Posted to users@zeppelin.apache.org by Ying Chen <yi...@gmail.com> on 2018/06/25 22:37:44 UTC
zeppelin.server.allowed.origins - does not seem to work with Zeppelin REST API
Hello -
I am in the process of validating some security settings for Zeppelin
(0.7.3 w/ HDP 2.6.3)
According to:
https://zeppelin.apache.org/docs/0.7.0/install/configuration.html
zeppelin.server.allowed.origins can be set to only allow requests that are
coming from a specific host.
I am not sure if I am using this correctly.
My HDP system is: my.system.com,
running http://my.system.com:9995 - in zeppelin
I've updated the advanced zeppelin-config with:
zeppelin.server.allowed.origins=https://my.system.com
----------
After restarting - to test:
Use curl from my machine: mydesktop.system.com
1. Get a JSESSIONID:
curl -i -X POST "http://my.system.com:9995/api/login?password=<passwd>&userName=<uid>"
-> retrieve JSESSIONID from cookie.
2. Try a query against api/notebook. (I can get at the security
curl -v -b 'JSESSIONID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx; Path=/; HttpOnly' http://my.system.com:9995/api/notebook
-> This works ... should it?
3. Attempt to add random headers...
curl -v -b 'JSESSIONID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx; Path=/; HttpOnly' \
  -H 'Host: bogus1.referer.com' -H 'Origin: bogus2.referer.com' \
  -H 'Connection: keep-alive' -H 'Referer: http://bogus3.referer.com' \
  http://my.system.com:9995/api/notebook
-> This still works... should it ?
The verbose output shows that Host, Referer and Origin have been passed, yet
I am not seeing any sort of blocking...
> Host: bogus1.referer.com
> User-Agent: curl/7.54.0
> Accept: */*
> Cookie: JSESSIONID=<sid>; Path=/; HttpOnly
> Origin: bogus2.referer.com
> Connection: keep-alive
> Referer: http://bogus3.referer.com
< HTTP/1.1 200 OK
< Date: Monday, June 25, 2018 3:16:32 PM PDT
< Access-Control-Allow-Origin:
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: authorization,Content-Type
< Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
< X-FRAME-OPTIONS: SAMEORIGIN
< X-XSS-Protection: 1
< Content-Type: application/json
< Date: Mon, 25 Jun 2018 22:16:32 GMT
< Content-Length: 75
< Server: Jetty(9.2.15.v20160210)
<
Thoughts?
Ying
Re: zeppelin.server.allowed.origins - does not seem to work with Zeppelin REST API
Posted by Prabhjyot Singh <pr...@gmail.com>.
Hi Ying,
AFAIK, CORS headers are something to do with browser
implementation/support, here is a list of browsers that support this
https://caniuse.com/#feat=cors.
So, to answer your question in short, no, CORS header does not provide
protection over curl.
On Fri, 29 Jun 2018 at 10:31, Ying Chen <yi...@gmail.com> wrote:
> Hello -
>
> So, what you are saying is that - this is something that is protected over
> web socket, but not thru the HTTP endpoint?
> curl just exercises an http call.....
>
> Ying
>
>
>
> On Mon, Jun 25, 2018 at 9:19 PM, Prabhjyot Singh <prabhjyotsingh@gmail.com
> > wrote:
>
>> Hi Ying,
>>
>> This config "zeppelin.server.allowed.origins" is to do with setting CORS
>> header, which means this will continue to work over curl, but will get
>> blocked over any browsers. I've attached a screenshot for reference.
>>
>>
>> [image: Screenshot from 2018-06-26 09-48-23.png]
>>
>>
>> Let me know if this helps.
>>
>> On Tue, 26 Jun 2018 at 04:07, Ying Chen <yi...@gmail.com> wrote:
>>
>>> Hello -
>>>
>>> I am in the process of validating some security settings for Zeppelin
>>> (0.7.3 w/ HDP 2.6.3)
>>>
>>> According to:
>>> https://zeppelin.apache.org/docs/0.7.0/install/configuration.html
>>> zeppelin.server.allowed.origins can be set to only allow requests that
>>> are coming from a specific host.
>>>
>>> I am not sure if I am using this correctly.
>>>
>>> My HDP system is: my.system.com,
>>> running http://my.system.com:9995 - in zeppelin
>>>
>>> I've updated the advanced zeppelin-config with:
>>> zeppelin.server.allowed.origins=https://my.system.com
>>>
>>> ----------
>>> After restarting - to test:
>>>
>>> Use curl from my machine: mydesktop.system.com
>>>
>>> 1. Get a JSESSIONID:
>>> curl -i -X POST "http://my.system.com:9995/api/login?password=<passwd>&userName=<uid>"
>>> -> retrieve JSESSIONID from cookie.
>>>
>>> 2. Try a query against api/notebook. (I can get at the security
>>> curl -v -b 'JSESSIONID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx; Path=/; HttpOnly' http://my.system.com:9995/api/notebook
>>> -> This works ... should it?
>>>
>>> 3. Attempt to add random headers...
>>> curl -v -b 'JSESSIONID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx; Path=/; HttpOnly' \
>>>   -H 'Host: bogus1.referer.com' -H 'Origin: bogus2.referer.com' \
>>>   -H 'Connection: keep-alive' -H 'Referer: http://bogus3.referer.com' \
>>>   http://my.system.com:9995/api/notebook
>>>
>>> -> This still works... should it ?
>>>
>>> The verbose output shows that Host, Referer and Origin have been passed,
>>> yet I am not seeing any sort of blocking...
>>>
>>> > Host: bogus1.referer.com
>>> > User-Agent: curl/7.54.0
>>> > Accept: */*
>>> > Cookie: JSESSIONID=<sid>; Path=/; HttpOnly
>>> > Origin: bogus2.referer.com
>>> > Connection: keep-alive
>>> > Referer: http://bogus3.referer.com
>>>
>>> < HTTP/1.1 200 OK
>>> < Date: Monday, June 25, 2018 3:16:32 PM PDT
>>> < Access-Control-Allow-Origin:
>>> < Access-Control-Allow-Credentials: true
>>> < Access-Control-Allow-Headers: authorization,Content-Type
>>> < Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
>>> < X-FRAME-OPTIONS: SAMEORIGIN
>>> < X-XSS-Protection: 1
>>> < Content-Type: application/json
>>> < Date: Mon, 25 Jun 2018 22:16:32 GMT
>>> < Content-Length: 75
>>> < Server: Jetty(9.2.15.v20160210)
>>> <
>>>
>>>
>>> Thoughts?
>>>
>>> Ying
>>>
>>>
>>
>> --
>> Thankx and Regards,
>>
>> Prabhjyot Singh
>>
>
>
--
Thankx and Regards,
Prabhjyot Singh
Re: zeppelin.server.allowed.origins - does not seem to work with Zeppelin REST API
Posted by Ying Chen <yi...@gmail.com>.
Hello -
So, what you are saying is that - this is something that is protected over
web socket, but not thru the HTTP endpoint?
curl just exercises an http call.....
Ying
On Mon, Jun 25, 2018 at 9:19 PM, Prabhjyot Singh <pr...@gmail.com>
wrote:
> Hi Ying,
>
> This config "zeppelin.server.allowed.origins" is to do with setting CORS
> header, which means this will continue to work over curl, but will get
> blocked over any browsers. I've attached a screenshot for reference.
>
>
> [image: Screenshot from 2018-06-26 09-48-23.png]
>
>
> Let me know if this helps.
>
> On Tue, 26 Jun 2018 at 04:07, Ying Chen <yi...@gmail.com> wrote:
>
>> Hello -
>>
>> I am in the process of validating some security settings for Zeppelin
>> (0.7.3 w/ HDP 2.6.3)
>>
>> According to: https://zeppelin.apache.org/docs/0.7.0/install/configuration.html
>> zeppelin.server.allowed.origins can be set to only allow requests that
>> are coming from a specific host.
>>
>> I am not sure if I am using this correctly.
>>
>> My HDP system is: my.system.com,
>> running http://my.system.com:9995 - in zeppelin
>>
>> I've updated the advanced zeppelin-config with:
>> zeppelin.server.allowed.origins=https://my.system.com
>>
>> ----------
>> After restarting - to test:
>>
>> Use curl from my machine: mydesktop.system.com
>>
>> 1. Get a JSESSIONID:
>> curl -i -X POST "http://my.system.com:9995/api/login?password=<passwd>&userName=<uid>"
>> -> retrieve JSESSIONID from cookie.
>>
>> 2. Try a query against api/notebook. (I can get at the security
>> curl -v -b 'JSESSIONID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx; Path=/; HttpOnly' http://my.system.com:9995/api/notebook
>> -> This works ... should it?
>>
>> 3. Attempt to add random headers...
>> curl -v -b 'JSESSIONID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx; Path=/; HttpOnly' \
>>   -H 'Host: bogus1.referer.com' -H 'Origin: bogus2.referer.com' \
>>   -H 'Connection: keep-alive' -H 'Referer: http://bogus3.referer.com' \
>>   http://my.system.com:9995/api/notebook
>>
>> -> This still works... should it ?
>>
>> The verbose output shows that Host, Referer and Origin have been passed,
>> yet I am not seeing any sort of blocking...
>>
>> > Host: bogus1.referer.com
>> > User-Agent: curl/7.54.0
>> > Accept: */*
>> > Cookie: JSESSIONID=<sid>; Path=/; HttpOnly
>> > Origin: bogus2.referer.com
>> > Connection: keep-alive
>> > Referer: http://bogus3.referer.com
>>
>> < HTTP/1.1 200 OK
>> < Date: Monday, June 25, 2018 3:16:32 PM PDT
>> < Access-Control-Allow-Origin:
>> < Access-Control-Allow-Credentials: true
>> < Access-Control-Allow-Headers: authorization,Content-Type
>> < Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
>> < X-FRAME-OPTIONS: SAMEORIGIN
>> < X-XSS-Protection: 1
>> < Content-Type: application/json
>> < Date: Mon, 25 Jun 2018 22:16:32 GMT
>> < Content-Length: 75
>> < Server: Jetty(9.2.15.v20160210)
>> <
>>
>>
>> Thoughts?
>>
>> Ying
>>
>>
>
> --
> Thankx and Regards,
>
> Prabhjyot Singh
>
Re: zeppelin.server.allowed.origins - does not seem to work with Zeppelin REST API
Posted by Prabhjyot Singh <pr...@gmail.com>.
Hi Ying,
This config "zeppelin.server.allowed.origins" is to do with setting CORS
header, which means this will continue to work over curl, but will get
blocked over any browsers. I've attached a screenshot for reference.
[image: Screenshot from 2018-06-26 09-48-23.png]
Let me know if this helps.
On Tue, 26 Jun 2018 at 04:07, Ying Chen <yi...@gmail.com> wrote:
> Hello -
>
> I am in the process of validating some security settings for Zeppelin
> (0.7.3 w/ HDP 2.6.3)
>
> According to:
> https://zeppelin.apache.org/docs/0.7.0/install/configuration.html
> zeppelin.server.allowed.origins can be set to only allow requests that are
> coming from a specific host.
>
> I am not sure if I am using this correctly.
>
> My HDP system is: my.system.com,
> running http://my.system.com:9995 - in zeppelin
>
> I've updated the advanced zeppelin-config with:
> zeppelin.server.allowed.origins=https://my.system.com
>
> ----------
> After restarting - to test:
>
> Use curl from my machine: mydesktop.system.com
>
> 1. Get a JSESSIONID:
> curl -i -X POST "http://my.system.com:9995/api/login?password=<passwd>&userName=<uid>"
> -> retrieve JSESSIONID from cookie.
>
> 2. Try a query against api/notebook. (I can get at the security
> curl -v -b 'JSESSIONID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx; Path=/; HttpOnly' http://my.system.com:9995/api/notebook
> -> This works ... should it?
>
> 3. Attempt to add random headers...
> curl -v -b 'JSESSIONID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx; Path=/; HttpOnly' \
>   -H 'Host: bogus1.referer.com' -H 'Origin: bogus2.referer.com' \
>   -H 'Connection: keep-alive' -H 'Referer: http://bogus3.referer.com' \
>   http://my.system.com:9995/api/notebook
>
> -> This still works... should it ?
>
> The verbose output shows that Host, Referer and Origin have been passed,
> yet I am not seeing any sort of blocking...
>
> > Host: bogus1.referer.com
> > User-Agent: curl/7.54.0
> > Accept: */*
> > Cookie: JSESSIONID=<sid>; Path=/; HttpOnly
> > Origin: bogus2.referer.com
> > Connection: keep-alive
> > Referer: http://bogus3.referer.com
>
> < HTTP/1.1 200 OK
> < Date: Monday, June 25, 2018 3:16:32 PM PDT
> < Access-Control-Allow-Origin:
> < Access-Control-Allow-Credentials: true
> < Access-Control-Allow-Headers: authorization,Content-Type
> < Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
> < X-FRAME-OPTIONS: SAMEORIGIN
> < X-XSS-Protection: 1
> < Content-Type: application/json
> < Date: Mon, 25 Jun 2018 22:16:32 GMT
> < Content-Length: 75
> < Server: Jetty(9.2.15.v20160210)
> <
>
>
> Thoughts?
>
> Ying
>
>
--
Thankx and Regards,
Prabhjyot Singh
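To make the point of both replies concrete (the allowed-origins setting only labels responses with CORS headers; a browser enforces those labels, curl ignores them), here is an added Python model that is not Zeppelin's code. The headers are constructed from the capture in the thread; serve_notebook, curl_sees, browser_exposes and reject_foreign_origin are hypothetical names, and ALLOWED_ORIGINS stands in for the zeppelin.server.allowed.origins value Ying set.

```python
from dataclasses import dataclass, field

# Constructed stand-in for zeppelin.server.allowed.origins (value from the thread).
ALLOWED_ORIGINS = {"https://my.system.com"}

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def serve_notebook(request_headers, allowed=ALLOWED_ORIGINS):
    """Server side (hypothetical model, not Zeppelin's code): authenticate by
    cookie, then *label* the response with CORS headers. As in the thread's
    capture, a mismatched Origin yields an empty Access-Control-Allow-Origin,
    but the body is still sent to whoever asked."""
    if "JSESSIONID=" not in request_headers.get("Cookie", ""):
        return Response(401, body='{"status":"UNAUTHORIZED"}')
    origin = request_headers.get("Origin", "")
    headers = {"Access-Control-Allow-Origin": origin if origin in allowed else "",
               "Access-Control-Allow-Credentials": "true"}
    return Response(200, headers, '{"status":"OK","body":[]}')

def curl_sees(resp):
    """curl or any script: prints whatever arrived; CORS headers are ignored."""
    return resp.body

def browser_exposes(resp, page_origin):
    """Browser side, simplified credentialed-request CORS check: the page at
    page_origin may read the body only if the server echoed that exact origin
    and allowed credentials. Enforcement happens here, in the client, after
    the server has already executed the request."""
    acao = resp.headers.get("Access-Control-Allow-Origin", "")
    creds = resp.headers.get("Access-Control-Allow-Credentials") == "true"
    return acao == page_origin and creds

def reject_foreign_origin(request_headers, allowed=ALLOWED_ORIGINS):
    """What real server-side blocking would look like (hypothetical; the thread
    says 0.7.3 does not do this): refuse before serving when an Origin header is
    present and not on the allow list. Caveat: Origin is client-supplied, so this
    stops a browser's cross-site request, not a script that omits the header."""
    origin = request_headers.get("Origin")
    if origin is not None and origin not in allowed:
        return Response(403, body='{"status":"FORBIDDEN"}')
    return serve_notebook(request_headers, allowed)

if __name__ == "__main__":
    req = {"Cookie": "JSESSIONID=abc", "Origin": "bogus2.referer.com"}
    print(serve_notebook(req).headers, "| curl sees:", curl_sees(serve_notebook(req)))
```

Run with the thread's bogus Origin and the server still answers 200 with an empty Access-Control-Allow-Origin, exactly the capture above; only browser_exposes says no, which is the check curl never performs.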