Hi Ying,

This config "zeppelin.server.allowed.origins" is to do with setting the CORS header, which means this will continue to work over curl, but will get blocked by any browser. I've attached a screenshot for reference.

[image: Screenshot from 2018-06-26 09-48-23.png]

Let me know if this helps.

On Tue, 26 Jun 2018 at 04:07, Ying Chen <ying.in...@gmail.com> wrote:
> Hello -
>
> I am in the process of validating some security settings for Zeppelin (0.7.3 w/ HDP 2.6.3)
>
> According to: https://zeppelin.apache.org/docs/0.7.0/install/configuration.html
> zeppelin.server.allowed.origins can be set to only allow requests that are coming from a specific host.
>
> I am not sure if I am using this correctly.
>
> My HDP system is: my.system.com, running http://my.system.com:9995 - in zeppelin
>
> I've updated the advanced zeppelin-config with:
> zeppelin.server.allowed.origins=https://my.system.com
>
> ----------
> After restarting - to test:
>
> Use curl from my machine: mydesktop.system.com
>
> 1. Get a JSESSIONID:
> curl -i -X POST "http://my.system.com:9995/api/login?password=<passwd>&userName=<uid>"
> -> retrieve JSESSIONID from cookie.
>
> 2. Try a query against api/notebook. (I can get at the security
> curl -v -b 'JSESSIONID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx; Path=/; HttpOnly' http://my.system.com:9995/api/notebook
> -> This works ... should it?
>
> 3. Attempt to add random headers...
> curl -v -b 'JSESSIONID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx; Path=/; HttpOnly' -H 'Host: bogus1.referer.com' -H 'Origin: bogus2.referer.com' -H 'Connection: keep-alive' -H 'Referer: http://bogus3.referer.com' http://my.system.com:9995/api/notebook
> -> This still works... should it?
>
> The verbose output shows that Host, Referer and Origin have been passed, yet I am not seeing any sort of blocking...
>
> > Host: bogus1.referer.com
> > User-Agent: curl/7.54.0
> > Accept: */*
> > Cookie: JSESSIONID=<sid>; Path=/; HttpOnly
> > Origin: bogus2.referer.com
> > Connection: keep-alive
> > Referer: http://bogus3.referer.com
> >
> < HTTP/1.1 200 OK
> < Date: Monday, June 25, 2018 3:16:32 PM PDT
> < Access-Control-Allow-Origin:
> < Access-Control-Allow-Credentials: true
> < Access-Control-Allow-Headers: authorization,Content-Type
> < Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
> < X-FRAME-OPTIONS: SAMEORIGIN
> < X-XSS-Protection: 1
> < Content-Type: application/json
> < Date: Mon, 25 Jun 2018 22:16:32 GMT
> < Content-Length: 75
> < Server: Jetty(9.2.15.v20160210)
> <
>
> Thoughts?
>
> Ying
>

--
Thanks and Regards,
Prabhjyot Singh
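The point of the reply, as an added example that is not part of the thread and not Zeppelin's own code: an allowed-origins setting only decides what goes into the Access-Control-Allow-Origin response header. The server still answers 200 to every client; it is the browser that refuses to hand the response to a page whose origin does not match, and curl performs no such check. The toy server below mirrors the response Ying captured (an empty Allow-Origin header for a non-allowed Origin) and the two client behaviours. The exact rule Zeppelin applies is not shown on the page; the echo-if-allowed-else-empty logic here is an assumption that only reproduces the observed header, and the JSON body is constructed.

```python
"""Toy model of how an allowed-origins (CORS) setting behaves.

Added example, not Zeppelin code. The request is always processed;
only the CORS response headers depend on the Origin header, and only
a browser acts on them.
"""
from typing import Dict, Tuple

# Value from the thread's zeppelin.server.allowed.origins setting.
ALLOWED_ORIGINS = {"https://my.system.com"}


def cors_headers(request_headers: Dict[str, str]) -> Dict[str, str]:
    """Build CORS response headers for one request.

    Assumed rule (mirrors the captured response, not Zeppelin's source):
    echo the Origin back when it is on the allow list, otherwise emit an
    empty Access-Control-Allow-Origin header.
    """
    origin = request_headers.get("Origin", "")
    allowed = origin if origin in ALLOWED_ORIGINS else ""
    return {
        "Access-Control-Allow-Origin": allowed,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Headers": "authorization,Content-Type",
        "Access-Control-Allow-Methods": "POST, GET, OPTIONS, PUT, HEAD, DELETE",
    }


def handle_request(request_headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Serve the request regardless of Origin; CORS never blocks server-side.

    Host and Referer are deliberately ignored: the allowed-origins setting
    does not look at them, which is why spoofing them changed nothing.
    """
    body = '{"status":"OK","message":"","body":[]}'  # constructed sample body
    return 200, cors_headers(request_headers), body


def browser_can_read(page_origin: str, response_headers: Dict[str, str]) -> bool:
    """Simulate the browser-side check that curl never performs.

    For a credentialed request the browser requires an exact match of
    Access-Control-Allow-Origin with the page's origin; an empty or
    missing header means the page cannot read the response.
    """
    acao = response_headers.get("Access-Control-Allow-Origin", "")
    return acao != "" and acao == page_origin


def curl_can_read(response_headers: Dict[str, str]) -> bool:
    """curl prints whatever the server returns; CORS headers are just text to it."""
    return True


def run_scenarios() -> Dict[str, Dict[str, bool]]:
    """Compare curl and browser outcomes for the origins seen in the thread."""
    results = {}
    for origin in ("https://my.system.com", "https://bogus2.referer.com"):
        status, headers, _ = handle_request({"Origin": origin})
        results[origin] = {
            "server_returned_200": status == 200,
            "curl_reads_body": curl_can_read(headers),
            "browser_reads_body": browser_can_read(origin, headers),
        }
    return results


if __name__ == "__main__":
    for origin, outcome in run_scenarios().items():
        print(origin, outcome)
```

Checking the setting from curl therefore only shows whether the Access-Control-Allow-Origin header is populated for a given Origin; a request from a page on a non-allowed origin has to be made from a browser to see the block, and it is the browser, not the server, that withholds the response.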