You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@zeppelin.apache.org by mo...@apache.org on 2017/02/04 00:17:10 UTC

zeppelin git commit: [ZEPPELIN-2014] Jetty Directory Listing on app, assets, components, and scripts

Repository: zeppelin
Updated Branches:
  refs/heads/master 20fd2a9c8 -> e42a8c5c1


[ZEPPELIN-2014] Jetty Directory Listing on app, assets, components, and scripts

### What is this PR for?
Added property for enable/disable public access to directories on server from Web

### What type of PR is it?
[Bug Fix]

### What is the Jira issue?
https://issues.apache.org/jira/browse/ZEPPELIN-2014

### How should this be tested?
Run application and try get list of files in app directory from web.
You will see a response with the code 403. Previously, we saw all files in the directory.
Change property "zeppelin.server.default.dir.allowed" to true and restart server.
Try again, all files should be visible.

### Questions:
* Does the licenses files need update? No
* Is there breaking changes for older versions? No
* Does this needs documentation? Yes

Author: Viktor Boginskii <Vi...@epam.com>

Closes #1962 from vboginskii/ZEPPELIN-2014 and squashes the following commits:

c06ec30 [Viktor Boginskii] [ZEPPELIN-2014] Added property for control public access to directories on server.


Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/e42a8c5c
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/e42a8c5c
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/e42a8c5c

Branch: refs/heads/master
Commit: e42a8c5c1689ffec6e7ea8df5a8f21d61e04e2ef
Parents: 20fd2a9
Author: Viktor Boginskii <Vi...@epam.com>
Authored: Mon Jan 30 19:15:27 2017 +0200
Committer: Lee moon soo <mo...@apache.org>
Committed: Sat Feb 4 09:16:42 2017 +0900

----------------------------------------------------------------------
 conf/zeppelin-site.xml.template                 |  6 ++
 docs/install/configuration.md                   |  6 ++
 .../apache/zeppelin/server/ZeppelinServer.java  |  3 +
 .../apache/zeppelin/security/DirAccessTest.java | 59 ++++++++++++++++++++
 .../zeppelin/conf/ZeppelinConfiguration.java    |  3 +-
 5 files changed, 76 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zeppelin/blob/e42a8c5c/conf/zeppelin-site.xml.template
----------------------------------------------------------------------
diff --git a/conf/zeppelin-site.xml.template b/conf/zeppelin-site.xml.template
index cbe0b5c..bd8d7dd 100755
--- a/conf/zeppelin-site.xml.template
+++ b/conf/zeppelin-site.xml.template
@@ -304,4 +304,10 @@
   <description>Size in characters of the maximum text message to be received by websocket. Defaults to 1024000</description>
 </property>
 
+<property>
+  <name>zeppelin.server.default.dir.allowed</name>
+  <value>false</value>
+  <description>Enable directory listings on server.</description>
+</property>
+
 </configuration>

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/e42a8c5c/docs/install/configuration.md
----------------------------------------------------------------------
diff --git a/docs/install/configuration.md b/docs/install/configuration.md
index 56f6404..befb520 100644
--- a/docs/install/configuration.md
+++ b/docs/install/configuration.md
@@ -260,6 +260,12 @@ If both are defined, then the **environment variables** will take priority.
     <td>1024000</td>
     <td>Size (in characters) of the maximum text message that can be received by websocket.</td>
   </tr>
+  <tr>
+    <td>ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED</td>
+    <td>zeppelin.server.default.dir.allowed</td>
+    <td>false</td>
+    <td>Enable directory listings on server.</td>
+  </tr>
 </table>
 
 

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/e42a8c5c/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
----------------------------------------------------------------------
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
index 371d0a1..0657127 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
@@ -346,6 +346,9 @@ public class ZeppelinServer extends Application {
     webApp.addFilter(new FilterHolder(CorsFilter.class), "/*",
         EnumSet.allOf(DispatcherType.class));
 
+    webApp.setInitParameter("org.eclipse.jetty.servlet.Default.dirAllowed",
+            Boolean.toString(conf.getBoolean(ConfVars.ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED)));
+
     return webApp;
 
   }

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/e42a8c5c/zeppelin-server/src/test/java/org/apache/zeppelin/security/DirAccessTest.java
----------------------------------------------------------------------
diff --git a/zeppelin-server/src/test/java/org/apache/zeppelin/security/DirAccessTest.java b/zeppelin-server/src/test/java/org/apache/zeppelin/security/DirAccessTest.java
new file mode 100644
index 0000000..820d0ba
--- /dev/null
+++ b/zeppelin-server/src/test/java/org/apache/zeppelin/security/DirAccessTest.java
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zeppelin.security;
+
+import org.apache.commons.httpclient.HttpClient;
+import org.apache.commons.httpclient.HttpStatus;
+import org.apache.commons.httpclient.methods.GetMethod;
+import org.apache.zeppelin.conf.ZeppelinConfiguration;
+import org.apache.zeppelin.rest.AbstractTestRestApi;
+import org.junit.Test;
+
+public class DirAccessTest extends AbstractTestRestApi {
+
+  @Test
+  public void testDirAccessForbidden() throws Exception {
+    System.setProperty(ZeppelinConfiguration.ConfVars.ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED.getVarName(), "false");
+    AbstractTestRestApi.startUpWithAuthenticationEnable();
+    HttpClient httpClient = new HttpClient();
+    GetMethod getMethod = new GetMethod(getUrlToTest() + "/app/");
+    httpClient.executeMethod(getMethod);
+    AbstractTestRestApi.shutDown();
+    assert getMethod.getStatusCode() == HttpStatus.SC_FORBIDDEN;
+  }
+
+  @Test
+  public void testDirAccessOk() throws Exception {
+    System.setProperty(ZeppelinConfiguration.ConfVars.ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED.getVarName(), "true");
+    AbstractTestRestApi.startUpWithAuthenticationEnable();
+    HttpClient httpClient = new HttpClient();
+    GetMethod getMethod = new GetMethod(getUrlToTest() + "/app/");
+    httpClient.executeMethod(getMethod);
+    AbstractTestRestApi.shutDown();
+    assert getMethod.getStatusCode() == HttpStatus.SC_OK;
+  }
+
+  protected static String getUrlToTest() {
+    String url = "http://localhost:8080";
+    if (System.getProperty("url") != null) {
+      url = System.getProperty("url");
+    }
+    return url;
+  }
+}
+

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/e42a8c5c/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
----------------------------------------------------------------------
diff --git a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
index 259f948..2c8d91c 100644
--- a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
+++ b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
@@ -607,7 +607,8 @@ public class ZeppelinConfiguration extends XMLConfiguration {
     ZEPPELIN_ALLOWED_ORIGINS("zeppelin.server.allowed.origins", "*"),
     ZEPPELIN_ANONYMOUS_ALLOWED("zeppelin.anonymous.allowed", true),
     ZEPPELIN_CREDENTIALS_PERSIST("zeppelin.credentials.persist", true),
-    ZEPPELIN_WEBSOCKET_MAX_TEXT_MESSAGE_SIZE("zeppelin.websocket.max.text.message.size", "1024000");
+    ZEPPELIN_WEBSOCKET_MAX_TEXT_MESSAGE_SIZE("zeppelin.websocket.max.text.message.size", "1024000"),
+    ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED("zeppelin.server.default.dir.allowed", false);
 
     private String varName;
     @SuppressWarnings("rawtypes")