You are viewing a plain text version of this content. The canonical link for it is here.

Posted to yarn-issues@hadoop.apache.org by "Sunil G (JIRA)" <ji...@apache.org> on 2017/10/17 04:36:02 UTC

[jira] [Commented] (YARN-7338) Support same origin policy for cross site scripting prevention.

    [ https://issues.apache.org/jira/browse/YARN-7338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16206987#comment-16206987 ] 

Sunil G commented on YARN-7338:
-------------------------------

UI2 is launched as a separate service context in same RM webserver. And UI2 is available in {{<rm_ip>:<port>/ui2}} which serves just static pages. 

New YARN UI2 is a SPA (single page application) which downloads statics from  {{<rm_ip>:<port>/ui2}}. And then onwards like any general REST client, browser which loaded UI2 statics will contact RM and NM via server's secure REST end points. Hence UI2 does not impose any issues as of today.

Hence I do not think we have to add these filters to UI2 or not. If its needed, we can add filters to ui2 context also, but i would like to hear thoughts from all folks. [~leftnoteasy] [~vrushalic] [~eyang] [~Sreenath] Please help to share your comments.

> Support same origin policy for cross site scripting prevention.
> ---------------------------------------------------------------
>
>                 Key: YARN-7338
>                 URL: https://issues.apache.org/jira/browse/YARN-7338
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn-ui-v2
>            Reporter: Vrushali C
>
> Opening jira as suggested b [~eyang] on the thread for merging YARN-3368 (new web UI) to branch2  http://mail-archives.apache.org/mod_mbox/hadoop-yarn-dev/201610.mbox/%3CCAD++eCmVVQNZQz9YnkVKcXaCzdkg50YiOFxktgk3mMMs9sHmUA@mail.gmail.com%3E
> ----------
> Ui2 does not seem to support same origin policy for cross site scripting prevention.
> The following parameters has no effect for /ui2:
> hadoop.http.cross-origin.enabled = true
> yarn.resourcemanager.webapp.cross-origin.enabled = true
> This is because ui2 is designed as a separate web application.  WebFilters setup for existing resource manager doesn’t apply to the new web application.
> Please open JIRA to track the security issue and resolve the problem prior to backporting this to branch-2.
> This would minimize the risk to open up security hole in branch-2.
> ----------



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org