Hello - So, what you are saying is that this is something that is protected over WebSocket, but not through the HTTP endpoint? curl just exercises an HTTP call.....
Ying

On Mon, Jun 25, 2018 at 9:19 PM, Prabhjyot Singh <prabhjyotsi...@gmail.com> wrote:
> Hi Ying,
>
> This config "zeppelin.server.allowed.origins" is to do with setting CORS
> header, which means this will continue to work over curl, but will get
> blocked over any browsers. I've attached a screenshot for reference.
>
> [image: Screenshot from 2018-06-26 09-48-23.png]
>
> Let me know if this helps.
>
> On Tue, 26 Jun 2018 at 04:07, Ying Chen <ying.in...@gmail.com> wrote:
>
>> Hello -
>>
>> I am in the process of validating some security settings for Zeppelin
>> (0.7.3 w/ HDP 2.6.3)
>>
>> According to: https://zeppelin.apache.org/docs/0.7.0/install/configuration.html
>> zeppelin.server.allowed.origins can be set to only allow requests that
>> are coming from a specific host.
>>
>> I am not sure if I am using this correctly.
>>
>> My HDP system is: my.system.com,
>> running http://my.system.com:9995 - in zeppelin
>>
>> I've updated the advanced zeppelin-config with :
>> zeppelin.server.allowed.origins=https://my.system.com
>>
>> ----------
>> After restarting - to test:
>>
>> Use curl from my machine: mydesktop.system.com
>>
>> 1. Get a JSESSIONID:
>> curl -i -X POST "http://my.system.com:9995/api/login?password=<passwd>&userName=<uid>"
>> -> retrieve JSESSIONID from cookie.
>>
>> 2. Try a query against api/notebook. (I can get at the security
>> curl -v -b 'JSESSIONID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx; Path=/; HttpOnly' http://my.system.com:9995/api/notebook
>> -> This works ... should it?
>>
>> 3. Attempt to add random headers...
>> curl -v -b 'JSESSIONID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx; Path=/; HttpOnly' -H 'Host: bogus1.referer.com' -H 'Origin: bogus2.referer.com' -H 'Connection: keep-alive' -H 'Referer: http://bogus3.referer.com' http://my.system.com:9995/api/notebook
>>
>> -> This still works... should it ?
>>
>> The verbose output shows that Host, Referer and Origin have been passed,
>> yet I am not seeing any sort of blocking...
>>
>> > Host: bogus1.referer.com
>> > User-Agent: curl/7.54.0
>> > Accept: */*
>> > Cookie: JSESSIONID=<sid>; Path=/; HttpOnly
>> > Origin: bogus2.referer.com
>> > Connection: keep-alive
>> > Referer: http://bogus3.referer.com
>> >
>> < HTTP/1.1 200 OK
>> < Date: Monday, June 25, 2018 3:16:32 PM PDT
>> < Access-Control-Allow-Origin:
>> < Access-Control-Allow-Credentials: true
>> < Access-Control-Allow-Headers: authorization,Content-Type
>> < Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
>> < X-FRAME-OPTIONS: SAMEORIGIN
>> < X-XSS-Protection: 1
>> < Content-Type: application/json
>> < Date: Mon, 25 Jun 2018 22:16:32 GMT
>> < Content-Length: 75
>> < Server: Jetty(9.2.15.v20160210)
>> <
>>
>> Thoughts?
>>
>> Ying
>>
>
> --
> Thankx and Regards,
>
> Prabhjyot Singh
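The behaviour Prabhjyot describes (the allow-list only shapes the CORS response header, and the browser is the component that enforces it) can be modelled in a few lines. The following is an added illustration written for this thread, not Zeppelin's own code: it assumes a simplified `/api/notebook` handler that authenticates purely on the JSESSIONID cookie, an allow-list holding the thread's configured value `https://my.system.com`, and a constructed session id and request headers copied from Ying's curl run. It shows that the same response is a 200 for curl no matter what `Origin` is sent, while a script in a browser page is only allowed to read it when `Access-Control-Allow-Origin` exactly echoes the page's origin.

```python
"""Added example (not Zeppelin's implementation): a CORS allow-list
controls response headers, not whether the request is served."""
from typing import Dict, Optional, Set, Tuple

# Assumed allow-list, mirroring the config value quoted in the thread.
ALLOWED_ORIGINS: Set[str] = {"https://my.system.com"}

# Constructed session id, standing in for one returned by /api/login.
SESSIONS: Set[str] = {"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"}

# Constructed request headers, shaped like step 3 of the curl test.
CURL_WITH_BOGUS_ORIGIN: Dict[str, str] = {
    "Host": "bogus1.referer.com",
    "Cookie": "JSESSIONID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx; Path=/; HttpOnly",
    "Origin": "bogus2.referer.com",
    "Referer": "http://bogus3.referer.com",
}


def parse_jsessionid(cookie_header: str) -> Optional[str]:
    """Pull the JSESSIONID value out of a raw Cookie header."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "JSESSIONID":
            return value
    return None


def cors_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """CORS headers for one response.

    Exact-match comparison against the allow-list: a substring or
    prefix match would let "https://my.system.com.evil.example" through.
    A missing or non-allowed origin yields an empty header, which is the
    shape visible in the thread's curl output.
    """
    allowed = request_origin if request_origin in ALLOWED_ORIGINS else ""
    return {
        "Access-Control-Allow-Origin": allowed,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Headers": "authorization,Content-Type",
        "Access-Control-Allow-Methods": "POST, GET, OPTIONS, PUT, HEAD, DELETE",
    }


def handle_api_request(headers: Dict[str, str],
                       valid_sessions: Set[str]) -> Tuple[int, Dict[str, str], str]:
    """Simplified server side of GET /api/notebook.

    Access is decided by the session cookie alone; Origin, Referer and
    Host never change the status code, only the CORS headers attached.
    """
    session = parse_jsessionid(headers.get("Cookie", ""))
    if session not in valid_sessions:
        return 401, {}, ""
    return 200, cors_headers(headers.get("Origin")), '{"status":"OK","body":[]}'


def browser_script_can_read(page_origin: str, status: int,
                            resp_headers: Dict[str, str]) -> bool:
    """Browser-side check for a credentialed cross-origin fetch.

    The response has already reached the browser; it is handed to the
    page's script only if Access-Control-Allow-Origin echoes the page's
    origin exactly and credentials are allowed ("*" is rejected with
    credentials, and so is the empty value).
    """
    acao = resp_headers.get("Access-Control-Allow-Origin", "")
    creds = resp_headers.get("Access-Control-Allow-Credentials", "")
    return status == 200 and acao == page_origin and creds == "true"


def curl_can_read(status: int, resp_headers: Dict[str, str]) -> bool:
    """curl implements no CORS at all: any 2xx body is fully usable."""
    return 200 <= status < 300


if __name__ == "__main__":
    status, hdrs, body = handle_api_request(CURL_WITH_BOGUS_ORIGIN, SESSIONS)
    print("curl, bogus Origin:", status, "ACAO=%r" % hdrs["Access-Control-Allow-Origin"],
          "readable by curl:", curl_can_read(status, hdrs),
          "readable by a page at bogus2.referer.com:",
          browser_script_can_read("bogus2.referer.com", status, hdrs))
    good = dict(CURL_WITH_BOGUS_ORIGIN, Origin="https://my.system.com")
    status, hdrs, body = handle_api_request(good, SESSIONS)
    print("browser page at https://my.system.com:", status,
          "readable:", browser_script_can_read("https://my.system.com", status, hdrs))
```

The model makes the defender's point explicit: `zeppelin.server.allowed.origins` is a browser-facing control against cross-site scripts reading responses, not an access-control list for the HTTP API. Anything that can present a valid session cookie and does not run inside a browser (curl, scripts, other services) is unaffected by it, so the cookie and authentication settings remain what actually gates the endpoint.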