You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hive.apache.org by "Sushanth Sowmyan (JIRA)" <ji...@apache.org> on 2016/06/02 20:30:59 UTC
[jira] [Updated] (HIVE-13853) Add X-XSRF-Header filter to HS2 HTTP
mode and WebHCat
[ https://issues.apache.org/jira/browse/HIVE-13853?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sushanth Sowmyan updated HIVE-13853:
------------------------------------
Status: Open (was: Patch Available)
> Add X-XSRF-Header filter to HS2 HTTP mode and WebHCat
> -----------------------------------------------------
>
> Key: HIVE-13853
> URL: https://issues.apache.org/jira/browse/HIVE-13853
> Project: Hive
> Issue Type: Bug
> Components: HiveServer2, WebHCat
> Reporter: Sushanth Sowmyan
> Assignee: Sushanth Sowmyan
> Attachments: HIVE-13853.2.patch, HIVE-13853.patch
>
>
> There is a possibility that there may be a CSRF-based attack on various hadoop components, and thus, there is an effort to add a block for all incoming http requests if they do not contain a X-XSRF-Header header. (See HADOOP-12691 for motivation)
> This has potential to affect HS2 when running on thrift-over-http mode(if cookie-based-auth is used), and webhcat.
> We introduce new flags to determine whether or not we're using the filter, and if we are, we will automatically reject any http requests which do not contain this header.
> To allow this to work, we also need to make changes to our JDBC driver to automatically inject this header into any requests it makes. Also, any client-side programs/api not using the JDBC driver directly will need to make changes to add a X-XSRF-Header header to the request to make calls to HS2/WebHCat if this filter is enabled.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)