Posted to dev@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2015/10/13 02:38:28 UTC
Review Request 39251: Security-related HTTP headers should be set
separately for Ambari Views and for Ambari server UI
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/39251/
-----------------------------------------------------------
Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, Sumit Mohanty, and Sid Wagle.
Bugs: ABMARI-13351
https://issues.apache.org/jira/browse/ABMARI-13351
Repository: ambari
Description
-------
The security-related HTTP headers should be set separately for the Ambari Views and for the Ambari server UI. This is because they have different requirements. For example, the Ambari server UI should not be allowed to execute in an iframe (by default), whereas an Ambari View must be able to execute in an iframe invoked from the same origin.
The relevant headers are:
- Strict-Transport-Security
- X-Frame-Options
- X-XSS-Protection
These headers should be configurable via the ambari.properties such that they may be turned on or off - and set to some custom value.
The default values for these headers should be as follows:
- Strict-Transport-Security: max-age=31536000
- X-Frame-Options: SAMEORIGIN
- X-XSS-Protection: 1; mode=block
Strict-Transport-Security should only be turned on if SSL is enabled.
The relevant Ambari properties should be:
- Strict-Transport-Security: views.http.strict-transport-security
- X-Frame-Options: views.http.x-frame-options
- X-XSS-Protection: views.http.x-xss-protection
By setting any of these to be empty, the header is to be turned off (or not set).
For example:
```
# Sets Strict-Transport-Security to a custom value
views.http.strict-transport-security=max-age=31536000; includeSubDomains

# Turns Strict-Transport-Security off
views.http.strict-transport-security=
```
Diffs
-----
ambari-server/conf/unix/ambari.properties 68cbf65
ambari-server/conf/windows/ambari.properties 6a98a63
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java c653e1b
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariHandlerList.java 1265b6a
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 5974494
ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/security/SecurityHeaderFilter.java a7479af
ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariHandlerListTest.java a0cb8d0
ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java PRE-CREATION
ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java PRE-CREATION
ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java PRE-CREATION
ambari-server/src/test/java/org/apache/ambari/server/security/SecurityHeaderFilterTest.java 5e8d2af
Diff: https://reviews.apache.org/r/39251/diff/
Testing
-------
Manually tested
# Local test results: PASSED
# Jenkins test result: PENDING
Thanks,
Robert Levas
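The property semantics described in the request (a per-header default, an empty value disabling the header, and HSTS emitted only when SSL is on) as an added Python model. This is example code, not Ambari's own filter; the `views.http.` prefix is from the request, while the `http.` prefix for the server UI, the `DENY` server value and the sample properties text are assumptions constructed for the example.

```python
"""Resolve the security headers an Ambari-style filter would add to a response.

Added example, not Ambari's code. It models the semantics in the review request:
each header has a default, a property set to an empty string turns the header
off, and Strict-Transport-Security is only sent when SSL is enabled.
"""
from typing import Dict

# Defaults as given in the review request.
DEFAULTS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}

# Property key suffix per header; the request names them views.http.<suffix>.
PROPERTY_SUFFIX: Dict[str, str] = {
    "Strict-Transport-Security": "strict-transport-security",
    "X-Frame-Options": "x-frame-options",
    "X-XSS-Protection": "x-xss-protection",
}

# "views.http." is from the request; "http." for the server UI is an assumption.
PREFIXES: Dict[str, str] = {"views": "views.http.", "server": "http."}

# Constructed sample of an ambari.properties fragment (not the shipped file).
SAMPLE_PROPERTIES = """
# custom HSTS value for Views
views.http.strict-transport-security=max-age=31536000; includeSubDomains
# empty value: X-XSS-Protection turned off for Views
views.http.x-xss-protection=
# assumed server-side key: never allow framing of the server UI
http.x-frame-options=DENY
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties-style parser: key=value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        # "key=" (empty value) and a missing "=" both yield an empty string,
        # which the filter semantics treat as "header turned off".
        props[key.strip()] = value.strip() if sep else ""
    return props


def resolve_headers(props: Dict[str, str], scope: str, ssl_enabled: bool) -> Dict[str, str]:
    """Return the headers to add for `scope` ("views" or "server")."""
    prefix = PREFIXES[scope]
    headers: Dict[str, str] = {}
    for name, default in DEFAULTS.items():
        # Missing property -> default; present but empty -> header off.
        value = props.get(prefix + PROPERTY_SUFFIX[name], default)
        if value == "":
            continue
        # HSTS is only meaningful (and only wanted) on an SSL-enabled server.
        if name == "Strict-Transport-Security" and not ssl_enabled:
            continue
        headers[name] = value
    return headers


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for scope in ("views", "server"):
        for ssl in (True, False):
            print(scope, "ssl" if ssl else "plain", resolve_headers(props, scope, ssl))
```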
Re: Review Request 39251: Security-related HTTP headers should be set
separately for Ambari Views and for Ambari server UI
Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/39251/
-----------------------------------------------------------
(Updated Oct. 13, 2015, 3:55 p.m.)
Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, Sumit Mohanty, and Sid Wagle.
Bugs: AMBARI-13351
https://issues.apache.org/jira/browse/AMBARI-13351
Repository: ambari
Description
-------
The security-related HTTP headers should be set separately for the Ambari Views and for the Ambari server UI. This is because they have different requirements. For example, the Ambari server UI should not be allowed to execute in an iframe (by default), whereas an Ambari View must be able to execute in an iframe invoked from the same origin.
The relevant headers are:
- Strict-Transport-Security
- X-Frame-Options
- X-XSS-Protection
These headers should be configurable via the ambari.properties such that they may be turned on or off - and set to some custom value.
The default values for these headers should be as follows:
- Strict-Transport-Security: max-age=31536000
- X-Frame-Options: SAMEORIGIN
- X-XSS-Protection: 1; mode=block
Strict-Transport-Security should only be turned on if SSL is enabled.
The relevant Ambari properties should be:
- Strict-Transport-Security: views.http.strict-transport-security
- X-Frame-Options: views.http.x-frame-options
- X-XSS-Protection: views.http.x-xss-protection
By setting any of these to be empty, the header is to be turned off (or not set).
For example:
```
# Sets Strict-Transport-Security to a custom value
views.http.strict-transport-security=max-age=31536000; includeSubDomains

# Turns Strict-Transport-Security off
views.http.strict-transport-security=
```
Diffs
-----
ambari-server/conf/unix/ambari.properties 68cbf65
ambari-server/conf/windows/ambari.properties 6a98a63
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java c653e1b
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariHandlerList.java 1265b6a
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 5974494
ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/security/SecurityHeaderFilter.java a7479af
ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariHandlerListTest.java a0cb8d0
ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java PRE-CREATION
ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java PRE-CREATION
ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java PRE-CREATION
ambari-server/src/test/java/org/apache/ambari/server/security/SecurityHeaderFilterTest.java 5e8d2af
Diff: https://reviews.apache.org/r/39251/diff/
Testing
-------
Manually tested
# Local test results: PASSED
# Jenkins test result:
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:37 h
[INFO] Finished at: 2015-10-13T15:58:17+00:00
[INFO] Final Memory: 47M/561M
[INFO] ------------------------------------------------------------------------
Thanks,
Robert Levas
Re: Review Request 39251: Security-related HTTP headers should be set
separately for Ambari Views and for Ambari server UI
Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/39251/
-----------------------------------------------------------
(Updated Oct. 13, 2015, 3:54 p.m.)
Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, Sumit Mohanty, and Sid Wagle.
Bugs: ABMARI-13351
https://issues.apache.org/jira/browse/ABMARI-13351
Repository: ambari
Description
-------
The security-related HTTP headers should be set separately for the Ambari Views and for the Ambari server UI. This is because they have different requirements. For example, the Ambari server UI should not be allowed to execute in an iframe (by default), whereas an Ambari View must be able to execute in an iframe invoked from the same origin.
The relevant headers are:
- Strict-Transport-Security
- X-Frame-Options
- X-XSS-Protection
These headers should be configurable via the ambari.properties such that they may be turned on or off - and set to some custom value.
The default values for these headers should be as follows:
- Strict-Transport-Security: max-age=31536000
- X-Frame-Options: SAMEORIGIN
- X-XSS-Protection: 1; mode=block
Strict-Transport-Security should only be turned on if SSL is enabled.
The relevant Ambari properties should be:
- Strict-Transport-Security: views.http.strict-transport-security
- X-Frame-Options: views.http.x-frame-options
- X-XSS-Protection: views.http.x-xss-protection
By setting any of these to be empty, the header is to be turned off (or not set).
For example:
```
# Sets Strict-Transport-Security to a custom value
views.http.strict-transport-security=max-age=31536000; includeSubDomains

# Turns Strict-Transport-Security off
views.http.strict-transport-security=
```
Diffs (updated)
-----
ambari-server/conf/unix/ambari.properties 68cbf65
ambari-server/conf/windows/ambari.properties 6a98a63
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java c653e1b
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariHandlerList.java 1265b6a
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 5974494
ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/security/SecurityHeaderFilter.java a7479af
ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariHandlerListTest.java a0cb8d0
ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java PRE-CREATION
ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java PRE-CREATION
ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java PRE-CREATION
ambari-server/src/test/java/org/apache/ambari/server/security/SecurityHeaderFilterTest.java 5e8d2af
Diff: https://reviews.apache.org/r/39251/diff/
Testing
-------
Manually tested
# Local test results: PASSED
# Jenkins test result:
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:37 h
[INFO] Finished at: 2015-10-13T15:58:17+00:00
[INFO] Final Memory: 47M/561M
[INFO] ------------------------------------------------------------------------
Thanks,
Robert Levas
Re: Review Request 39251: Security-related HTTP headers should be set
separately for Ambari Views and for Ambari server UI
Posted by Jonathan Hurley <jh...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/39251/#review102514
-----------------------------------------------------------
Ship it!
ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java (line 35)
<https://reviews.apache.org/r/39251/#comment160195>
Documentation.
- Jonathan Hurley
On Oct. 13, 2015, noon, Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/39251/
> -----------------------------------------------------------
>
> (Updated Oct. 13, 2015, noon)
>
>
> Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, Sumit Mohanty, and Sid Wagle.
>
>
> Bugs: ABMARI-13351
> https://issues.apache.org/jira/browse/ABMARI-13351
>
>
> Repository: ambari
>
>
> Description
> -------
>
> The security-related HTTP headers should be set separately for the Ambari Views and for the Ambari server UI. This is because they have different requirements. For example, the Ambari server UI should not be allowed to execute in an iframe (by default), whereas an Ambari View must be able to execute in an iframe invoked from the same origin.
>
> The relevant headers are:
> - Strict-Transport-Security
> - X-Frame-Options
> - X-XSS-Protection
>
> These headers should be configurable via the ambari.properties such that they may be turned on or off - and set to some custom value.
>
> The default values for these headers should be as follows:
> - Strict-Transport-Security: max-age=31536000
> - X-Frame-Options: SAMEORIGIN
> - X-XSS-Protection: 1; mode=block
>
> Strict-Transport-Security should only be turned on if SSL is enabled.
>
> The relevant Ambari properties should be:
> - Strict-Transport-Security: views.http.strict-transport-security
> - X-Frame-Options: views.http.x-frame-options
> - X-XSS-Protection: views.http.x-xss-protection
>
> By setting any of these to be empty, the header is to be turned off (or not set).
>
> For example:
> ```
> # Sets Strict-Transport-Security to a custom value
> views.http.strict-transport-security=max-age=31536000; includeSubDomains
>
> # Turns Strict-Transport-Security off
> views.http.strict-transport-security=
> ```
>
>
> Diffs
> -----
>
> ambari-server/conf/unix/ambari.properties 68cbf65
> ambari-server/conf/windows/ambari.properties 6a98a63
> ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java c653e1b
> ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariHandlerList.java 1265b6a
> ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 5974494
> ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java PRE-CREATION
> ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java PRE-CREATION
> ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java PRE-CREATION
> ambari-server/src/main/java/org/apache/ambari/server/security/SecurityHeaderFilter.java a7479af
> ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariHandlerListTest.java a0cb8d0
> ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java PRE-CREATION
> ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java PRE-CREATION
> ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java PRE-CREATION
> ambari-server/src/test/java/org/apache/ambari/server/security/SecurityHeaderFilterTest.java 5e8d2af
>
> Diff: https://reviews.apache.org/r/39251/diff/
>
>
> Testing
> -------
>
> Manually tested
>
> # Local test results: PASSED
>
> # Jenkins test result:
>
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 01:37 h
> [INFO] Finished at: 2015-10-13T15:58:17+00:00
> [INFO] Final Memory: 47M/561M
> [INFO] ------------------------------------------------------------------------
>
>
> Thanks,
>
> Robert Levas
>
>
Re: Review Request 39251: Security-related HTTP headers should be set
separately for Ambari Views and for Ambari server UI
Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/39251/
-----------------------------------------------------------
(Updated Oct. 13, 2015, noon)
Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, Sumit Mohanty, and Sid Wagle.
Bugs: ABMARI-13351
https://issues.apache.org/jira/browse/ABMARI-13351
Repository: ambari
Description
-------
The security-related HTTP headers should be set separately for the Ambari Views and for the Ambari server UI. This is because they have different requirements. For example, the Ambari server UI should not be allowed to execute in an iframe (by default), whereas an Ambari View must be able to execute in an iframe invoked from the same origin.
The relevant headers are:
- Strict-Transport-Security
- X-Frame-Options
- X-XSS-Protection
These headers should be configurable via the ambari.properties such that they may be turned on or off - and set to some custom value.
The default values for these headers should be as follows:
- Strict-Transport-Security: max-age=31536000
- X-Frame-Options: SAMEORIGIN
- X-XSS-Protection: 1; mode=block
Strict-Transport-Security should only be turned on if SSL is enabled.
The relevant Ambari properties should be:
- Strict-Transport-Security: views.http.strict-transport-security
- X-Frame-Options: views.http.x-frame-options
- X-XSS-Protection: views.http.x-xss-protection
By setting any of these to be empty, the header is to be turned off (or not set).
For example:
```
# Sets Strict-Transport-Security to a custom value
views.http.strict-transport-security=max-age=31536000; includeSubDomains

# Turns Strict-Transport-Security off
views.http.strict-transport-security=
```
Diffs
-----
ambari-server/conf/unix/ambari.properties 68cbf65
ambari-server/conf/windows/ambari.properties 6a98a63
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java c653e1b
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariHandlerList.java 1265b6a
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 5974494
ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/security/SecurityHeaderFilter.java a7479af
ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariHandlerListTest.java a0cb8d0
ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java PRE-CREATION
ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java PRE-CREATION
ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java PRE-CREATION
ambari-server/src/test/java/org/apache/ambari/server/security/SecurityHeaderFilterTest.java 5e8d2af
Diff: https://reviews.apache.org/r/39251/diff/
Testing (updated)
-------
Manually tested
# Local test results: PASSED
# Jenkins test result:
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:37 h
[INFO] Finished at: 2015-10-13T15:58:17+00:00
[INFO] Final Memory: 47M/561M
[INFO] ------------------------------------------------------------------------
Thanks,
Robert Levas
Re: Review Request 39251: Security-related HTTP headers should be set
separately for Ambari Views and for Ambari server UI
Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/39251/
-----------------------------------------------------------
(Updated Oct. 13, 2015, 9:59 a.m.)
Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, Sumit Mohanty, and Sid Wagle.
Changes
-------
Fixed unit test issue.
Bugs: ABMARI-13351
https://issues.apache.org/jira/browse/ABMARI-13351
Repository: ambari
Description
-------
The security-related HTTP headers should be set separately for the Ambari Views and for the Ambari server UI. This is because they have different requirements. For example, the Ambari server UI should not be allowed to execute in an iframe (by default), whereas an Ambari View must be able to execute in an iframe invoked from the same origin.
The relevant headers are:
- Strict-Transport-Security
- X-Frame-Options
- X-XSS-Protection
These headers should be configurable via the ambari.properties such that they may be turned on or off - and set to some custom value.
The default values for these headers should be as follows:
- Strict-Transport-Security: max-age=31536000
- X-Frame-Options: SAMEORIGIN
- X-XSS-Protection: 1; mode=block
Strict-Transport-Security should only be turned on if SSL is enabled.
The relevant Ambari properties should be:
- Strict-Transport-Security: views.http.strict-transport-security
- X-Frame-Options: views.http.x-frame-options
- X-XSS-Protection: views.http.x-xss-protection
By setting any of these to be empty, the header is to be turned off (or not set).
For example:
```
# Sets Strict-Transport-Security to a custom value
views.http.strict-transport-security=max-age=31536000; includeSubDomains

# Turns Strict-Transport-Security off
views.http.strict-transport-security=
```
Diffs (updated)
-----
ambari-server/conf/unix/ambari.properties 68cbf65
ambari-server/conf/windows/ambari.properties 6a98a63
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java c653e1b
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariHandlerList.java 1265b6a
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 5974494
ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java PRE-CREATION
ambari-server/src/main/java/org/apache/ambari/server/security/SecurityHeaderFilter.java a7479af
ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariHandlerListTest.java a0cb8d0
ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java PRE-CREATION
ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java PRE-CREATION
ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java PRE-CREATION
ambari-server/src/test/java/org/apache/ambari/server/security/SecurityHeaderFilterTest.java 5e8d2af
Diff: https://reviews.apache.org/r/39251/diff/
Testing
-------
Manually tested
# Local test results: PASSED
# Jenkins test result: PENDING
Thanks,
Robert Levas