[jira] [Commented] (DRILL-7648) Scrypt j_security_check works without security headers

2020-03-24 Thread Dmytro Kondriukov (Jira)


[ 
https://issues.apache.org/jira/browse/DRILL-7648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17066026#comment-17066026
 ] 

Dmytro Kondriukov commented on DRILL-7648:
--

Tested on apache-drill-1.18.0-SNAPSHOT, commit 3b3c4af39fdc26f255cc17d66c55eb7565552a7d: fixed, security headers are added.

> Scrypt j_security_check works without security headers 
> ---
>
> Key: DRILL-7648
> URL: https://issues.apache.org/jira/browse/DRILL-7648
> Project: Apache Drill
>  Issue Type: Bug
>Affects Versions: 1.17.0
>Reporter: Dmytro Kondriukov
>Assignee: Igor Guzenko
>Priority: Major
>  Labels: ready-to-commit
> Fix For: 1.18.0
>
>
> *Preconditions:*
> drill-override.conf
> {noformat}
> drill.exec: {
>   cluster-id: "drillbits1",
>   zk.connect: "localhost:5181",
>   impersonation: {
>     enabled: true,
>     max_chained_user_hops: 3
>   },
>   security: {
>     auth.mechanisms: ["PLAIN"]
>   },
>   security.user.auth: {
>     enabled: true,
>     packages += "org.apache.drill.exec.rpc.user.security",
>     impl: "pam4j",
>     pam_profiles: [ "sudo", "login" ]
>   },
>   http: {
>     ssl_enabled: true,
>     jetty.server.response.headers: {
>       "X-XSS-Protection": "1; mode=block",
>       "X-Content-Type-Options": "nosniff",
>       "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
>       "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"
>     }
>   }
> }
> {noformat}
> *Steps:*
> 1. Perform login to drillbit webUI
> 2. Check in browser console in tab "network" headers of resource 
> https://node1.cluster.com:8047/j_security_check
> 3. Check section "response headers"
> *Expected result:* security headers are present
> *Actual result:* security headers are absent
> 4. Check section "Form Data"
> *Expected result:* parameter "j_password" content is hidden
> *Actual result:* parameter "j_password" content is visible



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
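The check in steps 1 to 4 of the issue, done outside the browser so it can be repeated after every build: this is an added Python example written for this thread, not code from the Apache Drill project or the PR. It takes the expected values from the jetty.server.response.headers block in the issue, embeds two constructed header sets that mirror the "before" and "after" states, and assumes a direct POST of Jetty's standard j_username/j_password form fields to /j_security_check is accepted; the host, port and credentials in the fetch helper are placeholders.

```python
"""Audit the security response headers DRILL-7648 expects on POST /j_security_check.

Added example for this thread, not Apache Drill code.  The two RESPONSE_* dicts
are constructed samples; only fetch_login_response_headers() talks to a real
drillbit and it is not exercised offline.
"""
import http.client
import ssl
from typing import Dict, List, Optional
from urllib.parse import urlencode

# Values copied from the jetty.server.response.headers block in the issue.
EXPECTED_HEADERS: Dict[str, str] = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
    "Content-Security-Policy": (
        "default-src https:; script-src 'unsafe-inline' https:; "
        "style-src 'unsafe-inline' https:; font-src data: https:; "
        "img-src data: https:"
    ),
}

# Constructed sample: the 302 from j_security_check before the fix, no security headers.
RESPONSE_BEFORE_FIX: Dict[str, str] = {
    "Date": "Tue, 24 Mar 2020 10:00:00 GMT",
    "Location": "https://node1.cluster.com:8047/",
    "Set-Cookie": "JSESSIONID=node0example; Path=/; Secure; HttpOnly",
    "Content-Length": "0",
}

# Constructed sample: the same response after the fix, configured headers present.
RESPONSE_AFTER_FIX: Dict[str, str] = {**RESPONSE_BEFORE_FIX, **EXPECTED_HEADERS}


def _directives(value: str) -> Dict[str, str]:
    """Split a 'k=v; flag' style header value into a lower-cased directive map."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip()
    return out


def hsts_max_age(value: Optional[str]) -> int:
    """max-age from a Strict-Transport-Security value, or -1 if absent or unparseable."""
    if value is None:
        return -1
    raw = _directives(value).get("max-age")
    try:
        return int(raw) if raw is not None else -1
    except ValueError:
        return -1


def audit_headers(headers: Dict[str, str],
                  expected: Dict[str, str] = EXPECTED_HEADERS,
                  min_hsts_age: int = 31536000) -> List[str]:
    """Return findings (missing, mismatched or weak headers) for one response.

    Names are matched case-insensitively, since http.client returns them as sent;
    values are compared as directive maps so whitespace around ';' is ignored.
    """
    got = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name, want in expected.items():
        actual = got.get(name.lower())
        if actual is None:
            findings.append(f"missing: {name}")
        elif _directives(actual) != _directives(want):
            findings.append(f"mismatch: {name}: got {actual!r}")
    age = hsts_max_age(got.get("strict-transport-security"))
    if 0 <= age < min_hsts_age:
        findings.append(f"weak: Strict-Transport-Security max-age={age} < {min_hsts_age}")
    return findings


def fetch_login_response_headers(host: str, port: int, username: str, password: str,
                                 verify_tls: bool = True) -> Dict[str, str]:
    """POST Jetty's FORM-auth fields to /j_security_check and return that one
    response's headers (normally a 302), which is what the issue inspects.
    Placeholder host/port/credentials; not run offline."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab drillbits with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    body = urlencode({"j_username": username, "j_password": password})
    conn.request("POST", "/j_security_check", body=body,
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    headers = {k: v for k, v in resp.getheaders()}
    conn.close()
    return headers


if __name__ == "__main__":
    print("before fix:", audit_headers(RESPONSE_BEFORE_FIX))
    print("after fix: ", audit_headers(RESPONSE_AFTER_FIX))
    # Against a real drillbit (placeholders):
    # print(audit_headers(fetch_login_response_headers("node1.cluster.com", 8047, "user", "secret")))
```

Only the login POST itself is audited; the filter already covers the rest of the Web UI, so the response to /j_security_check is the one that needs a separate check after the fix.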


[jira] [Commented] (DRILL-7648) Scrypt j_security_check works without security headers

2020-03-24 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/DRILL-7648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17065453#comment-17065453
 ] 

ASF GitHub Bot commented on DRILL-7648:
---

arina-ielchiieva commented on pull request #2037: DRILL-7648: Scrypt 
j_security_check works without security headers
URL: https://github.com/apache/drill/pull/2037
 
 
   
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org




[jira] [Commented] (DRILL-7648) Scrypt j_security_check works without security headers

2020-03-23 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/DRILL-7648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17064895#comment-17064895
 ] 

ASF GitHub Bot commented on DRILL-7648:
---

ihuzenko commented on issue #2037: DRILL-7648: Scrypt j_security_check works 
without security headers
URL: https://github.com/apache/drill/pull/2037#issuecomment-602691335
 
 
   Thanks @vvysotskyi  for suggestions, looks much cleaner now. Please take a 
look. 
 



[jira] [Commented] (DRILL-7648) Scrypt j_security_check works without security headers

2020-03-23 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/DRILL-7648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17064840#comment-17064840
 ] 

ASF GitHub Bot commented on DRILL-7648:
---

vvysotskyi commented on pull request #2037: DRILL-7648: Scrypt j_security_check 
works without security headers
URL: https://github.com/apache/drill/pull/2037#discussion_r396491824
 
 

 ##
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/WebServer.java
 ##
 @@ -219,9 +220,11 @@ private ServletContextHandler 
createServletContextHandler(final boolean authEnab
   servletContextHandler.addServlet(dynamicHolder, "/dynamic/*");
 }
 
+final Map responseHeaders = 
ResponseHeadersSettingFilter.retrieveResponseHeaders(config);
 if (authEnabled) {
   //DrillSecurityHandler is used to support SPNEGO and FORM authentication 
together
-  servletContextHandler.setSecurityHandler(new 
DrillHttpSecurityHandlerProvider(config, workManager.getContext()));
+  servletContextHandler.setSecurityHandler(new 
DrillHttpSecurityHandlerProvider(config, workManager.getContext(),
+  (req, resp) -> responseHeaders.forEach(resp::setHeader)));
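Review bot: `responseHeaders` is now read from `config` here and pushed into the security handler through `(req, resp) -> responseHeaders.forEach(resp::setHeader)`, while `ResponseHeadersSettingFilter` already reads the same config for the filter chain, so two code paths must be kept in step for the headers to stay consistent; since `req` is unused, a `Consumer<HttpServletResponse>` or simply the map would be the smaller interface. It is also worth confirming that `retrieveResponseHeaders` tolerates a missing `jetty.server.response.headers` block, because this line now runs on every start rather than only when the filter is registered.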
 
 Review comment:
   Looks like the response is used here only. Is it possible to use and pass 
`Consumer` instead of `BiConsumer`?
 



[jira] [Commented] (DRILL-7648) Scrypt j_security_check works without security headers

2020-03-23 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/DRILL-7648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17064839#comment-17064839
 ] 

ASF GitHub Bot commented on DRILL-7648:
---

vvysotskyi commented on pull request #2037: DRILL-7648: Scrypt j_security_check 
works without security headers
URL: https://github.com/apache/drill/pull/2037#discussion_r396494612
 
 

 ##
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/DrillHttpSecurityHandlerProvider.java
 ##
 @@ -54,11 +55,14 @@
   private final Map 
securityHandlers =
   CaseInsensitiveMap.newHashMapWithExpectedSize(2);
 
+  private final BiConsumer 
preHandleCallback;
+
   @SuppressWarnings("unchecked")
-  public DrillHttpSecurityHandlerProvider(DrillConfig config, DrillbitContext 
drillContext)
+  public DrillHttpSecurityHandlerProvider(DrillConfig config, DrillbitContext 
drillContext,
+  BiConsumer preHandleCallback)
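Review bot: the new `preHandleCallback` constructor argument is stored without a null check and the hunk carries no Javadoc saying when it fires; either reject null in the constructor or default to a no-op, so another caller of this public constructor cannot turn the login path into an NPE. Given that the only call site shown ignores the request, a `Consumer<HttpServletResponse>` would document the intent better than `BiConsumer`.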
 
 Review comment:
   Passing `BiConsumer` looks slightly complicated. Is it possible either to 
pass map with response headers or obtain headers from `DrillConfig` again and 
use it where needed? 
 



[jira] [Commented] (DRILL-7648) Scrypt j_security_check works without security headers

2020-03-23 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/DRILL-7648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17064679#comment-17064679
 ] 

ASF GitHub Bot commented on DRILL-7648:
---

ihuzenko commented on pull request #2037: DRILL-7648: Scrypt j_security_check 
works without security headers
URL: https://github.com/apache/drill/pull/2037
 
 
   # [DRILL-7648](https://issues.apache.org/jira/browse/DRILL-7648): Scrypt 
j_security_check works without security headers
   
   ## Description
   
   1. Added callback for setting headers in DrillHttpSecurityHandlerProvider,
  since ResponseHeadersSettingFilter doesn't cover this flow.
   
   ## Documentation
   
   No need to document the bugfix.
   
   ## Testing
   
   Tested manually since the security configuration for using form-based 
authentication is hard to do in unit tests.
   
 
