ranger-dev mailing list archives

From Ankita Sinha <ankita.si...@freestoneinfotech.com>
Subject Re: Review Request 47819: RANGER-995 : Add CSRF Filter for REST APIs to Ranger
Date Fri, 27 May 2016 04:43:32 GMT

This is an automatically generated e-mail. To reply, visit:

(Updated May 27, 2016, 4:43 a.m.)

Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj,
Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.


Added Apache jira : RANGER-995

Summary (updated)

RANGER-995 : Add CSRF Filter for REST APIs to Ranger

Bugs: RANGER-995

Repository: ranger


CSRF prevention for REST APIs can be provided through a common servlet filter. This filter
would check for the existence of an expected (configurable) HTTP header - such as X-XSRF-Header.

The fact that CSRF attacks are entirely browser-based means that the above approach can ensure
that requests are coming either from applications served by the same origin as the REST API,
or from another origin for which there is explicit policy configuration that allows setting a
header on an XmlHttpRequest.

Diffs (updated)

  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 19a1509 
  security-admin/src/main/resources/conf.dist/ranger-admin-site.xml c1a91ae 
  security-admin/src/main/resources/conf.dist/security-applicationContext.xml 66ef8af 
  security-admin/src/main/webapp/scripts/Main.js 460c91a 
  security-admin/src/main/webapp/scripts/modules/RestCsrf.js PRE-CREATION 

Diff: https://reviews.apache.org/r/47819/diff/


1. Tested against Unit Test for CSRF
2. Tested Ranger Admin (with GET/PUT/POST/DELETE/OPTIONS methods)
3. Tested User sync
4. Tested for Ranger HDFS Plugin.


Ankita Sinha
