ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Velmurugan Periasamy <vperias...@hortonworks.com>
Subject Re: Review Request 47819: RANGER-995 : Add CSRF Filter for REST APIs to Ranger
Date Mon, 30 May 2016 12:08:35 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47819/#review135501
-----------------------------------------------------------


Ship it!




Ship It!

- Velmurugan Periasamy


On May 27, 2016, 4:43 a.m., Ankita Sinha wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/47819/
> -----------------------------------------------------------
> 
> (Updated May 27, 2016, 4:43 a.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj,
Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-995
>     https://issues.apache.org/jira/browse/RANGER-995
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> CSRF prevention for REST APIs can be provided through a common servlet filter. This filter
would check for the existence of an expected (configurable) HTTP header - such as X-XSRF-Header.
> 
> The fact that CSRF attacks are entirely browser based means that the above approach can
ensure that requests are coming from either: applications served by the same origin as the
REST API or that there is explicit policy configuration that allows the setting of a header
on XmlHttpRequest from another origin.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 19a1509 
>   security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java
PRE-CREATION 
>   security-admin/src/main/resources/conf.dist/ranger-admin-site.xml c1a91ae 
>   security-admin/src/main/resources/conf.dist/security-applicationContext.xml 66ef8af

>   security-admin/src/main/webapp/scripts/Main.js 460c91a 
>   security-admin/src/main/webapp/scripts/modules/RestCsrf.js PRE-CREATION 
>   security-admin/src/test/java/org/apache/ranger/security/web/filter/TestRangerCSRFPreventionFilter.java
PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/47819/diff/
> 
> 
> Testing
> -------
> 
> 1. Tested against Unit Test for CSRF
> 2. Tested Ranger Admin (with Get/PUT/POST/DELETE/OPTION methods)
> 2. Tested User sync 
> 3. Tested for Ranger HDFS Plugin.
> 
> 
> Thanks,
> 
> Ankita Sinha
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message