Uploaded image for project: 'Hive'
  1. Hive
  2. HIVE-13853

Add X-XSRF-Header filter to HS2 HTTP mode and WebHCat

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.1.0
    • Component/s: HiveServer2, WebHCat
    • Labels:
      None
    • Target Version/s:
    • Release Note:
      Hide
      Adds two new configuration parameters, one to hive-site.xml for HiveServer2, and one to WebHCat to webhcat-site.xml.

      a) First, the HiveServer2 one: hive.server2.xsrf.filter.enabled - if set, will require that all requests to HS2 over http mode have an extra http header "X-XSRF-Header", without which HS2 will deny requests.

      b) Similarly, for webhcat: templeton.xsrf.filter.enabled - does the same for WebHCat.

      Both these flags are false by default right now (which is why this patch is backward compatible, but we would want to flip that at some time in the future)
      Show
      Adds two new configuration parameters, one to hive-site.xml for HiveServer2, and one to WebHCat to webhcat-site.xml. a) First, the HiveServer2 one: hive.server2.xsrf.filter.enabled - if set, will require that all requests to HS2 over http mode have an extra http header "X-XSRF-Header", without which HS2 will deny requests. b) Similarly, for webhcat: templeton.xsrf.filter.enabled - does the same for WebHCat. Both these flags are false by default right now (which is why this patch is backward compatible, but we would want to flip that at some time in the future)

      Description

      There is a possibility that there may be a CSRF-based attack on various hadoop components, and thus, there is an effort to add a block for all incoming http requests if they do not contain a X-XSRF-Header header. (See HADOOP-12691 for motivation)

      This has potential to affect HS2 when running on thrift-over-http mode(if cookie-based-auth is used), and webhcat.

      We introduce new flags to determine whether or not we're using the filter, and if we are, we will automatically reject any http requests which do not contain this header.

      To allow this to work, we also need to make changes to our JDBC driver to automatically inject this header into any requests it makes. Also, any client-side programs/api not using the JDBC driver directly will need to make changes to add a X-XSRF-Header header to the request to make calls to HS2/WebHCat if this filter is enabled.

        Attachments

        1. HIVE-13853.2.patch
          23 kB
          Sushanth Sowmyan
        2. HIVE-13853.patch
          23 kB
          Sushanth Sowmyan

          Issue Links

            Activity

              People

              • Assignee:
                sushanth Sushanth Sowmyan
                Reporter:
                sushanth Sushanth Sowmyan
              • Votes:
                0 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: