Hello - I am in the process of validating some security settings for Zeppelin (0.7.3 w/ HDP 2.6.3)
According to https://zeppelin.apache.org/docs/0.7.0/install/configuration.html, zeppelin.server.allowed.origins can be set to only allow requests that are coming from a specific host. I am not sure if I am using this correctly.

My HDP system is my.system.com, running http://my.system.com:9995. In Zeppelin I've updated the advanced zeppelin-config with:

    zeppelin.server.allowed.origins=https://my.system.com

After restarting, to test, I use curl from my machine (mydesktop.system.com):

1. Get a JSESSIONID:

    curl -i -X POST "http://my.system.com:9995/api/login?password=<passwd>&userName=<uid>"

   -> retrieve JSESSIONID from cookie.

2. Try a query against api/notebook. (I can get at the security

    curl -v -b 'JSESSIONID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx; Path=/; HttpOnly' http://my.system.com:9995/api/notebook

   -> This works ... should it?

3. Attempt to add random headers...

    curl -v -b 'JSESSIONID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx; Path=/; HttpOnly' -H 'Host: bogus1.referer.com' -H 'Origin: bogus2.referer.com' -H 'Connection: keep-alive' -H 'Referer: http://bogus3.referer.com' http://my.system.com:9995/api/notebook

   -> This still works... should it?

The verbose output shows that Host, Referer and Origin have been passed, yet I am not seeing any sort of blocking...

    > Host: bogus1.referer.com
    > User-Agent: curl/7.54.0
    > Accept: */*
    > Cookie: JSESSIONID=<sid>; Path=/; HttpOnly
    > Origin: bogus2.referer.com
    > Connection: keep-alive
    > Referer: http://bogus3.referer.com
    < HTTP/1.1 200 OK
    < Date: Monday, June 25, 2018 3:16:32 PM PDT
    < Access-Control-Allow-Origin:
    < Access-Control-Allow-Credentials: true
    < Access-Control-Allow-Headers: authorization,Content-Type
    < Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
    < X-FRAME-OPTIONS: SAMEORIGIN
    < X-XSS-Protection: 1
    < Content-Type: application/json
    < Date: Mon, 25 Jun 2018 22:16:32 GMT
    < Content-Length: 75
    < Server: Jetty(9.2.15.v20160210)
    <

Thoughts?

Ying
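Added example (my own code, not the poster's commands and not Zeppelin's implementation). The headers captured above, in particular the empty Access-Control-Allow-Origin next to Access-Control-Allow-Credentials: true, are CORS response headers. CORS is a browser-side control: the server still serves the resource and answers with a header that tells a browser whether a page from the requesting origin may read the result. A tool like curl never applies that rule, so a 200 with an empty Access-Control-Allow-Origin is what a non-browser client sees whether or not its Origin is on the allow list. The script below parses the captured response, applies the browser rule to it, and models a simplified allow-list filter (an assumption about the general mechanism, not Zeppelin's code) so both viewpoints can be checked on realistic input.

```python
# Added example, not code from the original post or from Zeppelin itself.
# It models how an allow-list CORS filter answers an Origin header and how a
# browser interprets that answer, to show why curl still receives HTTP 200.
from typing import Dict, List, Optional, Tuple

# Constructed sample: the response headers quoted in the post above, trimmed.
CAPTURED_RESPONSE = """\
HTTP/1.1 200 OK
Access-Control-Allow-Origin:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: authorization,Content-Type
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
X-FRAME-OPTIONS: SAMEORIGIN
Content-Type: application/json
Content-Length: 75
Server: Jetty(9.2.15.v20160210)
"""

# The value the post sets in zeppelin-config.
CONFIGURED_ALLOWED_ORIGINS = ["https://my.system.com"]


def parse_response_headers(raw: str) -> Tuple[int, Dict[str, str]]:
    """Parse a raw HTTP status line plus headers into (status, {name: value}).
    Header names are lower-cased; an empty value is kept as ''."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def allow_origin_for(allowed: List[str], request_origin: Optional[str]) -> str:
    """Simplified model (assumption, not Zeppelin's code) of an allow-list CORS
    filter: echo the request Origin if it is listed, otherwise send an empty
    Access-Control-Allow-Origin. The filter only decides the header value; it
    does not refuse to serve the resource."""
    if request_origin and request_origin in allowed:
        return request_origin
    return ""


def browser_can_read(headers: Dict[str, str], request_origin: str,
                     with_credentials: bool = True) -> bool:
    """Apply the browser-side CORS rule to a response: a page at request_origin
    may read the body only if ACAO echoes that origin exactly. A '*' is
    accepted only for requests sent without credentials such as cookies."""
    acao = headers.get("access-control-allow-origin", "")
    if acao == "":
        return False
    if acao == "*":
        return not with_credentials
    return acao == request_origin


def evaluate(raw_response: str, request_origin: str) -> Dict[str, object]:
    """Summarise one exchange from both viewpoints: what the server returned,
    and whether a browser page at request_origin versus a tool like curl
    (which never applies CORS) could read the result."""
    status, headers = parse_response_headers(raw_response)
    served = status == 200
    return {
        "status": status,
        "acao": headers.get("access-control-allow-origin", ""),
        "curl_can_read": served,
        "browser_can_read": served and browser_can_read(headers, request_origin),
    }


if __name__ == "__main__":
    # Step 3 of the post: a bogus Origin against the captured response.
    print(evaluate(CAPTURED_RESPONSE, "bogus2.referer.com"))
    # What the modelled filter would emit for the configured origin vs another.
    print(allow_origin_for(CONFIGURED_ALLOWED_ORIGINS, "https://my.system.com"))
    print(repr(allow_origin_for(CONFIGURED_ALLOWED_ORIGINS, "https://other.example")))
```

Two things worth noting when reading the output: a browser sends Origin as scheme://host[:port], so a value like bogus2.referer.com without a scheme would never match an allow list of the form https://my.system.com anyway; and because the allow list only shapes the CORS headers, a same-host check that must hold for scripted clients has to be enforced elsewhere (authentication, network restrictions), not by this setting.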