[ 
https://issues.apache.org/jira/browse/YARN-5076?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15289254#comment-15289254
 ] 

Junping Du commented on YARN-5076:
----------------------------------

bq. Like I mentioned above - embedding the RM/ATS ui in a frame but blocking 
the NM ui is a pretty reasonable scenario. 
Agree. I think we can achieve this by setting RM/ATS's option to SAMEORIGIN but 
keeping NM as DENY. Isn't it?

bq. Adding a YARN level config which can then be overridden by a RM level 
config down the line will make things more confusing.
There is no overriding here. A YARN level configuration is just to 
enable/disable the XFS protection feature. The sub-options address different 
daemons' requirements if XFS protection is enabled. Am I missing any cases here?

bq. It's the other way round that's the problem in my opinion - with one config 
parameter - you force the users to open all web ui's or no web ui's.
Not really. The one config parameter here is just to mark whether YARN web UIs 
are open or restricted (in different levels/options). Is there really a case 
where we want some YARN web UI purely open to framing while another is 
protected? Instead, adding a configurable ALLOW-FROM makes more sense to me.

> YARN web interfaces lack XFS protection
> ---------------------------------------
>
>                 Key: YARN-5076
>                 URL: https://issues.apache.org/jira/browse/YARN-5076
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager, resourcemanager, timelineserver
>            Reporter: Jonathan Maron
>            Assignee: Jonathan Maron
>         Attachments: YARN-5076.002.patch
>
>   Original Estimate: 48h
>  Remaining Estimate: 48h
>
> There are web interfaces in YARN that do not provide protection against cross 
> frame scripting 
> (https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet).  
> HADOOP-13008 provides a common filter for addressing this vulnerability, so 
> this filter should be integrated into the YARN web interfaces.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
