YARN-4737. Add CSRF filter support in YARN. Contributed by Jonathan Maron.
This commit is contained in:
parent
4f9fe3ac03
commit
e51a8c1056
|
@ -225,6 +225,19 @@ public class JHAdminConfig {
|
||||||
+ "jobname.limit";
|
+ "jobname.limit";
|
||||||
public static final int DEFAULT_MR_HS_JOBNAME_LIMIT = 50;
|
public static final int DEFAULT_MR_HS_JOBNAME_LIMIT = 50;
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* CSRF settings.
|
||||||
|
*/
|
||||||
|
public static final String MR_HISTORY_CSRF_PREFIX = MR_HISTORY_PREFIX +
|
||||||
|
"webapp.rest-csrf.";
|
||||||
|
public static final String MR_HISTORY_CSRF_ENABLED = MR_HISTORY_CSRF_PREFIX +
|
||||||
|
"enabled";
|
||||||
|
public static final String MR_HISTORY_CSRF_CUSTOM_HEADER =
|
||||||
|
MR_HISTORY_CSRF_PREFIX + "custom-header";
|
||||||
|
public static final String MR_HISTORY_METHODS_TO_IGNORE =
|
||||||
|
MR_HISTORY_CSRF_PREFIX + "methods-to-ignore";
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Settings for .jhist file format.
|
* Settings for .jhist file format.
|
||||||
*/
|
*/
|
||||||
|
|
|
@ -1862,4 +1862,30 @@
|
||||||
default is -1</description>
|
default is -1</description>
|
||||||
</property>
|
</property>
|
||||||
|
|
||||||
|
<property>
|
||||||
|
<description>
|
||||||
|
Enable the CSRF filter for the job history web app
|
||||||
|
</description>
|
||||||
|
<name>mapreduce.jobhistory.webapp.rest-csrf.enabled</name>
|
||||||
|
<value>false</value>
|
||||||
|
</property>
|
||||||
|
|
||||||
|
<property>
|
||||||
|
<description>
|
||||||
|
Optional parameter that indicates the custom header name to use for CSRF
|
||||||
|
protection.
|
||||||
|
</description>
|
||||||
|
<name>mapreduce.jobhistory.webapp.rest-csrf.custom-header</name>
|
||||||
|
<value>X-XSRF-Header</value>
|
||||||
|
</property>
|
||||||
|
|
||||||
|
<property>
|
||||||
|
<description>
|
||||||
|
Optional parameter that indicates the list of HTTP methods that do not
|
||||||
|
require CSRF protection
|
||||||
|
</description>
|
||||||
|
<name>mapreduce.jobhistory.webapp.rest-csrf.methods-to-ignore</name>
|
||||||
|
<value>GET,OPTIONS,HEAD</value>
|
||||||
|
</property>
|
||||||
|
|
||||||
</configuration>
|
</configuration>
|
||||||
|
|
|
@ -160,6 +160,7 @@ public class HistoryClientService extends AbstractService {
|
||||||
JHAdminConfig.MR_WEBAPP_SPNEGO_KEYTAB_FILE_KEY)
|
JHAdminConfig.MR_WEBAPP_SPNEGO_KEYTAB_FILE_KEY)
|
||||||
.withHttpSpnegoPrincipalKey(
|
.withHttpSpnegoPrincipalKey(
|
||||||
JHAdminConfig.MR_WEBAPP_SPNEGO_USER_NAME_KEY)
|
JHAdminConfig.MR_WEBAPP_SPNEGO_USER_NAME_KEY)
|
||||||
|
.withCSRFProtection(JHAdminConfig.MR_HISTORY_CSRF_PREFIX)
|
||||||
.at(NetUtils.getHostPortString(bindAddress)).start(webApp);
|
.at(NetUtils.getHostPortString(bindAddress)).start(webApp);
|
||||||
|
|
||||||
String connectHost = MRWebAppUtil.getJHSWebappURLWithoutScheme(conf).split(":")[0];
|
String connectHost = MRWebAppUtil.getJHSWebappURLWithoutScheme(conf).split(":")[0];
|
||||||
|
|
|
@ -2399,6 +2399,30 @@ public class YarnConfiguration extends Configuration {
|
||||||
public static final String NM_SCRIPT_BASED_NODE_LABELS_PROVIDER_SCRIPT_OPTS =
|
public static final String NM_SCRIPT_BASED_NODE_LABELS_PROVIDER_SCRIPT_OPTS =
|
||||||
NM_SCRIPT_BASED_NODE_LABELS_PROVIDER_PREFIX + "opts";
|
NM_SCRIPT_BASED_NODE_LABELS_PROVIDER_PREFIX + "opts";
|
||||||
|
|
||||||
|
// RM and NM CSRF props
|
||||||
|
public static final String REST_CSRF = "webapp.rest-csrf.";
|
||||||
|
public static final String RM_CSRF_PREFIX = RM_PREFIX + REST_CSRF;
|
||||||
|
public static final String NM_CSRF_PREFIX = NM_PREFIX + REST_CSRF;
|
||||||
|
public static final String TIMELINE_CSRF_PREFIX = TIMELINE_SERVICE_PREFIX +
|
||||||
|
REST_CSRF;
|
||||||
|
public static final String RM_CSRF_ENABLED = RM_CSRF_PREFIX + "enabled";
|
||||||
|
public static final String NM_CSRF_ENABLED = NM_CSRF_PREFIX + "enabled";
|
||||||
|
public static final String TIMELINE_CSRF_ENABLED = TIMELINE_CSRF_PREFIX +
|
||||||
|
"enabled";
|
||||||
|
public static final String RM_CSRF_CUSTOM_HEADER = RM_CSRF_PREFIX +
|
||||||
|
"custom-header";
|
||||||
|
public static final String NM_CSRF_CUSTOM_HEADER = NM_CSRF_PREFIX +
|
||||||
|
"custom-header";
|
||||||
|
public static final String TIMELINE_CSRF_CUSTOM_HEADER =
|
||||||
|
TIMELINE_CSRF_PREFIX + "custom-header";
|
||||||
|
public static final String RM_CSRF_METHODS_TO_IGNORE = RM_CSRF_PREFIX +
|
||||||
|
"methods-to-ignore";
|
||||||
|
public static final String NM_CSRF_METHODS_TO_IGNORE = NM_CSRF_PREFIX +
|
||||||
|
"methods-to-ignore";
|
||||||
|
public static final String TIMELINE_CSRF_METHODS_TO_IGNORE =
|
||||||
|
TIMELINE_CSRF_PREFIX + "methods-to-ignore";
|
||||||
|
|
||||||
|
|
||||||
public YarnConfiguration() {
|
public YarnConfiguration() {
|
||||||
super();
|
super();
|
||||||
}
|
}
|
||||||
|
|
|
@ -39,6 +39,7 @@ import org.apache.hadoop.http.HttpConfig.Policy;
|
||||||
import org.apache.hadoop.http.HttpServer2;
|
import org.apache.hadoop.http.HttpServer2;
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.security.authorize.AccessControlList;
|
import org.apache.hadoop.security.authorize.AccessControlList;
|
||||||
|
import org.apache.hadoop.security.http.RestCsrfPreventionFilter;
|
||||||
import org.apache.hadoop.yarn.conf.YarnConfiguration;
|
import org.apache.hadoop.yarn.conf.YarnConfiguration;
|
||||||
import org.apache.hadoop.yarn.webapp.util.WebAppUtils;
|
import org.apache.hadoop.yarn.webapp.util.WebAppUtils;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
|
@ -73,6 +74,7 @@ import com.google.inject.servlet.GuiceFilter;
|
||||||
public class WebApps {
|
public class WebApps {
|
||||||
static final Logger LOG = LoggerFactory.getLogger(WebApps.class);
|
static final Logger LOG = LoggerFactory.getLogger(WebApps.class);
|
||||||
public static class Builder<T> {
|
public static class Builder<T> {
|
||||||
|
|
||||||
static class ServletStruct {
|
static class ServletStruct {
|
||||||
public Class<? extends HttpServlet> clazz;
|
public Class<? extends HttpServlet> clazz;
|
||||||
public String name;
|
public String name;
|
||||||
|
@ -91,6 +93,7 @@ public class WebApps {
|
||||||
boolean devMode = false;
|
boolean devMode = false;
|
||||||
private String spnegoPrincipalKey;
|
private String spnegoPrincipalKey;
|
||||||
private String spnegoKeytabKey;
|
private String spnegoKeytabKey;
|
||||||
|
private String configPrefix;
|
||||||
private final HashSet<ServletStruct> servlets = new HashSet<ServletStruct>();
|
private final HashSet<ServletStruct> servlets = new HashSet<ServletStruct>();
|
||||||
private final HashMap<String, Object> attributes = new HashMap<String, Object>();
|
private final HashMap<String, Object> attributes = new HashMap<String, Object>();
|
||||||
|
|
||||||
|
@ -161,6 +164,18 @@ public class WebApps {
|
||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Enable the CSRF filter.
|
||||||
|
* @param csrfConfigPrefix The config prefix that identifies the
|
||||||
|
* CSRF parameters applicable for this filter
|
||||||
|
* instance.
|
||||||
|
* @return the Builder instance
|
||||||
|
*/
|
||||||
|
public Builder<T> withCSRFProtection(String csrfConfigPrefix) {
|
||||||
|
this.configPrefix = csrfConfigPrefix;
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
public Builder<T> inDevMode() {
|
public Builder<T> inDevMode() {
|
||||||
devMode = true;
|
devMode = true;
|
||||||
return this;
|
return this;
|
||||||
|
@ -266,6 +281,19 @@ public class WebApps {
|
||||||
for(Map.Entry<String, Object> entry : attributes.entrySet()) {
|
for(Map.Entry<String, Object> entry : attributes.entrySet()) {
|
||||||
server.setAttribute(entry.getKey(), entry.getValue());
|
server.setAttribute(entry.getKey(), entry.getValue());
|
||||||
}
|
}
|
||||||
|
Map<String, String> params = getCsrfConfigParameters();
|
||||||
|
|
||||||
|
if (hasCSRFEnabled(params)) {
|
||||||
|
LOG.info("CSRF Protection has been enabled for the {} application. "
|
||||||
|
+ "Please ensure that there is an authentication mechanism "
|
||||||
|
+ "enabled (kerberos, custom, etc).",
|
||||||
|
name);
|
||||||
|
String restCsrfClassName = RestCsrfPreventionFilter.class.getName();
|
||||||
|
HttpServer2.defineFilter(server.getWebAppContext(), restCsrfClassName,
|
||||||
|
restCsrfClassName, params,
|
||||||
|
new String[] {"/*"});
|
||||||
|
}
|
||||||
|
|
||||||
HttpServer2.defineFilter(server.getWebAppContext(), "guice",
|
HttpServer2.defineFilter(server.getWebAppContext(), "guice",
|
||||||
GuiceFilter.class.getName(), null, new String[] { "/*" });
|
GuiceFilter.class.getName(), null, new String[] { "/*" });
|
||||||
|
|
||||||
|
@ -295,6 +323,20 @@ public class WebApps {
|
||||||
return webapp;
|
return webapp;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private boolean hasCSRFEnabled(Map<String, String> params) {
|
||||||
|
return params != null && Boolean.valueOf(params.get("enabled"));
|
||||||
|
}
|
||||||
|
|
||||||
|
private Map<String, String> getCsrfConfigParameters() {
|
||||||
|
Map<String, String> params = null;
|
||||||
|
if (configPrefix != null) {
|
||||||
|
// need to obtain parameters for CSRF filter
|
||||||
|
params =
|
||||||
|
RestCsrfPreventionFilter.getFilterParams(conf, configPrefix);
|
||||||
|
}
|
||||||
|
return params;
|
||||||
|
}
|
||||||
|
|
||||||
public WebApp start() {
|
public WebApp start() {
|
||||||
return start(null);
|
return start(null);
|
||||||
}
|
}
|
||||||
|
|
|
@ -2637,4 +2637,82 @@
|
||||||
<name>yarn.node-labels.fs-store.impl.class</name>
|
<name>yarn.node-labels.fs-store.impl.class</name>
|
||||||
<value>org.apache.hadoop.yarn.nodelabels.FileSystemNodeLabelsStore</value>
|
<value>org.apache.hadoop.yarn.nodelabels.FileSystemNodeLabelsStore</value>
|
||||||
</property>
|
</property>
|
||||||
|
|
||||||
|
<property>
|
||||||
|
<description>
|
||||||
|
Enable the CSRF filter for the RM web app
|
||||||
|
</description>
|
||||||
|
<name>yarn.resourcemanager.webapp.rest-csrf.enabled</name>
|
||||||
|
<value>false</value>
|
||||||
|
</property>
|
||||||
|
|
||||||
|
<property>
|
||||||
|
<description>
|
||||||
|
Optional parameter that indicates the custom header name to use for CSRF
|
||||||
|
protection.
|
||||||
|
</description>
|
||||||
|
<name>yarn.resourcemanager.webapp.rest-csrf.custom-header</name>
|
||||||
|
<value>X-XSRF-Header</value>
|
||||||
|
</property>
|
||||||
|
|
||||||
|
<property>
|
||||||
|
<description>
|
||||||
|
Optional parameter that indicates the list of HTTP methods that do not
|
||||||
|
require CSRF protection
|
||||||
|
</description>
|
||||||
|
<name>yarn.resourcemanager.webapp.rest-csrf.methods-to-ignore</name>
|
||||||
|
<value>GET,OPTIONS,HEAD</value>
|
||||||
|
</property>
|
||||||
|
|
||||||
|
<property>
|
||||||
|
<description>
|
||||||
|
Enable the CSRF filter for the NM web app
|
||||||
|
</description>
|
||||||
|
<name>yarn.nodemanager.webapp.rest-csrf.enabled</name>
|
||||||
|
<value>false</value>
|
||||||
|
</property>
|
||||||
|
|
||||||
|
<property>
|
||||||
|
<description>
|
||||||
|
Optional parameter that indicates the custom header name to use for CSRF
|
||||||
|
protection.
|
||||||
|
</description>
|
||||||
|
<name>yarn.nodemanager.webapp.rest-csrf.custom-header</name>
|
||||||
|
<value>X-XSRF-Header</value>
|
||||||
|
</property>
|
||||||
|
|
||||||
|
<property>
|
||||||
|
<description>
|
||||||
|
Optional parameter that indicates the list of HTTP methods that do not
|
||||||
|
require CSRF protection
|
||||||
|
</description>
|
||||||
|
<name>yarn.nodemanager.webapp.rest-csrf.methods-to-ignore</name>
|
||||||
|
<value>GET,OPTIONS,HEAD</value>
|
||||||
|
</property>
|
||||||
|
|
||||||
|
<property>
|
||||||
|
<description>
|
||||||
|
Enable the CSRF filter for the timeline service web app
|
||||||
|
</description>
|
||||||
|
<name>yarn.timeline-service.webapp.rest-csrf.enabled</name>
|
||||||
|
<value>false</value>
|
||||||
|
</property>
|
||||||
|
|
||||||
|
<property>
|
||||||
|
<description>
|
||||||
|
Optional parameter that indicates the custom header name to use for CSRF
|
||||||
|
protection.
|
||||||
|
</description>
|
||||||
|
<name>yarn.timeline-service.webapp.rest-csrf.custom-header</name>
|
||||||
|
<value>X-XSRF-Header</value>
|
||||||
|
</property>
|
||||||
|
|
||||||
|
<property>
|
||||||
|
<description>
|
||||||
|
Optional parameter that indicates the list of HTTP methods that do not
|
||||||
|
require CSRF protection
|
||||||
|
</description>
|
||||||
|
<name>yarn.timeline-service.webapp.rest-csrf.methods-to-ignore</name>
|
||||||
|
<value>GET,OPTIONS,HEAD</value>
|
||||||
|
</property>
|
||||||
</configuration>
|
</configuration>
|
||||||
|
|
|
@ -297,16 +297,21 @@ public class ApplicationHistoryServer extends CompositeService {
|
||||||
YarnConfiguration.TIMELINE_SERVICE_BIND_HOST,
|
YarnConfiguration.TIMELINE_SERVICE_BIND_HOST,
|
||||||
WebAppUtils.getAHSWebAppURLWithoutScheme(conf));
|
WebAppUtils.getAHSWebAppURLWithoutScheme(conf));
|
||||||
try {
|
try {
|
||||||
AHSWebApp ahsWebApp = new AHSWebApp(timelineDataManager, ahsClientService);
|
AHSWebApp ahsWebApp =
|
||||||
|
new AHSWebApp(timelineDataManager, ahsClientService);
|
||||||
webApp =
|
webApp =
|
||||||
WebApps
|
WebApps
|
||||||
.$for("applicationhistory", ApplicationHistoryClientService.class,
|
.$for("applicationhistory", ApplicationHistoryClientService.class,
|
||||||
ahsClientService, "ws")
|
ahsClientService, "ws")
|
||||||
.with(conf).withAttribute(YarnConfiguration.TIMELINE_SERVICE_WEBAPP_ADDRESS,
|
.with(conf)
|
||||||
conf.get(YarnConfiguration.TIMELINE_SERVICE_WEBAPP_ADDRESS)).at(bindAddress).build(ahsWebApp);
|
.withAttribute(YarnConfiguration.TIMELINE_SERVICE_WEBAPP_ADDRESS,
|
||||||
|
conf.get(YarnConfiguration.TIMELINE_SERVICE_WEBAPP_ADDRESS))
|
||||||
|
.withCSRFProtection(YarnConfiguration.TIMELINE_CSRF_PREFIX)
|
||||||
|
.at(bindAddress).build(ahsWebApp);
|
||||||
HttpServer2 httpServer = webApp.httpServer();
|
HttpServer2 httpServer = webApp.httpServer();
|
||||||
|
|
||||||
String[] names = conf.getTrimmedStrings(YarnConfiguration.TIMELINE_SERVICE_UI_NAMES);
|
String[] names = conf.getTrimmedStrings(
|
||||||
|
YarnConfiguration.TIMELINE_SERVICE_UI_NAMES);
|
||||||
WebAppContext webAppContext = httpServer.getWebAppContext();
|
WebAppContext webAppContext = httpServer.getWebAppContext();
|
||||||
|
|
||||||
for (String name : names) {
|
for (String name : names) {
|
||||||
|
@ -332,9 +337,9 @@ public class ApplicationHistoryServer extends CompositeService {
|
||||||
}
|
}
|
||||||
httpServer.start();
|
httpServer.start();
|
||||||
conf.updateConnectAddr(YarnConfiguration.TIMELINE_SERVICE_BIND_HOST,
|
conf.updateConnectAddr(YarnConfiguration.TIMELINE_SERVICE_BIND_HOST,
|
||||||
YarnConfiguration.TIMELINE_SERVICE_WEBAPP_ADDRESS,
|
YarnConfiguration.TIMELINE_SERVICE_WEBAPP_ADDRESS,
|
||||||
YarnConfiguration.DEFAULT_TIMELINE_SERVICE_WEBAPP_ADDRESS,
|
YarnConfiguration.DEFAULT_TIMELINE_SERVICE_WEBAPP_ADDRESS,
|
||||||
this.getListenerAddress());
|
this.getListenerAddress());
|
||||||
LOG.info("Instantiating AHSWebApp at " + getPort());
|
LOG.info("Instantiating AHSWebApp at " + getPort());
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
String msg = "AHSWebApp failed to start.";
|
String msg = "AHSWebApp failed to start.";
|
||||||
|
|
|
@ -79,6 +79,7 @@ public class WebServer extends AbstractService {
|
||||||
YarnConfiguration.NM_WEBAPP_SPNEGO_USER_NAME_KEY)
|
YarnConfiguration.NM_WEBAPP_SPNEGO_USER_NAME_KEY)
|
||||||
.withHttpSpnegoKeytabKey(
|
.withHttpSpnegoKeytabKey(
|
||||||
YarnConfiguration.NM_WEBAPP_SPNEGO_KEYTAB_FILE_KEY)
|
YarnConfiguration.NM_WEBAPP_SPNEGO_KEYTAB_FILE_KEY)
|
||||||
|
.withCSRFProtection(YarnConfiguration.NM_CSRF_PREFIX)
|
||||||
.start(this.nmWebApp);
|
.start(this.nmWebApp);
|
||||||
this.port = this.webApp.httpServer().getConnectorAddress(0).getPort();
|
this.port = this.webApp.httpServer().getConnectorAddress(0).getPort();
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
|
|
|
@ -1058,6 +1058,7 @@ public class ResourceManager extends CompositeService implements Recoverable {
|
||||||
YarnConfiguration.RM_WEBAPP_SPNEGO_USER_NAME_KEY)
|
YarnConfiguration.RM_WEBAPP_SPNEGO_USER_NAME_KEY)
|
||||||
.withHttpSpnegoKeytabKey(
|
.withHttpSpnegoKeytabKey(
|
||||||
YarnConfiguration.RM_WEBAPP_SPNEGO_KEYTAB_FILE_KEY)
|
YarnConfiguration.RM_WEBAPP_SPNEGO_KEYTAB_FILE_KEY)
|
||||||
|
.withCSRFProtection(YarnConfiguration.RM_CSRF_PREFIX)
|
||||||
.at(webAppAddress);
|
.at(webAppAddress);
|
||||||
String proxyHostAndPort = WebAppUtils.getProxyHostAndPort(conf);
|
String proxyHostAndPort = WebAppUtils.getProxyHostAndPort(conf);
|
||||||
if(WebAppUtils.getResolvedRMWebAppURLWithoutScheme(conf).
|
if(WebAppUtils.getResolvedRMWebAppURLWithoutScheme(conf).
|
||||||
|
|
|
@ -0,0 +1,231 @@
|
||||||
|
/**
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
* or more contributor license agreements. See the NOTICE file
|
||||||
|
* distributed with this work for additional information
|
||||||
|
* regarding copyright ownership. The ASF licenses this file
|
||||||
|
* to you under the Apache License, Version 2.0 (the
|
||||||
|
* "License"); you may not use this file except in compliance
|
||||||
|
* with the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.apache.hadoop.yarn.webapp;
|
||||||
|
|
||||||
|
import com.google.inject.Guice;
|
||||||
|
import com.google.inject.Injector;
|
||||||
|
import com.google.inject.servlet.GuiceServletContextListener;
|
||||||
|
import com.google.inject.servlet.ServletModule;
|
||||||
|
import com.sun.jersey.api.client.ClientResponse;
|
||||||
|
import com.sun.jersey.api.client.ClientResponse.Status;
|
||||||
|
import com.sun.jersey.api.client.UniformInterfaceException;
|
||||||
|
import com.sun.jersey.api.client.WebResource;
|
||||||
|
import com.sun.jersey.guice.spi.container.servlet.GuiceContainer;
|
||||||
|
import com.sun.jersey.test.framework.WebAppDescriptor;
|
||||||
|
import org.apache.hadoop.conf.Configuration;
|
||||||
|
import org.apache.hadoop.security.http.RestCsrfPreventionFilter;
|
||||||
|
import org.apache.hadoop.service.Service.STATE;
|
||||||
|
import org.apache.hadoop.util.VersionInfo;
|
||||||
|
import org.apache.hadoop.yarn.conf.YarnConfiguration;
|
||||||
|
import org.apache.hadoop.yarn.server.resourcemanager.ClusterMetrics;
|
||||||
|
import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
|
||||||
|
import org.apache.hadoop.yarn.server.resourcemanager.ResourceManager;
|
||||||
|
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ResourceScheduler;
|
||||||
|
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fifo.FifoScheduler;
|
||||||
|
import org.apache.hadoop.yarn.server.resourcemanager.webapp.JAXBContextResolver;
|
||||||
|
import org.apache.hadoop.yarn.server.resourcemanager.webapp.RMWebServices;
|
||||||
|
import org.apache.hadoop.yarn.util.YarnVersionInfo;
|
||||||
|
import org.codehaus.jettison.json.JSONException;
|
||||||
|
import org.codehaus.jettison.json.JSONObject;
|
||||||
|
import org.junit.Before;
|
||||||
|
import org.junit.BeforeClass;
|
||||||
|
import org.junit.Test;
|
||||||
|
import org.w3c.dom.Document;
|
||||||
|
import org.w3c.dom.Element;
|
||||||
|
import org.w3c.dom.NodeList;
|
||||||
|
import org.xml.sax.InputSource;
|
||||||
|
|
||||||
|
import javax.ws.rs.core.MediaType;
|
||||||
|
import javax.xml.parsers.DocumentBuilder;
|
||||||
|
import javax.xml.parsers.DocumentBuilderFactory;
|
||||||
|
import java.io.StringReader;
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
|
import static org.junit.Assert.assertEquals;
|
||||||
|
import static org.junit.Assert.assertTrue;
|
||||||
|
import static org.junit.Assert.fail;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Used TestRMWebServices as an example of web invocations of RM and added
|
||||||
|
* test for CSRF Filter.
|
||||||
|
*/
|
||||||
|
public class TestRMWithCSRFFilter extends JerseyTestBase {
|
||||||
|
|
||||||
|
private static MockRM rm;
|
||||||
|
|
||||||
|
private Injector injector = Guice.createInjector(new ServletModule() {
|
||||||
|
@Override
|
||||||
|
protected void configureServlets() {
|
||||||
|
bind(JAXBContextResolver.class);
|
||||||
|
bind(RMWebServices.class);
|
||||||
|
bind(GenericExceptionHandler.class);
|
||||||
|
Configuration conf = new Configuration();
|
||||||
|
conf.setClass(YarnConfiguration.RM_SCHEDULER, FifoScheduler.class,
|
||||||
|
ResourceScheduler.class);
|
||||||
|
rm = new MockRM(conf);
|
||||||
|
bind(ResourceManager.class).toInstance(rm);
|
||||||
|
serve("/*").with(GuiceContainer.class);
|
||||||
|
RestCsrfPreventionFilter csrfFilter = new RestCsrfPreventionFilter();
|
||||||
|
Map<String,String> initParams = new HashMap<>();
|
||||||
|
// adding GET as protected method to make things a little easier...
|
||||||
|
initParams.put(RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM,
|
||||||
|
"OPTIONS,HEAD,TRACE");
|
||||||
|
filter("/*").through(csrfFilter, initParams);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
public class GuiceServletConfig extends GuiceServletContextListener {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Injector getInjector() {
|
||||||
|
return injector;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Before
|
||||||
|
@Override
|
||||||
|
public void setUp() throws Exception {
|
||||||
|
super.setUp();
|
||||||
|
}
|
||||||
|
|
||||||
|
public TestRMWithCSRFFilter() {
|
||||||
|
super(new WebAppDescriptor.Builder(
|
||||||
|
"org.apache.hadoop.yarn.server.resourcemanager.webapp")
|
||||||
|
.contextListenerClass(GuiceServletConfig.class)
|
||||||
|
.filterClass(com.google.inject.servlet.GuiceFilter.class)
|
||||||
|
.contextPath("jersey-guice-filter").servletPath("/").build());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testNoCustomHeaderFromBrowser() throws Exception {
|
||||||
|
WebResource r = resource();
|
||||||
|
ClientResponse response = r.path("ws").path("v1").path("cluster")
|
||||||
|
.path("info").accept("application/xml")
|
||||||
|
.header(RestCsrfPreventionFilter.HEADER_USER_AGENT,"Mozilla/5.0")
|
||||||
|
.get(ClientResponse.class);
|
||||||
|
assertTrue("Should have been rejected", response.getStatus() ==
|
||||||
|
Status.BAD_REQUEST.getStatusCode());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testIncludeCustomHeaderFromBrowser() throws Exception {
|
||||||
|
WebResource r = resource();
|
||||||
|
ClientResponse response = r.path("ws").path("v1").path("cluster")
|
||||||
|
.path("info").accept("application/xml")
|
||||||
|
.header(RestCsrfPreventionFilter.HEADER_USER_AGENT,"Mozilla/5.0")
|
||||||
|
.header("X-XSRF-HEADER", "")
|
||||||
|
.get(ClientResponse.class);
|
||||||
|
assertTrue("Should have been accepted", response.getStatus() ==
|
||||||
|
Status.OK.getStatusCode());
|
||||||
|
assertEquals(MediaType.APPLICATION_XML_TYPE, response.getType());
|
||||||
|
String xml = response.getEntity(String.class);
|
||||||
|
verifyClusterInfoXML(xml);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testAllowedMethod() throws Exception {
|
||||||
|
WebResource r = resource();
|
||||||
|
ClientResponse response = r.path("ws").path("v1").path("cluster")
|
||||||
|
.path("info").accept("application/xml")
|
||||||
|
.header(RestCsrfPreventionFilter.HEADER_USER_AGENT,"Mozilla/5.0")
|
||||||
|
.head();
|
||||||
|
assertTrue("Should have been allowed", response.getStatus() ==
|
||||||
|
Status.OK.getStatusCode());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testAllowNonBrowserInteractionWithoutHeader() throws Exception {
|
||||||
|
WebResource r = resource();
|
||||||
|
ClientResponse response = r.path("ws").path("v1").path("cluster")
|
||||||
|
.path("info").accept("application/xml")
|
||||||
|
.get(ClientResponse.class);
|
||||||
|
assertTrue("Should have been accepted", response.getStatus() ==
|
||||||
|
Status.OK.getStatusCode());
|
||||||
|
assertEquals(MediaType.APPLICATION_XML_TYPE, response.getType());
|
||||||
|
String xml = response.getEntity(String.class);
|
||||||
|
verifyClusterInfoXML(xml);
|
||||||
|
}
|
||||||
|
|
||||||
|
public void verifyClusterInfoXML(String xml) throws Exception {
|
||||||
|
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
|
||||||
|
DocumentBuilder db = dbf.newDocumentBuilder();
|
||||||
|
InputSource is = new InputSource();
|
||||||
|
is.setCharacterStream(new StringReader(xml));
|
||||||
|
Document dom = db.parse(is);
|
||||||
|
NodeList nodes = dom.getElementsByTagName("clusterInfo");
|
||||||
|
assertEquals("incorrect number of elements", 1, nodes.getLength());
|
||||||
|
|
||||||
|
for (int i = 0; i < nodes.getLength(); i++) {
|
||||||
|
Element element = (Element) nodes.item(i);
|
||||||
|
|
||||||
|
verifyClusterGeneric(WebServicesTestUtils.getXmlLong(element, "id"),
|
||||||
|
WebServicesTestUtils.getXmlLong(element, "startedOn"),
|
||||||
|
WebServicesTestUtils.getXmlString(element, "state"),
|
||||||
|
WebServicesTestUtils.getXmlString(element, "haState"),
|
||||||
|
WebServicesTestUtils.getXmlString(
|
||||||
|
element, "haZooKeeperConnectionState"),
|
||||||
|
WebServicesTestUtils.getXmlString(element, "hadoopVersionBuiltOn"),
|
||||||
|
WebServicesTestUtils.getXmlString(element, "hadoopBuildVersion"),
|
||||||
|
WebServicesTestUtils.getXmlString(element, "hadoopVersion"),
|
||||||
|
WebServicesTestUtils.getXmlString(element,
|
||||||
|
"resourceManagerVersionBuiltOn"),
|
||||||
|
WebServicesTestUtils.getXmlString(element,
|
||||||
|
"resourceManagerBuildVersion"),
|
||||||
|
WebServicesTestUtils.getXmlString(element, "resourceManagerVersion"));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public void verifyClusterGeneric(long clusterid, long startedon,
|
||||||
|
String state, String haState,
|
||||||
|
String haZooKeeperConnectionState,
|
||||||
|
String hadoopVersionBuiltOn,
|
||||||
|
String hadoopBuildVersion,
|
||||||
|
String hadoopVersion,
|
||||||
|
String resourceManagerVersionBuiltOn,
|
||||||
|
String resourceManagerBuildVersion,
|
||||||
|
String resourceManagerVersion) {
|
||||||
|
|
||||||
|
assertEquals("clusterId doesn't match: ",
|
||||||
|
ResourceManager.getClusterTimeStamp(), clusterid);
|
||||||
|
assertEquals("startedOn doesn't match: ",
|
||||||
|
ResourceManager.getClusterTimeStamp(), startedon);
|
||||||
|
assertTrue("stated doesn't match: " + state,
|
||||||
|
state.matches(STATE.INITED.toString()));
|
||||||
|
assertTrue("HA state doesn't match: " + haState,
|
||||||
|
haState.matches("INITIALIZING"));
|
||||||
|
|
||||||
|
WebServicesTestUtils.checkStringMatch("hadoopVersionBuiltOn",
|
||||||
|
VersionInfo.getDate(), hadoopVersionBuiltOn);
|
||||||
|
WebServicesTestUtils.checkStringEqual("hadoopBuildVersion",
|
||||||
|
VersionInfo.getBuildVersion(), hadoopBuildVersion);
|
||||||
|
WebServicesTestUtils.checkStringMatch("hadoopVersion",
|
||||||
|
VersionInfo.getVersion(), hadoopVersion);
|
||||||
|
|
||||||
|
WebServicesTestUtils.checkStringMatch("resourceManagerVersionBuiltOn",
|
||||||
|
YarnVersionInfo.getDate(),
|
||||||
|
resourceManagerVersionBuiltOn);
|
||||||
|
WebServicesTestUtils.checkStringEqual("resourceManagerBuildVersion",
|
||||||
|
YarnVersionInfo.getBuildVersion(), resourceManagerBuildVersion);
|
||||||
|
WebServicesTestUtils.checkStringMatch("resourceManagerVersion",
|
||||||
|
YarnVersionInfo.getVersion(),
|
||||||
|
resourceManagerVersion);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
Loading…
Reference in New Issue