Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: security
    • Labels: None

Description

CSRF prevention for REST APIs can be provided through the Hadoop Common servlet filter. This filter checks for the existence of an expected (configurable) HTTP header, such as X-XSRF-Header. The filter is added in Hadoop 2.8.0, so we might need to wait for some time.

Because CSRF attacks are entirely browser based, the above approach ensures that requests come either from applications served by the same origin as the REST API, or from another origin whose explicit policy configuration allows setting a header on an XMLHttpRequest.
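To illustrate the header check described above, here is an added example servlet filter, written for this page and not taken from Hadoop or from the attached patches; the class name, the init-param names and the exempt-method list are assumptions:

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Illustrative CSRF-prevention filter (added example, not the Hadoop filter or the
// attached patch). A browser attaches a custom header to a cross-origin request only
// when the target origin's policy explicitly allows it, so requiring the header on
// every state-changing request closes the browser-based CSRF vector.
public class CsrfHeaderFilter implements Filter {
    // Init-param names "custom-header" and "methods-to-ignore" are assumptions.
    private String headerName = "X-XSRF-Header";  // example header from the issue text
    private Set<String> ignoredMethods =
            new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS"));

    @Override
    public void init(FilterConfig config) {
        String h = config.getInitParameter("custom-header");
        if (h != null && !h.trim().isEmpty()) headerName = h.trim();
        String m = config.getInitParameter("methods-to-ignore");
        if (m != null) {
            ignoredMethods = new HashSet<>();
            for (String method : m.split(",")) ignoredMethods.add(method.trim().toUpperCase());
        }
    }

    // True when the request may proceed. Only the header's presence is checked:
    // the browser's same-origin policy, not the header value, is what an attacker
    // cannot get around. Safe (read-only) methods are exempt.
    boolean isAllowed(HttpServletRequest req) {
        if (ignoredMethods.contains(req.getMethod().toUpperCase())) return true;
        return req.getHeader(headerName) != null;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        if (isAllowed(req)) {
            chain.doFilter(request, response);
        } else {
            ((HttpServletResponse) response).sendError(
                    HttpServletResponse.SC_FORBIDDEN, "Missing required header: " + headerName);
        }
    }

    public void destroy() { }
}
```

Registering the filter in web.xml in front of the REST servlet, with the header name as an init-param, is all the deployment needs; clients of the same origin then add the header to their requests, while a forged cross-origin form or script cannot.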

Attachments

1. OOZIE-2612-00.patch (4 kB, Abhishek Bafna)
2. OOZIE-2612-01.patch (4 kB, Abhishek Bafna)

People

    • Assignee: Abhishek Bafna (abhishekbafna)
    • Reporter: Abhishek Bafna (abhishekbafna)
    • Votes: 0
    • Watchers: 1
