HIVE-13853

Add X-XSRF-Header filter to HS2 HTTP mode and WebHCat


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.1.0
    • Component/s: HiveServer2, WebHCat
    • Labels: None
    • Release Note:
      Adds two new configuration parameters, one to hive-site.xml for HiveServer2 and one to webhcat-site.xml for WebHCat.

      a) First, the HiveServer2 one: hive.server2.xsrf.filter.enabled - if set, will require that all requests to HS2 over HTTP mode carry an extra HTTP header "X-XSRF-Header", without which HS2 will deny the request.

      b) Similarly, for WebHCat: templeton.xsrf.filter.enabled - does the same for WebHCat.

      Both these flags are false by default right now (which is why this patch is backward compatible), but we would want to flip that at some time in the future.

    Description

      There is a possibility of CSRF-based attacks on various Hadoop components, and thus there is an effort to block all incoming HTTP requests that do not contain an X-XSRF-Header header (see HADOOP-12691 for motivation). A forged request issued from another origin carries the victim's session cookie automatically, but a cross-site form submission cannot set a custom header, so requiring the header stops it.

      This has the potential to affect HS2 when running in thrift-over-HTTP mode (if cookie-based auth is used), and WebHCat.

      We introduce new flags to determine whether or not we're using the filter, and if we are, we will automatically reject any HTTP request that does not contain this header.

      To allow this to work, we also need to change our JDBC driver to automatically inject this header into any request it makes. Also, any client-side program/API not using the JDBC driver directly will need to add an X-XSRF-Header header to its requests to HS2/WebHCat if this filter is enabled.
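      The following is an added example, not code from the Hive patch or the Hive project: a small model of the opt-in check the description specifies (flag read from the site file, request rejected when the header is absent) together with the client-side change it demands. Everything beyond what the page states is an assumption and is marked as such in the code: the Hadoop-style <configuration>/<property> XML layout of hive-site.xml, the header value "true" (the page only requires that the header exist), the /cliservice path and the cookie contents, which are constructed sample data.

```python
# Added example (not Hive's code): a model of the opt-in X-XSRF-Header check
# described in HIVE-13853 and of the client-side change it requires.
# Assumptions not stated on the page: the header value is not inspected
# (only its presence matters), the Hadoop-style <configuration> XML layout
# of hive-site.xml / webhcat-site.xml, and the constructed sample requests.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, Tuple

XSRF_HEADER = "X-XSRF-Header"
HS2_FLAG = "hive.server2.xsrf.filter.enabled"
WEBHCAT_FLAG = "templeton.xsrf.filter.enabled"


def load_site_flags(site_xml: str) -> Dict[str, bool]:
    """Parse a Hadoop-style site file and return the boolean value of each
    *.xsrf.filter.enabled property. Absent properties default to False,
    matching the page: the filters are off unless explicitly enabled."""
    root = ET.fromstring(site_xml)
    flags = {HS2_FLAG: False, WEBHCAT_FLAG: False}
    for prop in root.iter("property"):
        name = prop.findtext("name", "").strip()
        value = prop.findtext("value", "").strip().lower()
        if name in flags:
            flags[name] = value == "true"
    return flags


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)

    def has_header(self, name: str) -> bool:
        # HTTP header names are case-insensitive.
        return any(k.lower() == name.lower() for k in self.headers)


def xsrf_filter(enabled: bool, request: Request) -> Tuple[int, str]:
    """Decision the filter makes in front of HS2 (HTTP mode) or WebHCat.
    Flag off: every request passes through unchanged. Flag on: any request
    lacking X-XSRF-Header is rejected before it reaches the service. The
    page says this applies to all requests, so no method is exempted here."""
    if not enabled:
        return 200, "filter disabled: passed through"
    if request.has_header(XSRF_HEADER):
        return 200, "X-XSRF-Header present: passed through"
    return 403, "missing X-XSRF-Header"


def add_xsrf_header(headers: Dict[str, str]) -> Dict[str, str]:
    """What a non-JDBC client must do once the filter is enabled: attach the
    header to every request. The value "true" is an assumption; the page
    only requires that the header be present."""
    out = dict(headers)
    out.setdefault(XSRF_HEADER, "true")
    return out


# Constructed sample configuration files for the demonstration.
HIVE_SITE_DEFAULT = "<configuration></configuration>"
HIVE_SITE_HARDENED = """<configuration>
  <property>
    <name>hive.server2.xsrf.filter.enabled</name>
    <value>true</value>
  </property>
</configuration>"""

# Constructed requests. A cross-site form post: the browser attaches the
# session cookie by itself, but a form cannot add a custom header, so this
# is what the filter exists to stop. Path and cookie are assumed values.
FORGED = Request("POST", "/cliservice", {"Cookie": "session=abc123"})
# A legitimate client that was updated to send the header.
LEGIT = Request("POST", "/cliservice", add_xsrf_header({"Cookie": "session=abc123"}))


def demo() -> Dict[str, int]:
    """Run the forged and legitimate requests through both configurations
    and return the HTTP status each would receive."""
    off = load_site_flags(HIVE_SITE_DEFAULT)[HS2_FLAG]
    on = load_site_flags(HIVE_SITE_HARDENED)[HS2_FLAG]
    return {
        "forged,flag off": xsrf_filter(off, FORGED)[0],
        "forged,flag on": xsrf_filter(on, FORGED)[0],
        "legit,flag on": xsrf_filter(on, LEGIT)[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: HTTP {status}")
```

      The check that matters is the default: with the property absent, the forged request is served, which is why the release note calls the patch backward compatible and why the flag needs to be set on any HS2 HTTP-mode or WebHCat deployment that relies on cookie-based auth.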

      Attachments

        1. HIVE-13853.2.patch
          23 kB
          Sushanth Sowmyan
        2. HIVE-13853.patch
          23 kB
          Sushanth Sowmyan


        People

          Assignee: Sushanth Sowmyan (sushanth)
          Reporter: Sushanth Sowmyan (sushanth)