You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2015/10/13 02:38:28 UTC

Review Request 39251: Security-related HTTP headers should be set separately for Ambari Views then for Ambari server UI

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/39251/
-----------------------------------------------------------

Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, Sumit Mohanty, and Sid Wagle.


Bugs: ABMARI-13351
    https://issues.apache.org/jira/browse/ABMARI-13351


Repository: ambari


Description
-------

The security-related HTTP headers should be set separately for the Ambari Views then for the Ambari server UI. This is because they have different requirements.  For example the Ambari server UI should not be allowed to execute in an iframe (by default) where Ambari View must be able to execute in an iframe invoked from the same origin.

The relevant headers are:
- Strict-Transport-Security
- X-Frame-Options
- X-XSS-Protection

These headers should be configurable via the ambari.properties such that they may be turned on or off - and set to some custom value.

The default value for this headers should be as follows:
- Strict-Transport-Security: max-age=31536000
- X-Frame-Options: SAMEORIGIN
- X-XSS-Protection: 1; mode=block

Strict-Transport-Security should only be turned on if SSL is enabled.

The relevant Ambari properties should be:
- Strict-Transport-Security: views.http.strict-transport-security
- X-Frame-Options: views.http.x-frame-options
- X-XSS-Protection: views.http.x-xss-protection

By setting any of these to be empty, the header is to be turned off (or not set).

For example:
#Sets Strict-Transport-Security to a custom value
```
views.http.strict-transport-security=max-age=31536000; includeSubDomains
```

#Turns Strict-Transport-Security off
```
views.http.strict-transport-security=
```


Diffs
-----

  ambari-server/conf/unix/ambari.properties 68cbf65 
  ambari-server/conf/windows/ambari.properties 6a98a63 
  ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java c653e1b 
  ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariHandlerList.java 1265b6a 
  ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 5974494 
  ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/security/SecurityHeaderFilter.java a7479af 
  ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariHandlerListTest.java a0cb8d0 
  ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java PRE-CREATION 
  ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java PRE-CREATION 
  ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java PRE-CREATION 
  ambari-server/src/test/java/org/apache/ambari/server/security/SecurityHeaderFilterTest.java 5e8d2af 

Diff: https://reviews.apache.org/r/39251/diff/


Testing
-------

Manually tested

# Local test results: PASSED

# Jenkins test result: PENDING


Thanks,

Robert Levas

Re: Review Request 39251: Security-related HTTP headers should be set separately for Ambari Views then for Ambari server UI

Posted by Robert Levas <rl...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/39251/
-----------------------------------------------------------

(Updated Oct. 13, 2015, 3:55 p.m.)


Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, Sumit Mohanty, and Sid Wagle.


Bugs: AMBARI-13351
    https://issues.apache.org/jira/browse/AMBARI-13351


Repository: ambari


Description
-------

The security-related HTTP headers should be set separately for the Ambari Views then for the Ambari server UI. This is because they have different requirements.  For example the Ambari server UI should not be allowed to execute in an iframe (by default) where Ambari View must be able to execute in an iframe invoked from the same origin.

The relevant headers are:
- Strict-Transport-Security
- X-Frame-Options
- X-XSS-Protection

These headers should be configurable via the ambari.properties such that they may be turned on or off - and set to some custom value.

The default value for this headers should be as follows:
- Strict-Transport-Security: max-age=31536000
- X-Frame-Options: SAMEORIGIN
- X-XSS-Protection: 1; mode=block

Strict-Transport-Security should only be turned on if SSL is enabled.

The relevant Ambari properties should be:
- Strict-Transport-Security: views.http.strict-transport-security
- X-Frame-Options: views.http.x-frame-options
- X-XSS-Protection: views.http.x-xss-protection

By setting any of these to be empty, the header is to be turned off (or not set).

For example:
#Sets Strict-Transport-Security to a custom value
```
views.http.strict-transport-security=max-age=31536000; includeSubDomains
```

#Turns Strict-Transport-Security off
```
views.http.strict-transport-security=
```


Diffs
-----

  ambari-server/conf/unix/ambari.properties 68cbf65 
  ambari-server/conf/windows/ambari.properties 6a98a63 
  ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java c653e1b 
  ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariHandlerList.java 1265b6a 
  ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 5974494 
  ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/security/SecurityHeaderFilter.java a7479af 
  ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariHandlerListTest.java a0cb8d0 
  ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java PRE-CREATION 
  ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java PRE-CREATION 
  ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java PRE-CREATION 
  ambari-server/src/test/java/org/apache/ambari/server/security/SecurityHeaderFilterTest.java 5e8d2af 

Diff: https://reviews.apache.org/r/39251/diff/


Testing
-------

Manually tested

# Local test results: PASSED

# Jenkins test result: 

[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:37 h
[INFO] Finished at: 2015-10-13T15:58:17+00:00
[INFO] Final Memory: 47M/561M
[INFO] ------------------------------------------------------------------------


Thanks,

Robert Levas

Re: Review Request 39251: Security-related HTTP headers should be set separately for Ambari Views then for Ambari server UI

Posted by Robert Levas <rl...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/39251/
-----------------------------------------------------------

(Updated Oct. 13, 2015, 3:54 p.m.)


Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, Sumit Mohanty, and Sid Wagle.


Bugs: ABMARI-13351
    https://issues.apache.org/jira/browse/ABMARI-13351


Repository: ambari


Description
-------

The security-related HTTP headers should be set separately for the Ambari Views then for the Ambari server UI. This is because they have different requirements.  For example the Ambari server UI should not be allowed to execute in an iframe (by default) where Ambari View must be able to execute in an iframe invoked from the same origin.

The relevant headers are:
- Strict-Transport-Security
- X-Frame-Options
- X-XSS-Protection

These headers should be configurable via the ambari.properties such that they may be turned on or off - and set to some custom value.

The default value for this headers should be as follows:
- Strict-Transport-Security: max-age=31536000
- X-Frame-Options: SAMEORIGIN
- X-XSS-Protection: 1; mode=block

Strict-Transport-Security should only be turned on if SSL is enabled.

The relevant Ambari properties should be:
- Strict-Transport-Security: views.http.strict-transport-security
- X-Frame-Options: views.http.x-frame-options
- X-XSS-Protection: views.http.x-xss-protection

By setting any of these to be empty, the header is to be turned off (or not set).

For example:
#Sets Strict-Transport-Security to a custom value
```
views.http.strict-transport-security=max-age=31536000; includeSubDomains
```

#Turns Strict-Transport-Security off
```
views.http.strict-transport-security=
```


Diffs (updated)
-----

  ambari-server/conf/unix/ambari.properties 68cbf65 
  ambari-server/conf/windows/ambari.properties 6a98a63 
  ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java c653e1b 
  ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariHandlerList.java 1265b6a 
  ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 5974494 
  ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/security/SecurityHeaderFilter.java a7479af 
  ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariHandlerListTest.java a0cb8d0 
  ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java PRE-CREATION 
  ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java PRE-CREATION 
  ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java PRE-CREATION 
  ambari-server/src/test/java/org/apache/ambari/server/security/SecurityHeaderFilterTest.java 5e8d2af 

Diff: https://reviews.apache.org/r/39251/diff/


Testing
-------

Manually tested

# Local test results: PASSED

# Jenkins test result: 

[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:37 h
[INFO] Finished at: 2015-10-13T15:58:17+00:00
[INFO] Final Memory: 47M/561M
[INFO] ------------------------------------------------------------------------


Thanks,

Robert Levas

Re: Review Request 39251: Security-related HTTP headers should be set separately for Ambari Views then for Ambari server UI

Posted by Jonathan Hurley <jh...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/39251/#review102514
-----------------------------------------------------------

Ship it!



ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java (line 35)
<https://reviews.apache.org/r/39251/#comment160195>

    Documentation.


- Jonathan Hurley


On Oct. 13, 2015, noon, Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/39251/
> -----------------------------------------------------------
> 
> (Updated Oct. 13, 2015, noon)
> 
> 
> Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, Sumit Mohanty, and Sid Wagle.
> 
> 
> Bugs: ABMARI-13351
>     https://issues.apache.org/jira/browse/ABMARI-13351
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> The security-related HTTP headers should be set separately for the Ambari Views then for the Ambari server UI. This is because they have different requirements.  For example the Ambari server UI should not be allowed to execute in an iframe (by default) where Ambari View must be able to execute in an iframe invoked from the same origin.
> 
> The relevant headers are:
> - Strict-Transport-Security
> - X-Frame-Options
> - X-XSS-Protection
> 
> These headers should be configurable via the ambari.properties such that they may be turned on or off - and set to some custom value.
> 
> The default value for this headers should be as follows:
> - Strict-Transport-Security: max-age=31536000
> - X-Frame-Options: SAMEORIGIN
> - X-XSS-Protection: 1; mode=block
> 
> Strict-Transport-Security should only be turned on if SSL is enabled.
> 
> The relevant Ambari properties should be:
> - Strict-Transport-Security: views.http.strict-transport-security
> - X-Frame-Options: views.http.x-frame-options
> - X-XSS-Protection: views.http.x-xss-protection
> 
> By setting any of these to be empty, the header is to be turned off (or not set).
> 
> For example:
> #Sets Strict-Transport-Security to a custom value
> ```
> views.http.strict-transport-security=max-age=31536000; includeSubDomains
> ```
> 
> #Turns Strict-Transport-Security off
> ```
> views.http.strict-transport-security=
> ```
> 
> 
> Diffs
> -----
> 
>   ambari-server/conf/unix/ambari.properties 68cbf65 
>   ambari-server/conf/windows/ambari.properties 6a98a63 
>   ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java c653e1b 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariHandlerList.java 1265b6a 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 5974494 
>   ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/security/SecurityHeaderFilter.java a7479af 
>   ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariHandlerListTest.java a0cb8d0 
>   ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java PRE-CREATION 
>   ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java PRE-CREATION 
>   ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java PRE-CREATION 
>   ambari-server/src/test/java/org/apache/ambari/server/security/SecurityHeaderFilterTest.java 5e8d2af 
> 
> Diff: https://reviews.apache.org/r/39251/diff/
> 
> 
> Testing
> -------
> 
> Manually tested
> 
> # Local test results: PASSED
> 
> # Jenkins test result: 
> 
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 01:37 h
> [INFO] Finished at: 2015-10-13T15:58:17+00:00
> [INFO] Final Memory: 47M/561M
> [INFO] ------------------------------------------------------------------------
> 
> 
> Thanks,
> 
> Robert Levas
> 
>

Re: Review Request 39251: Security-related HTTP headers should be set separately for Ambari Views then for Ambari server UI

Posted by Robert Levas <rl...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/39251/
-----------------------------------------------------------

(Updated Oct. 13, 2015, noon)


Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, Sumit Mohanty, and Sid Wagle.


Bugs: ABMARI-13351
    https://issues.apache.org/jira/browse/ABMARI-13351


Repository: ambari


Description
-------

The security-related HTTP headers should be set separately for the Ambari Views then for the Ambari server UI. This is because they have different requirements.  For example the Ambari server UI should not be allowed to execute in an iframe (by default) where Ambari View must be able to execute in an iframe invoked from the same origin.

The relevant headers are:
- Strict-Transport-Security
- X-Frame-Options
- X-XSS-Protection

These headers should be configurable via the ambari.properties such that they may be turned on or off - and set to some custom value.

The default value for this headers should be as follows:
- Strict-Transport-Security: max-age=31536000
- X-Frame-Options: SAMEORIGIN
- X-XSS-Protection: 1; mode=block

Strict-Transport-Security should only be turned on if SSL is enabled.

The relevant Ambari properties should be:
- Strict-Transport-Security: views.http.strict-transport-security
- X-Frame-Options: views.http.x-frame-options
- X-XSS-Protection: views.http.x-xss-protection

By setting any of these to be empty, the header is to be turned off (or not set).

For example:
#Sets Strict-Transport-Security to a custom value
```
views.http.strict-transport-security=max-age=31536000; includeSubDomains
```

#Turns Strict-Transport-Security off
```
views.http.strict-transport-security=
```


Diffs
-----

  ambari-server/conf/unix/ambari.properties 68cbf65 
  ambari-server/conf/windows/ambari.properties 6a98a63 
  ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java c653e1b 
  ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariHandlerList.java 1265b6a 
  ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 5974494 
  ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/security/SecurityHeaderFilter.java a7479af 
  ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariHandlerListTest.java a0cb8d0 
  ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java PRE-CREATION 
  ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java PRE-CREATION 
  ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java PRE-CREATION 
  ambari-server/src/test/java/org/apache/ambari/server/security/SecurityHeaderFilterTest.java 5e8d2af 

Diff: https://reviews.apache.org/r/39251/diff/


Testing (updated)
-------

Manually tested

# Local test results: PASSED

# Jenkins test result: 

[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:37 h
[INFO] Finished at: 2015-10-13T15:58:17+00:00
[INFO] Final Memory: 47M/561M
[INFO] ------------------------------------------------------------------------


Thanks,

Robert Levas

Re: Review Request 39251: Security-related HTTP headers should be set separately for Ambari Views then for Ambari server UI

Posted by Robert Levas <rl...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/39251/
-----------------------------------------------------------

(Updated Oct. 13, 2015, 9:59 a.m.)


Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, Sumit Mohanty, and Sid Wagle.


Changes
-------

Fixed unit test issue.


Bugs: ABMARI-13351
    https://issues.apache.org/jira/browse/ABMARI-13351


Repository: ambari


Description
-------

The security-related HTTP headers should be set separately for the Ambari Views then for the Ambari server UI. This is because they have different requirements.  For example the Ambari server UI should not be allowed to execute in an iframe (by default) where Ambari View must be able to execute in an iframe invoked from the same origin.

The relevant headers are:
- Strict-Transport-Security
- X-Frame-Options
- X-XSS-Protection

These headers should be configurable via the ambari.properties such that they may be turned on or off - and set to some custom value.

The default value for this headers should be as follows:
- Strict-Transport-Security: max-age=31536000
- X-Frame-Options: SAMEORIGIN
- X-XSS-Protection: 1; mode=block

Strict-Transport-Security should only be turned on if SSL is enabled.

The relevant Ambari properties should be:
- Strict-Transport-Security: views.http.strict-transport-security
- X-Frame-Options: views.http.x-frame-options
- X-XSS-Protection: views.http.x-xss-protection

By setting any of these to be empty, the header is to be turned off (or not set).

For example:
#Sets Strict-Transport-Security to a custom value
```
views.http.strict-transport-security=max-age=31536000; includeSubDomains
```

#Turns Strict-Transport-Security off
```
views.http.strict-transport-security=
```


Diffs (updated)
-----

  ambari-server/conf/unix/ambari.properties 68cbf65 
  ambari-server/conf/windows/ambari.properties 6a98a63 
  ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java c653e1b 
  ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariHandlerList.java 1265b6a 
  ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 5974494 
  ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/security/SecurityHeaderFilter.java a7479af 
  ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariHandlerListTest.java a0cb8d0 
  ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java PRE-CREATION 
  ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java PRE-CREATION 
  ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java PRE-CREATION 
  ambari-server/src/test/java/org/apache/ambari/server/security/SecurityHeaderFilterTest.java 5e8d2af 

Diff: https://reviews.apache.org/r/39251/diff/


Testing
-------

Manually tested

# Local test results: PASSED

# Jenkins test result: PENDING


Thanks,

Robert Levas