ranger-dev mailing list archives

From Ankita Sinha <ankita.si...@freestoneinfotech.com>
Subject Re: Review Request 47819: RANGER-995 : Add CSRF Filter for REST APIs to Ranger
Date Fri, 27 May 2016 04:43:32 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47819/
-----------------------------------------------------------

(Updated May 27, 2016, 4:43 a.m.)


Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj,
Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.


Changes
-------

Added Apache jira : RANGER-995


Summary (updated)
-----------------

RANGER-995 : Add CSRF Filter for REST APIs to Ranger


Bugs: RANGER-995
    https://issues.apache.org/jira/browse/RANGER-995


Repository: ranger


Description
-------

CSRF prevention for REST APIs can be provided through a common servlet filter. This filter
would check for the existence of an expected (configurable) HTTP header - such as X-XSRF-Header.

The fact that CSRF attacks are entirely browser based means that the above approach can ensure
that requests are coming either from applications served by the same origin as the REST API,
or from another origin where explicit policy configuration allows the setting of a header on
XmlHttpRequest.
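To make the header check described above concrete, here is an illustrative servlet filter. It is an added example, not the RangerCSRFPreventionFilter from this review or any other Ranger code; the class name, the init-parameter names (`csrf.header.name`, `csrf.safe.methods`), the default header `X-XSRF-HEADER`, the default exempt methods and the 400 response are all assumptions of this example. The decision is kept in a separate method so it can be unit-tested without a servlet container, in the spirit of the TestRangerCSRFPreventionFilter listed in the diff.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative CSRF-prevention filter (example only; not Ranger's
 * RangerCSRFPreventionFilter). State-changing requests must carry a
 * custom header; a browser will only attach such a header to an
 * XmlHttpRequest from the same origin, or from an origin the server
 * has explicitly permitted through CORS policy.
 */
public class HeaderCheckCsrfFilter implements Filter {
    // Init-parameter names and defaults are assumptions for this example,
    // not Ranger configuration keys.
    static final String HEADER_PARAM = "csrf.header.name";
    static final String SAFE_METHODS_PARAM = "csrf.safe.methods";
    static final String DEFAULT_HEADER = "X-XSRF-HEADER";
    static final String DEFAULT_SAFE_METHODS = "GET,OPTIONS,HEAD";

    private String headerName = DEFAULT_HEADER;
    private Set<String> safeMethods = parseMethods(DEFAULT_SAFE_METHODS);

    @Override
    public void init(FilterConfig config) {
        String h = config.getInitParameter(HEADER_PARAM);
        if (h != null && !h.trim().isEmpty()) {
            headerName = h.trim();
        }
        String m = config.getInitParameter(SAFE_METHODS_PARAM);
        if (m != null && !m.trim().isEmpty()) {
            safeMethods = parseMethods(m);
        }
    }

    /** Parses a comma-separated list of HTTP methods, case-insensitively. */
    static Set<String> parseMethods(String csv) {
        Set<String> methods = new HashSet<>();
        for (String part : csv.split(",")) {
            String method = part.trim().toUpperCase(Locale.ROOT);
            if (!method.isEmpty()) {
                methods.add(method);
            }
        }
        return methods;
    }

    /**
     * The actual decision, separated from the servlet plumbing so a unit
     * test can exercise it directly. Read-only methods are exempt; every
     * other method must present the configured header. The header's value
     * is irrelevant: its presence proves the request was not a plain
     * cross-site form post or image load.
     */
    boolean isAllowed(String method, String headerValue) {
        if (method != null && safeMethods.contains(method.toUpperCase(Locale.ROOT))) {
            return true;
        }
        return headerValue != null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpServletResponse httpRes = (HttpServletResponse) res;
        if (isAllowed(httpReq.getMethod(), httpReq.getHeader(headerName))) {
            chain.doFilter(req, res);
        } else {
            // Rejecting before the REST layer runs means the handler never sees the request.
            httpRes.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Missing required header for CSRF protection: " + headerName);
        }
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

With the defaults above, a PUT, POST or DELETE without the header is rejected with 400, while GET, OPTIONS and HEAD pass regardless; a browser client therefore has to add the header on each XmlHttpRequest, which is the role the RestCsrf.js module in the diff list plays on the web UI side.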


Diffs (updated)
-----

  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 19a1509
  security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java PRE-CREATION
  security-admin/src/main/resources/conf.dist/ranger-admin-site.xml c1a91ae
  security-admin/src/main/resources/conf.dist/security-applicationContext.xml 66ef8af
  security-admin/src/main/webapp/scripts/Main.js 460c91a
  security-admin/src/main/webapp/scripts/modules/RestCsrf.js PRE-CREATION
  security-admin/src/test/java/org/apache/ranger/security/web/filter/TestRangerCSRFPreventionFilter.java PRE-CREATION

Diff: https://reviews.apache.org/r/47819/diff/


Testing
-------

1. Tested against Unit Test for CSRF
2. Tested Ranger Admin (with GET/PUT/POST/DELETE/OPTIONS methods)
3. Tested User sync
4. Tested for Ranger HDFS Plugin.


Thanks,

Ankita Sinha

