.001.patch
>
>
> A CSRF filter was added to hadoop common 
> (https://issues.apache.org/jira/browse/HADOOP-12691).  The aim of this JIRA 
> is to come up with a mechanism to integrate this filter into the webapps for 
> which it is applicable (web apps that may establish an authenticated 
> identity).  That includes the RM, NM, and mapreduce jobhistory web app.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
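
An added illustration, not part of the original message or the Hadoop patch: a simplified Python model of the custom-header CSRF check discussed in the comment, optionally gated on the `hadoop.http.authentication.type` indicator it proposes. The header name, ignored methods, user-agent patterns, the 200/400 return codes and the `gate_on_auth` switch are assumptions of this model.

```python
import re

# Assumed values for this model; none of them appear in the message above.
CUSTOM_HEADER = "X-XSRF-HEADER"
METHODS_TO_IGNORE = {"GET", "OPTIONS", "HEAD", "TRACE"}
BROWSER_UA = [re.compile(p) for p in (r"^Mozilla.*", r"^Opera.*")]


def auth_enabled(conf):
    """Proposed indicator: hadoop.http.authentication.type is not 'simple'."""
    value = conf.get("hadoop.http.authentication.type", "simple")
    return value.strip().lower() != "simple"


def csrf_check(method, headers):
    """Model of the filter: return 200 to pass the request on, 400 to reject."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    ua = hdrs.get("user-agent", "")
    if not any(p.match(ua) for p in BROWSER_UA):
        return 200  # non-browser client (e.g. a Java REST client): not checked
    if method.upper() in METHODS_TO_IGNORE:
        return 200  # methods treated as non-state-changing
    if CUSTOM_HEADER.lower() in hdrs:
        return 200  # a cross-site form post cannot set a custom header
    return 400


def handle(conf, method, headers, gate_on_auth=True):
    """Run the check always, or only when auth is enabled (gate_on_auth)."""
    if gate_on_auth and not auth_enabled(conf):
        return 200  # filter not installed for unauthenticated web apps
    return csrf_check(method, headers)


# Constructed sample requests and configurations.
BROWSER_POST = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}
BROWSER_POST_HDR = dict(BROWSER_POST, **{"X-XSRF-HEADER": "1"})
JAVA_POST = {"User-Agent": "Java/1.8.0_66"}
SIMPLE = {"hadoop.http.authentication.type": "simple"}
KERBEROS = {"hadoop.http.authentication.type": "kerberos"}

if __name__ == "__main__":
    for name, conf in (("simple", SIMPLE), ("kerberos", KERBEROS)):
        for gate in (False, True):
            print(name, "gated" if gate else "always",
                  handle(conf, "POST", BROWSER_POST, gate),
                  handle(conf, "POST", BROWSER_POST_HDR, gate),
                  handle(conf, "POST", JAVA_POST, gate))
```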
