Posted to dev@drill.apache.org by GitBox <gi...@apache.org> on 2020/03/13 17:28:34 UTC

[GitHub] [drill] ihuzenko opened a new pull request #2025: DRILL-7626: Add ability to set HTTP response headers

ihuzenko opened a new pull request #2025: DRILL-7626: Add ability to set HTTP response headers
URL: https://github.com/apache/drill/pull/2025
 
 
   
   
   # [DRILL-7626](https://issues.apache.org/jira/browse/DRILL-7626): Add ability to set HTTP response headers
   
   ## Description
   
   1. Created ResponseHeadersSettingFilter for adding configured values to each response.
   2. Now, when drill.exec.http.ssl_enabled is set to true, users can add the following headers
      to improve security:
         "X-XSS-Protection" : "1; mode=block",
         "X-Content-Type-Options" : "nosniff",
         "Strict-Transport-Security" : "max-age=31536000;includeSubDomains",
         "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"
   
   ## Documentation
   
   Adding new response headers is now possible in drill-override.conf under the key drill.exec.http.jetty.server.response.headers. For example:
   
   ```
   drill.exec: {
     cluster-id: "drillbits1",
     zk.connect: "localhost:2181", 
     http: {
       ssl_enabled: true, 
       jetty.server.response.headers: {
         "X-XSS-Protection": "1; mode=block",
         "X-Content-Type-Options": "nosniff",
         "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
         "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"    
       }
     }
   }
   ```
   
   
   ## Testing
   
   Tested manually with Web UI.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
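An added example, not code from the PR or the Drill project: a small Python audit of the headers the configuration above produces. The SAMPLE_HEADERS dict is constructed to match the drill-override.conf example in the description, HARDENED_HEADERS is a constructed target policy used only for comparison, and the hostname in fetch_headers is a placeholder (8047 is Drill's default Web UI port). Besides confirming the four headers are present, it flags the 'unsafe-inline' sources that the review in this thread asks to track in a follow-up, and checks two things the sample config does not address: that HSTS only does anything when the drillbit is reached over TLS, and that nothing stops the Web UI from being framed.

```python
"""Audit the HTTP security headers a Drill Web UI returns.

Added example for this thread; it is not code from the Drill project or the PR.
It checks the headers the PR's sample drill-override.conf sets, flags the weak
spots raised in review ('unsafe-inline' in the CSP, HSTS that only helps over
TLS, no clickjacking defence) and can be pointed at a live drillbit.
"""
import ssl
import urllib.request
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; the max-age used in the PR's example config


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def parse_hsts_max_age(value: str) -> int:
    """Return the max-age of a Strict-Transport-Security value, or -1 if absent."""
    for token in value.split(";"):
        name, _, number = token.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number)
    return -1


def audit_headers(headers: Dict[str, str], over_https: bool = True) -> List[str]:
    """Return human-readable findings; an empty list means the headers look sound."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        if not over_https:
            findings.append("HSTS served over plain HTTP is ignored by browsers; "
                            "it only matters with drill.exec.http.ssl_enabled=true")
        if parse_hsts_max_age(hsts) < ONE_YEAR:
            findings.append("HSTS max-age is below one year")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        policy = parse_csp(csp)
        fallback = policy.get("default-src", [])
        # script-src and style-src fall back to default-src when not set explicitly
        for directive in ("script-src", "style-src"):
            if "'unsafe-inline'" in policy.get(directive, fallback):
                findings.append(f"CSP {directive} allows 'unsafe-inline' (tracked in DRILL-7642)")
        if "frame-ancestors" not in policy and "x-frame-options" not in h:
            findings.append("no clickjacking defence: add frame-ancestors or X-Frame-Options")

    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append("X-XSS-Protection enables a legacy browser filter; prefer '0' plus a strict CSP")
    return findings


# Constructed sample: what a drillbit sends with the PR's example configuration.
SAMPLE_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
    "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; "
                               "style-src 'unsafe-inline' https:; font-src data: https:; "
                               "img-src data: https:",
}

# Constructed sample of the policy the follow-up work aims at; the Web UI as
# shipped still relies on inline script and style, so this would break it today.
HARDENED_HEADERS = {
    "X-XSS-Protection": "0",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; img-src 'self' data:; frame-ancestors 'none'",
}


def fetch_headers(url: str, verify_tls: bool = True) -> Dict[str, str]:
    """Fetch response headers from a live drillbit, e.g. https://drillbit.example:8047/.

    The hostname is a placeholder; 8047 is Drill's default Web UI port.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab hosts with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print("-", finding)
```

Run it after editing drill-override.conf and restarting the drillbit, swapping SAMPLE_HEADERS for fetch_headers("https://<drillbit>:8047/"). With the example configuration the audit reports four findings: the two 'unsafe-inline' sources tracked in DRILL-7642, the missing framing defence, and the legacy X-XSS-Protection value. HARDENED_HEADERS passes clean and shows what the follow-up is working towards.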

[GitHub] [drill] arina-ielchiieva commented on issue #2025: DRILL-7626: Add ability to set HTTP response headers

Posted by GitBox <gi...@apache.org>.
arina-ielchiieva commented on issue #2025: DRILL-7626: Add ability to set HTTP response headers
URL: https://github.com/apache/drill/pull/2025#issuecomment-599595219
 
 
   @ihuzenko thanks for adding unit test, +1 from my side.


[GitHub] [drill] paul-rogers commented on issue #2025: DRILL-7626: Add ability to set HTTP response headers

Posted by GitBox <gi...@apache.org>.
paul-rogers commented on issue #2025: DRILL-7626: Add ability to set HTTP response headers
URL: https://github.com/apache/drill/pull/2025#issuecomment-599107346
 
 
   Very cool feature, thanks!
   
   I wonder, is it possible to add a unit test for this? In working with the plugin registry, I notice we have few (or no) tests of the UI, and this caused lots of wasted time for reviewers. If we have tests that act as a client to Drill, can we add a quick test for this feature? If not, can we add something so that it is easier to ask others to add unit tests? I think @dobesv may have added something recently.


[GitHub] [drill] ihuzenko commented on a change in pull request #2025: DRILL-7626: Add ability to set HTTP response headers

Posted by GitBox <gi...@apache.org>.
ihuzenko commented on a change in pull request #2025: DRILL-7626: Add ability to set HTTP response headers
URL: https://github.com/apache/drill/pull/2025#discussion_r392871536
 
 

 ##########
 File path: distribution/src/main/resources/drill-override-example.conf
 ##########
 @@ -176,6 +176,15 @@ drill.exec: {
           validatePeerCerts: false,
           # true if SSL wants client authentication.
           wantClientAuth: false
+        },
+        response: {
+          # any response headers with constant values may be configured like this
+          headers: {
+            "X-XSS-Protection": "1; mode=block",
+            "X-Content-Type-Options": "nosniff",
+            "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
+            "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"
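Review bot: the Content-Security-Policy on the last line of this hunk allows 'unsafe-inline' for both script-src and style-src, which lets an injected inline script or style execute and so removes most of the XSS protection the policy is meant to give; since the Web UI still relies on inline script and style, keep the value for now but add a comment on that line saying the relaxation is deliberate and pointing at the follow-up Jira (DRILL-7642 in this thread), and consider adding frame-ancestors 'none' (or an X-Frame-Options header) to the same example, as nothing here stops the UI from being framed. Two smaller points: the comment "# any response headers with constant values may be configured like this" should say whether the headers are sent unconditionally or only with ssl_enabled set to true (the PR description reads as the latter), because a "Strict-Transport-Security": "max-age=31536000;includeSubDomains" header served over plain HTTP is ignored by browsers, and once served over TLS a one-year includeSubDomains policy is hard to back out of; and "X-XSS-Protection": "1; mode=block" turns on a legacy browser filter that current guidance sets to 0 in favour of a strict CSP.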
 
 Review comment:
   Thanks for noticing it. Created new ticket [DRILL-7642](https://issues.apache.org/jira/browse/DRILL-7642). 


[GitHub] [drill] arina-ielchiieva commented on a change in pull request #2025: DRILL-7626: Add ability to set HTTP response headers

Posted by GitBox <gi...@apache.org>.
arina-ielchiieva commented on a change in pull request #2025: DRILL-7626: Add ability to set HTTP response headers
URL: https://github.com/apache/drill/pull/2025#discussion_r393045431
 
 

 ##########
 File path: distribution/src/main/resources/drill-override-example.conf
 ##########
 @@ -176,6 +176,15 @@ drill.exec: {
           validatePeerCerts: false,
           # true if SSL wants client authentication.
           wantClientAuth: false
+        },
+        response: {
+          # any response headers with constant values may be configured like this
+          headers: {
+            "X-XSS-Protection": "1; mode=block",
+            "X-Content-Type-Options": "nosniff",
+            "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
+            "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"
 
 Review comment:
   Perfect, thanks.


[GitHub] [drill] ihuzenko merged pull request #2025: DRILL-7626: Add ability to set HTTP response headers

Posted by GitBox <gi...@apache.org>.
ihuzenko merged pull request #2025: DRILL-7626: Add ability to set HTTP response headers
URL: https://github.com/apache/drill/pull/2025
 
 
   


[GitHub] [drill] arina-ielchiieva commented on a change in pull request #2025: DRILL-7626: Add ability to set HTTP response headers

Posted by GitBox <gi...@apache.org>.
arina-ielchiieva commented on a change in pull request #2025: DRILL-7626: Add ability to set HTTP response headers
URL: https://github.com/apache/drill/pull/2025#discussion_r392673072
 
 

 ##########
 File path: distribution/src/main/resources/drill-override-example.conf
 ##########
 @@ -176,6 +176,15 @@ drill.exec: {
           validatePeerCerts: false,
           # true if SSL wants client authentication.
           wantClientAuth: false
+        },
+        response: {
+          # any response headers with constant values may be configured like this
+          headers: {
+            "X-XSS-Protection": "1; mode=block",
+            "X-Content-Type-Options": "nosniff",
+            "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
+            "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"
 
 Review comment:
   Could you please create Jira to remove inline from scripts and styles and leave comment here with reference to this Jira indicating why we have to allow inline for now? Thanks.


[GitHub] [drill] ihuzenko commented on a change in pull request #2025: DRILL-7626: Add ability to set HTTP response headers

Posted by GitBox <gi...@apache.org>.
ihuzenko commented on a change in pull request #2025: DRILL-7626: Add ability to set HTTP response headers
URL: https://github.com/apache/drill/pull/2025#discussion_r393044939
 
 

 ##########
 File path: distribution/src/main/resources/drill-override-example.conf
 ##########
 @@ -176,6 +176,15 @@ drill.exec: {
           validatePeerCerts: false,
           # true if SSL wants client authentication.
           wantClientAuth: false
+        },
+        response: {
+          # any response headers with constant values may be configured like this
+          headers: {
+            "X-XSS-Protection": "1; mode=block",
+            "X-Content-Type-Options": "nosniff",
+            "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
+            "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"
 
 Review comment:
   done



[GitHub] [drill] paul-rogers commented on issue #2025: DRILL-7626: Add ability to set HTTP response headers

Posted by GitBox <gi...@apache.org>.
paul-rogers commented on issue #2025: DRILL-7626: Add ability to set HTTP response headers
URL: https://github.com/apache/drill/pull/2025#issuecomment-600977062
 
 
   @ihuzenko, a bit late to the party, but thanks for adding the unit test! 


[GitHub] [drill] ihuzenko commented on issue #2025: DRILL-7626: Add ability to set HTTP response headers

Posted by GitBox <gi...@apache.org>.
ihuzenko commented on issue #2025: DRILL-7626: Add ability to set HTTP response headers
URL: https://github.com/apache/drill/pull/2025#issuecomment-599588649
 
 
   Hello @paul-rogers, I've added a simple test for the feature, please take a look.


[GitHub] [drill] arina-ielchiieva commented on a change in pull request #2025: DRILL-7626: Add ability to set HTTP response headers

Posted by GitBox <gi...@apache.org>.
arina-ielchiieva commented on a change in pull request #2025: DRILL-7626: Add ability to set HTTP response headers
URL: https://github.com/apache/drill/pull/2025#discussion_r393000402
 
 

 ##########
 File path: distribution/src/main/resources/drill-override-example.conf
 ##########
 @@ -176,6 +176,15 @@ drill.exec: {
           validatePeerCerts: false,
           # true if SSL wants client authentication.
           wantClientAuth: false
+        },
+        response: {
+          # any response headers with constant values may be configured like this
+          headers: {
+            "X-XSS-Protection": "1; mode=block",
+            "X-Content-Type-Options": "nosniff",
+            "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
+            "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"
 
 Review comment:
   Thanks. Please don't forget to add comment as well :)
