Uploaded image for project: 'Hive'
  1. Hive
  2. HIVE-13853

Add X-XSRF-Header filter to HS2 HTTP mode and WebHCat

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 2.1.0
    • HiveServer2, WebHCat
    • None
    • Hide
      Adds two new configuration parameters, one to hive-site.xml for HiveServer2, and one to WebHCat to webhcat-site.xml.

      a) First, the HiveServer2 one: hive.server2.xsrf.filter.enabled - if set, will require that all requests to HS2 over http mode have an extra http header "X-XSRF-Header", without which HS2 will deny requests.

      b) Similarly, for webhcat: templeton.xsrf.filter.enabled - does the same for WebHCat.

      Both these flags are false by default right now (which is why this patch is backward compatible, but we would want to flip that at some time in the future)
      Show
      Adds two new configuration parameters, one to hive-site.xml for HiveServer2, and one to WebHCat to webhcat-site.xml. a) First, the HiveServer2 one: hive.server2.xsrf.filter.enabled - if set, will require that all requests to HS2 over http mode have an extra http header "X-XSRF-Header", without which HS2 will deny requests. b) Similarly, for webhcat: templeton.xsrf.filter.enabled - does the same for WebHCat. Both these flags are false by default right now (which is why this patch is backward compatible, but we would want to flip that at some time in the future)

    Description

      There is a possibility that there may be a CSRF-based attack on various hadoop components, and thus, there is an effort to add a block for all incoming http requests if they do not contain a X-XSRF-Header header. (See HADOOP-12691 for motivation)

      This has potential to affect HS2 when running on thrift-over-http mode(if cookie-based-auth is used), and webhcat.

      We introduce new flags to determine whether or not we're using the filter, and if we are, we will automatically reject any http requests which do not contain this header.

      To allow this to work, we also need to make changes to our JDBC driver to automatically inject this header into any requests it makes. Also, any client-side programs/api not using the JDBC driver directly will need to make changes to add a X-XSRF-Header header to the request to make calls to HS2/WebHCat if this filter is enabled.

      Attachments

        1. HIVE-13853.patch
          23 kB
          Sushanth Sowmyan
        2. HIVE-13853.2.patch
          23 kB
          Sushanth Sowmyan

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. HIVE-13949 Investigate why Filter mechanism does not work for XSRF filtering from HS2

          • Major - Major loss of function.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. HIVE-14099 Hive security authorization can be disabled by users

          • Major - Major loss of function.
          • Resolved
          relates to

          Bug - A problem which impairs or prevents the functions of the product. HIVE-17679 http-generic-click-jacking for WebHcat server

          • Major - Major loss of function.
          • Closed

          Activity

            People

              sushanth Sushanth Sowmyan
              sushanth Sushanth Sowmyan
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: