[jira] [Created] (ZEPPELIN-4724) Zeppelin Documentation link in top menubar is broken for 0.9.0-SNAPSHOT

2020-04-04 Thread Krishna Pandey (Jira)
Krishna Pandey created ZEPPELIN-4724:


 Summary: Zeppelin Documentation link in top menubar is broken for 
0.9.0-SNAPSHOT
 Key: ZEPPELIN-4724
 URL: https://issues.apache.org/jira/browse/ZEPPELIN-4724
 Project: Zeppelin
  Issue Type: Bug
  Components: documentation
Affects Versions: 0.9.0
Reporter: Krishna Pandey
 Fix For: 0.9.0


The top menu bar for 
[http://zeppelin.apache.org/docs/0.9.0-SNAPSHOT/index.html] which consists of 
documentation related to "Quick Start", "Usage", "Setup", etc. has broken 
links. 

While the links displayed as part of the web page Table of Contents are updated 
with correct URLs, e.g. for "HTTP Security Headers" it is 
http://zeppelin.apache.org/docs/0.9.0-SNAPSHOT/setup/security/http_security_headers.html, 
the drop-down menu link shows 
http://zeppelin.apache.org/setup/security/http_security_headers.html 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[GitHub] [zeppelin] krishna-pandey commented on issue #3716: [ZEPPELIN-4723] Enable HTTP security headers by default

2020-04-04 Thread GitBox
krishna-pandey commented on issue #3716: [ZEPPELIN-4723] Enable HTTP security 
headers by default
URL: https://github.com/apache/zeppelin/pull/3716#issuecomment-609068083
 
 
   @alexott made the suggested changes, please review. Thanks.


This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services


[GitHub] [zeppelin] alexott commented on issue #3716: [ZEPPELIN-4723] Enable HTTP security headers by default

2020-04-04 Thread GitBox
alexott commented on issue #3716: [ZEPPELIN-4723] Enable HTTP security headers 
by default
URL: https://github.com/apache/zeppelin/pull/3716#issuecomment-609057771
 
 
   Great! Thank you! 
   Can you add the link to build to the description of PR? And please update 
docs...




[GitHub] [zeppelin] asfgit closed pull request #3713: [ZEPPELIN-4718] Fix Regression HDFS Notebook Storage

2020-04-04 Thread GitBox
asfgit closed pull request #3713: [ZEPPELIN-4718] Fix Regression HDFS Notebook 
Storage
URL: https://github.com/apache/zeppelin/pull/3713
 
 
   




[GitHub] [zeppelin] asfgit closed pull request #3714: [ZEPPELIN-4719] Use new travis semantic

2020-04-04 Thread GitBox
asfgit closed pull request #3714: [ZEPPELIN-4719] Use new travis semantic
URL: https://github.com/apache/zeppelin/pull/3714
 
 
   




[GitHub] [zeppelin] krishna-pandey commented on issue #3716: [ZEPPELIN-4723] Enable HTTP security headers by default

2020-04-04 Thread GitBox
krishna-pandey commented on issue #3716: [ZEPPELIN-4723] Enable HTTP security 
headers by default
URL: https://github.com/apache/zeppelin/pull/3716#issuecomment-609041530
 
 
   @alexott It's happening as we speak at 
https://travis-ci.org/github/krishna-pandey/zeppelin/builds/670946421, also I 
will verify locally. Thanks.




[GitHub] [zeppelin] asfgit closed pull request #3712: [ZEPPELIN-4721]Fix the ConcurrentModificationException occured when connect presto via JDBC generic interpreter

2020-04-04 Thread GitBox
asfgit closed pull request #3712: [ZEPPELIN-4721]Fix the 
ConcurrentModificationException occured when connect presto via JDBC generic 
interpreter
URL: https://github.com/apache/zeppelin/pull/3712
 
 
   




[GitHub] [zeppelin] krishna-pandey commented on issue #3716: [ZEPPELIN-4723] Enable HTTP security headers by default

2020-04-04 Thread GitBox
krishna-pandey commented on issue #3716: [ZEPPELIN-4723] Enable HTTP security 
headers by default
URL: https://github.com/apache/zeppelin/pull/3716#issuecomment-609034565
 
 
   @prabhjyotsingh @jongyoul @Leemoonsoo @zjffdu 
   Can you please help review this? Thanks.




[GitHub] [zeppelin] krishna-pandey opened a new pull request #3716: [ZEPPELIN-4723] Enable HTTP security headers by default

2020-04-04 Thread GitBox
krishna-pandey opened a new pull request #3716: [ZEPPELIN-4723] Enable HTTP 
security headers by default
URL: https://github.com/apache/zeppelin/pull/3716
 
 
   ### What is this PR for?
   Zeppelin when installed with default configuration options doesn't enable 
the common web application security headers, e.g. 
zeppelin.server.xframe.options,  zeppelin.server.xxss.protection, 
zeppelin.server.jetty.name, zeppelin.server.xcontent.type.options. This leaves 
the Zeppelin installation vulnerable.
   
   ### What type of PR is it?
   Improvement
   
   ### Todos
   * Discuss HSTS header config (zeppelin.server.strict.transport) which if 
enabled requires TLS to be configured for Zeppelin to work
   
   ### What is the Jira issue?
   * [ZEPPELIN-4723](https://issues.apache.org/jira/browse/ZEPPELIN-4723)
   
   ### How should this be tested?
   * Below headers can be verified with received HTTP response 
   Server: 
   X-Content-Type-Options: nosniff
   X-FRAME-OPTIONS: SAMEORIGIN
   X-XSS-Protection: 1; mode=block
   
   ### Questions:
   * Does the licenses files need update? No
   * Is there breaking changes for older versions? No
   * Does this needs documentation? No
   




[jira] [Created] (ZEPPELIN-4723) Configure Security Features in Zeppelin to be enabled by default

2020-04-04 Thread Krishna Pandey (Jira)
Krishna Pandey created ZEPPELIN-4723:


 Summary: Configure Security Features in Zeppelin to be enabled by 
default
 Key: ZEPPELIN-4723
 URL: https://issues.apache.org/jira/browse/ZEPPELIN-4723
 Project: Zeppelin
  Issue Type: Improvement
  Components: zeppelin-web
Affects Versions: 0.8.2
Reporter: Krishna Pandey
Assignee: Krishna Pandey
 Fix For: 0.9.0


Zeppelin, being a notebook, has gained popularity among Data Scientists who are 
not necessarily also information security savvy. They usually deploy Zeppelin 
with default configuration options, which don't enable the common web 
application security headers by default, e.g. zeppelin.server.xframe.options, 
zeppelin.server.strict.transport, zeppelin.server.xxss.protection, 
zeppelin.server.xcontent.type.options, zeppelin.server.xcontent.type.options, 
documented at 
https://zeppelin.apache.org/docs/0.8.2/setup/security/http_security_headers.html. 
This leaves the Zeppelin installation vulnerable.

In recent times, Zeppelin installations are taking flak over these missing 
security headers from Internal Security teams and External Auditors who are not 
aware of these features being already available. Also, as the software community 
is moving towards privacy-by-design and compliance-as-code, an expectation of 
secure by design doesn't look out of place. This Jira's intention is to enable 
all of the above HTTP response headers by default.


