HDFS-12158. Secondary Namenode's web interface lack configs for X-FRAME-OPTIONS protection. Contributed by Mukul Kumar Singh.

This commit is contained in:
Anu Engineer 2017-07-19 10:29:06 -07:00
parent 04ff412dab
commit 413b23eb04
2 changed files with 32 additions and 0 deletions

View File

@ -479,6 +479,16 @@ public void startInfoServer() throws IOException {
DFS_SECONDARY_NAMENODE_KERBEROS_INTERNAL_SPNEGO_PRINCIPAL_KEY,
DFSConfigKeys.DFS_SECONDARY_NAMENODE_KEYTAB_FILE_KEY);
final boolean xFrameEnabled = conf.getBoolean(
DFSConfigKeys.DFS_XFRAME_OPTION_ENABLED,
DFSConfigKeys.DFS_XFRAME_OPTION_ENABLED_DEFAULT);
final String xFrameOptionValue = conf.getTrimmed(
DFSConfigKeys.DFS_XFRAME_OPTION_VALUE,
DFSConfigKeys.DFS_XFRAME_OPTION_VALUE_DEFAULT);
builder.configureXFrame(xFrameEnabled).setXFrameOption(xFrameOptionValue);
infoServer = builder.build();
infoServer.setAttribute("secondary.name.node", this);
infoServer.setAttribute("name.system.image", checkpointImage);

View File

@ -18,6 +18,7 @@
package org.apache.hadoop.hdfs.server.namenode;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.hdfs.DFSConfigKeys;
import org.apache.hadoop.hdfs.HdfsConfiguration;
import org.apache.hadoop.http.HttpServer2;
@ -32,6 +33,7 @@
import java.net.InetSocketAddress;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URI;
/**
* A class to test the XFrameoptions of Namenode HTTP Server. We are not reusing
@ -94,4 +96,24 @@ private HttpURLConnection createServerwithXFrame(boolean enabled, String
conn.connect();
return conn;
}
@Test
public void testSecondaryNameNodeXFrame() throws IOException {
Configuration conf = new HdfsConfiguration();
FileSystem.setDefaultUri(conf, "hdfs://localhost:0");
SecondaryNameNode sn = new SecondaryNameNode(conf);
sn.startInfoServer();
InetSocketAddress httpAddress = SecondaryNameNode.getHttpAddress(conf);
URL url = URI.create("http://" + httpAddress.getHostName()
+ ":" + httpAddress.getPort()).toURL();
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
conn.connect();
String xfoHeader = conn.getHeaderField("X-FRAME-OPTIONS");
Assert.assertTrue("X-FRAME-OPTIONS is absent in the header",
xfoHeader != null);
Assert.assertTrue(xfoHeader.endsWith(HttpServer2.XFrameOption
.SAMEORIGIN.toString()));
}
}