[jira] [Commented] (HDFS-12693) Ozone: Enable XFrame options for KSM/SCM web ui
[ https://issues.apache.org/jira/browse/HDFS-12693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16455303#comment-16455303 ]

Hudson commented on HDFS-12693:
---

SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #14070 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/14070/])
HDFS-12693. Ozone: Enable XFrame options for KSM/SCM web ui. Contributed (omalley: rev 731a69faa1d2454fbcb70262fd333d508042a0c7)
* (edit) hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/ozone/web/OzoneHttpServer.java

> Ozone: Enable XFrame options for KSM/SCM web ui
> ---
>
>                 Key: HDFS-12693
>                 URL: https://issues.apache.org/jira/browse/HDFS-12693
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: ozone
>    Affects Versions: HDFS-7240
>            Reporter: Elek, Marton
>            Assignee: Elek, Marton
>            Priority: Major
>             Fix For: HDFS-7240
>
>         Attachments: HDFS-12693-HDFS-7240.001.patch
>
>
> According to the discussion about security checklist on dev list I started to
> check the security features of the existing HttpServer2 and found that by
> default the XFrame option headers are disabled. This patch enables it by
> default for SCM/KSM server similar to the Namenode/Datanode webui.
> (Note: Even if the only form on the SCM/KSM ui-s is the standard LogLevel
> form, I think it's a good practice to enable it by default.)
> Test:
> Without the patch (clean build, SCM ui):
> {code}
> curl -v localhost:9876/jmx -o /dev/null
>
> * TCP_NODELAY set
> * Connected to localhost (::1) port 9876 (#0)
> > GET /jmx HTTP/1.1
> > Host: localhost:9876
> > User-Agent: curl/7.55.1
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Date: Sat, 21 Oct 2017 19:54:43 GMT
> < Cache-Control: no-cache
> < Expires: Sat, 21 Oct 2017 19:54:43 GMT
> < Date: Sat, 21 Oct 2017 19:54:43 GMT
> < Pragma: no-cache
> < Content-Type: application/json; charset=utf8
> < Access-Control-Allow-Methods: GET
> < Access-Control-Allow-Origin: *
> < Transfer-Encoding: chunked
> {code}
> With the patch:
> {code}
> curl -v localhost:9876/jmx -o /dev/null
>
> * Connected to localhost (::1) port 9876 (#0)
> > GET /jmx HTTP/1.1
> > Host: localhost:9876
> > User-Agent: curl/7.55.1
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Date: Sat, 21 Oct 2017 19:55:07 GMT
> < Cache-Control: no-cache
> < Expires: Sat, 21 Oct 2017 19:55:07 GMT
> < Date: Sat, 21 Oct 2017 19:55:07 GMT
> < Pragma: no-cache
> < Content-Type: application/json; charset=utf8
> < X-FRAME-OPTIONS: SAMEORIGIN
> < Access-Control-Allow-Methods: GET
> < Access-Control-Allow-Origin: *
> < Transfer-Encoding: chunked
> {code}
> Note: X-FRAME-OPTIONS header exists at the second case.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)

To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Commented] (HDFS-12693) Ozone: Enable XFrame options for KSM/SCM web ui
[ https://issues.apache.org/jira/browse/HDFS-12693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16451090#comment-16451090 ]

Hudson commented on HDFS-12693:
---

SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #14057 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/14057/])
HDFS-12693. Ozone: Enable XFrame options for KSM/SCM web ui. Contributed (aengineer: rev 27f412fad129b1df7bcb68e9153d33033175d936)
* (edit) hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/ozone/web/OzoneHttpServer.java
[jira] [Commented] (HDFS-12693) Ozone: Enable XFrame options for KSM/SCM web ui
[ https://issues.apache.org/jira/browse/HDFS-12693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16220802#comment-16220802 ]

Anu Engineer commented on HDFS-12693:
-

+1, I will commit this shortly.
[jira] [Commented] (HDFS-12693) Ozone: Enable XFrame options for KSM/SCM web ui
[ https://issues.apache.org/jira/browse/HDFS-12693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16216991#comment-16216991 ]

Elek, Marton commented on HDFS-12693:
-

Yes, it could be useful when a cluster management tool (like Ambari or Cloudera Manager) would like to include the webui as an iframe.

I am not so familiar with the management tools, so don't know if they use iframe now, but with the configuration it is possible to set "X-Frame-Options: ALLOW-FROM https://management.internal/"
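The manual curl check from the issue description, extended to the ALLOW-FROM value mentioned in the comment above, as an added example that is not part of the thread or of Hadoop: a shell function that classifies the X-Frame-Options header in captured `curl -v` output. The function names, verdict labels and trimmed sample responses are assumptions of this example; `ALLOW-FROM` gets its own verdict because current browsers ignore that value.

```shell
#!/bin/sh
# Added example (not Hadoop code). Names and verdict labels are hypothetical.
# Typical live use:
#   curl -sv localhost:9876/jmx -o /dev/null 2>&1 | xfo_gate

# xfo_verdict: read response headers on stdin (plain, or "< "-prefixed as in
# curl -v output) and print one verdict line.
xfo_verdict() {
  awk '
    { sub(/\r$/, ""); sub(/^< /, "") }   # drop CR and the curl -v prefix
    tolower($0) ~ /^x-frame-options:/ {  # header names are case-insensitive
      v = $0
      sub(/^[^:]*:[ \t]*/, "", v)        # keep only the header value
      sub(/[ \t]+$/, "", v)
      vals[++n] = v
    }
    END {
      if (n == 0) { print "MISSING"; exit }
      for (i = 2; i <= n; i++)           # repeated headers must agree
        if (toupper(vals[i]) != toupper(vals[1])) { print "CONFLICT"; exit }
      u = toupper(vals[1])
      if (u == "DENY" || u == "SAMEORIGIN") print "OK " u
      else if (u ~ /^ALLOW-FROM[ \t]+[^ \t]+$/) print "LEGACY " vals[1]
      else print "INVALID " vals[1]
    }'
}

# xfo_gate: print the verdict; succeed only for DENY or SAMEORIGIN.
xfo_gate() {
  verdict=$(xfo_verdict)
  echo "$verdict"
  case $verdict in OK\ *) return 0 ;; *) return 1 ;; esac
}

# Constructed samples, trimmed from the two curl outputs quoted in the issue,
# plus the ALLOW-FROM value from the comment.
sample_unpatched() {
  printf '%s\r\n' '< HTTP/1.1 200 OK' '< Pragma: no-cache' \
    '< Content-Type: application/json; charset=utf8' \
    '< Access-Control-Allow-Origin: *'
}
sample_patched() {
  printf '%s\r\n' '< HTTP/1.1 200 OK' '< Pragma: no-cache' \
    '< X-FRAME-OPTIONS: SAMEORIGIN' '< Access-Control-Allow-Origin: *'
}
sample_allow_from() {
  printf '%s\r\n' 'HTTP/1.1 200 OK' \
    'X-Frame-Options: ALLOW-FROM https://management.internal/'
}

for s in sample_unpatched sample_patched sample_allow_from; do
  printf '%-18s %s\n' "$s" "$($s | xfo_verdict)"
done
```
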
[jira] [Commented] (HDFS-12693) Ozone: Enable XFrame options for KSM/SCM web ui
[ https://issues.apache.org/jira/browse/HDFS-12693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16216103#comment-16216103 ]

Anu Engineer commented on HDFS-12693:
-

Quick question: In the original case X-Frames was an option since we had to worry about the backward compat. Do we have a case where people would not want X-Frame? That is, is there a case other than backward compatibility where we do not want X-Frame?
[jira] [Commented] (HDFS-12693) Ozone: Enable XFrame options for KSM/SCM web ui
[ https://issues.apache.org/jira/browse/HDFS-12693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16214125#comment-16214125 ]

Hadoop QA commented on HDFS-12693:
--

| (x) *-1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 16m 42s | Docker mode activated. |
|| || || || Prechecks ||
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| -1 | test4tests | 0m 0s | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
|| || || || HDFS-7240 Compile Tests ||
| +1 | mvninstall | 19m 59s | HDFS-7240 passed |
| +1 | compile | 1m 25s | HDFS-7240 passed |
| +1 | checkstyle | 0m 55s | HDFS-7240 passed |
| +1 | mvnsite | 1m 41s | HDFS-7240 passed |
| +1 | shadedclient | 15m 14s | branch has no errors when building and testing our client artifacts. |
| +1 | findbugs | 3m 19s | HDFS-7240 passed |
| +1 | javadoc | 1m 27s | HDFS-7240 passed |
|| || || || Patch Compile Tests ||
| +1 | mvninstall | 1m 28s | the patch passed |
| +1 | compile | 1m 18s | the patch passed |
| +1 | javac | 1m 18s | the patch passed |
| +1 | checkstyle | 0m 51s | the patch passed |
| +1 | mvnsite | 1m 51s | the patch passed |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 | shadedclient | 14m 24s | patch has no errors when building and testing our client artifacts. |
| +1 | findbugs | 3m 5s | the patch passed |
| +1 | javadoc | 1m 21s | the patch passed |
|| || || || Other Tests ||
| -1 | unit | 90m 43s | hadoop-hdfs in the patch failed. |
| +1 | asflicense | 0m 45s | The patch does not generate ASF License warnings. |
| | | 175m 41s | |

|| Reason || Tests ||
| Failed junit tests | hadoop.hdfs.TestReadStripedFileWithMissingBlocks |
| | hadoop.hdfs.TestDFSStripedOutputStreamWithFailure130 |
| | hadoop.hdfs.server.datanode.TestDataNodeVolumeFailure |
| Timed out junit tests | org.apache.hadoop.hdfs.server.datanode.TestDataNodeVolumeFailureReporting |
| | org.apache.hadoop.hdfs.server.datanode.fsdataset.impl.TestScrLazyPersistFiles |
| | org.apache.hadoop.hdfs.server.datanode.fsdataset.impl.TestLazyPersistFiles |
| | org.apache.hadoop.hdfs.server.datanode.fsdataset.impl.TestLazyPersistReplicaPlacement |

|| Subsystem || Report/Notes ||
| Docker | Image:yetus/hadoop:71bbb86 |
| JIRA Issue | HDFS-12693 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12893430/HDFS-12693-HDFS-7240.001.patch |
| Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle |
| uname | Linux 9ff1c2750d28 3.13.0-129-generic #178-Ubuntu SMP Fri Aug 11 12:48:20 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh |
| git re