[GitHub] zeppelin issue #2482: [ZEPPELIN-2765] Configurable X-FRAME-OPTIONS for Zeppe...

[krishna-pandey]

Github user krishna-pandey commented on the issue:

https://github.com/apache/zeppelin/pull/2482
  
@felixcheung Thanks for the review. Fixed the value.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zeppelin issue #2492: [ZEPPELIN-2775] Strict-Transport-Security and X-XSS-Pr...

[krishna-pandey]

Github user krishna-pandey commented on the issue:

https://github.com/apache/zeppelin/pull/2492
  
@Leemoonsoo, @felixcheung, @jongyoul, @prabhjyotsingh Please help review 
this.

Note: Chrome Browser seems to be ignoring "X-XSS-Protection" header when 
value is set to 1. Ideally, it should be set to "X-XSS-Protection:1; 
mode=block". Difference being when later value is set, the browser will prevent 
rendering of the page if an attack is detected rather than sanitizing the page 
as in previous case.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zeppelin issue #2492: [ZEPPELIN-2775] Strict-Transport-Security and X-XSS-Pr...

[krishna-pandey]

Github user krishna-pandey commented on the issue:

https://github.com/apache/zeppelin/pull/2492
  
Above commit also took care of below test case failures.


https://s3.amazonaws.com/archive.travis-ci.org/jobs/253571796/log.txt?X-Amz-Expires=30=20170717T114927Z=AWS4-HMAC-SHA256=AKIAJRYRXRSVGNKPKO5A/20170717/us-east-1/s3/aws4_request=host=c08313e7f165e576846f035b0dee0975d4fc5fb414a0fa291e759b1993dd9b7b


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zeppelin pull request #2482: [ZEPPELIN-2765] Configurable X-FRAME-OPTIONS fo...

[krishna-pandey]

GitHub user krishna-pandey opened a pull request:

https://github.com/apache/zeppelin/pull/2482

[ZEPPELIN-2765] Configurable X-FRAME-OPTIONS for Zeppelin

### What is this PR for?
The X-Frame-Options HTTP response header can be used to indicate whether or 
not a browser should be allowed to render a page in a  or . 
Sites can use this to avoid Clickjacking attacks, by ensuring that their 
content is not embedded into other sites. Set the X-Frame-Options header for 
all responses containing HTML content. The possible values are "DENY", 
"SAMEORIGIN", or "ALLOW-FROM uri"

### What type of PR is it?
[Bug Fix | Improvement ]

### What is the Jira issue?
* [ZEPPELIN-2765](https://issues.apache.org/jira/browse/ZEPPELIN-2765)

### How should this be tested?
The application (Zeppelin) loads in iframe. Put below code in a html file 
and open in browser:



You can merge this pull request into a Git repository by running:

$ git pull https://github.com/krishna-pandey/zeppelin ZEPPELIN-2765

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/zeppelin/pull/2482.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #2482


commit 518f1a4a213614d038b4fd554614afe8ec2c8c20
Author: krishna-pandey <krish.pande...@gmail.com>
Date:   2017-07-11T12:09:37Z

Configurable X-FRAME-OPTIONS for Zeppelin




---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zeppelin issue #2482: [ZEPPELIN-2765] Configurable X-FRAME-OPTIONS for Zeppe...

[krishna-pandey]

Github user krishna-pandey commented on the issue:

https://github.com/apache/zeppelin/pull/2482
  
@Leemoonsoo, @felixcheung, @jongyoul, @prabhjyotsingh Please help review 
this.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

Broken link on Apache Zeppelin website

[Krishna Pandey]

Hi All,

Whenever we raise a Pull Request for Apache Zeppelin, we are presented with
a helping Questionnaire. One such question is below which points to
Contribution guide.

### What is this PR for?
A few sentences describing the overall goals of the pull request's commits.
First time? Check out the contributing guide - https://zeppelin.apache.org/
contribution/contributions.html


When you land on the webpage following the above link and click Community
drop-down list on top menu and then click "Contributors" link, it throws a
HTTP 404 error "The requested URL /contribution/community.html was not
found on this server."

Thanks,
Krishna Pandey

[GitHub] zeppelin pull request #2492: [ZEPPELIN-2775] Strict-Transport-Security and X...

[krishna-pandey]

GitHub user krishna-pandey opened a pull request:

https://github.com/apache/zeppelin/pull/2492

[ZEPPELIN-2775] Strict-Transport-Security and X-XSS-Protection Headers

### What is this PR for?
The HTTP Strict-Transport-Security response header (often abbreviated as 
HSTS) is a security feature that lets a web site tell browsers that it should 
only be communicated with using HTTPS, instead of using HTTP.
Note: The Strict-Transport-Security header is ignored by the browser when 
your site is accessed using HTTP; this is because an attacker may intercept 
HTTP connections and inject the header or remove it. When your site is accessed 
over HTTPS with no certificate errors, the browser knows your site is HTTPS 
capable and will honor the Strict-Transport-Security header.

The HTTP X-XSS-Protection response header is a feature of Internet 
Explorer, Chrome and Safari that stops pages from loading when they detect 
reflected cross-site scripting (XSS) attacks.

### What type of PR is it?
[Bug Fix | Improvement ]

### What is the Jira issue?
* [ZEPPELIN-2775](https://issues.apache.org/jira/browse/ZEPPELIN-2775)

### How should this be tested?
Make a curl call to Zeppelin? Go to Chrome Browser and select "More Tools" 
-> "Developer Tools" from the right-side menu. Under Network Section, select 
any request and check for "Response Headers". You should see below headers 
along with existing ones.

> strict-transport-security:max-age=631138519
> x-xss-protection:1; mode=block

https://user-images.githubusercontent.com/6433184/28217231-16ce6cee-68d2-11e7-91aa-77ad083612c7.png;>


### Questions:
* Does this needs documentation?


You can merge this pull request into a Git repository by running:

$ git pull https://github.com/krishna-pandey/zeppelin ZEPPELIN-2775

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/zeppelin/pull/2492.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #2492


commit 468231cc6577b2acf8fbd592177fee9ad1b067b4
Author: krishna-pandey <krish.pande...@gmail.com>
Date:   2017-07-14T11:34:36Z

Added configurable Strict-Transport-Security and X-XSS-Protection Headers




---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zeppelin issue #2494: Broken link on Apache Zeppelin website

[krishna-pandey]

Github user krishna-pandey commented on the issue:

https://github.com/apache/zeppelin/pull/2494
  
I have also logged this issue as 
[ZEPPELIN-2783](https://issues.apache.org/jira/browse/ZEPPELIN-2783)


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zeppelin issue #2492: [ZEPPELIN-2775] Strict-Transport-Security and X-XSS-Pr...

[krishna-pandey]

Github user krishna-pandey commented on the issue:

https://github.com/apache/zeppelin/pull/2492
  
@felixcheung Made the change as suggested. 
Also provided documentation for all HTTP Security Headers support we added 
recently (tested it locally). Let me know if I am still missing anything. 
Thanks for the review. 


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zeppelin issue #2492: [ZEPPELIN-2775] Strict-Transport-Security and X-XSS-Pr...

[krishna-pandey]

Github user krishna-pandey commented on the issue:

https://github.com/apache/zeppelin/pull/2492
  
@felixcheung Updated the documentation as per review. Let me know if any 
other changes are required. Thanks.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zeppelin pull request #2293: [ZEPPELIN-2461] Masking Jetty Server version wi...

[krishna-pandey]

GitHub user krishna-pandey opened a pull request:

https://github.com/apache/zeppelin/pull/2293

[ZEPPELIN-2461] Masking Jetty Server version with User-configurable 
parameter

### What is this PR for?
Security conscious organisations does not want to reveal the Application 
Server name and version to prevent Script-kiddies from finding the information 
easily when fingerprinting the Application. The exact version number can tell 
an Attacker if the current Application Server is patched for or vulnerable to 
certain publicly known CVE associated to it.

### What type of PR is it?
[Improvement | Feature]

### What is the Jira issue?
* [ZEPPELIN-2461](https://issues.apache.org/jira/browse/ZEPPELIN-2461)

### How should this be tested?
Providing a value in zeppelin-site.xml will replace the actual Jetty server 
version found in HTTP Header with provided value. E.g. 
 - edit zeppelin-site.xml and add a property `zeppelin.server.jetty.name` 
and with value say `TOMCAT`
 - restart the server
 - open the app in browser then observe the Response Headers for the key 
"Server"  this should now reflect "TOMCAT"

### Screenshots (if appropriate)

### Questions:
* Does the licenses files need update? N/A
* Is there breaking changes for older versions? N/A
* Does this needs documentation? N/A


You can merge this pull request into a Git repository by running:

$ git pull https://github.com/krishna-pandey/zeppelin ZEPPELIN-2461

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/zeppelin/pull/2293.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #2293


commit cf65c89d7fc61af5a7d045546b0b9175acc61af6
Author: krishna-pandey <krish.pande...@gmail.com>
Date:   2017-04-27T10:44:33Z

Set App Server name to config value




---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zeppelin pull request #2293: [ZEPPELIN-2461] Masking Jetty Server version wi...

[krishna-pandey]

GitHub user krishna-pandey reopened a pull request:

https://github.com/apache/zeppelin/pull/2293

[ZEPPELIN-2461] Masking Jetty Server version with User-configurable 
parameter

### What is this PR for?
Security conscious organisations does not want to reveal the Application 
Server name and version to prevent Script-kiddies from finding the information 
easily when fingerprinting the Application. The exact version number can tell 
an Attacker if the current Application Server is patched for or vulnerable to 
certain publicly known CVE associated to it.

### What type of PR is it?
[Improvement | Feature]

### What is the Jira issue?
* [ZEPPELIN-2461](https://issues.apache.org/jira/browse/ZEPPELIN-2461)

### How should this be tested?
Providing a value in zeppelin-site.xml will replace the actual Jetty server 
version found in HTTP Header with provided value. E.g. 
 - edit zeppelin-site.xml and add a property `zeppelin.server.jetty.name` 
and with value say `TOMCAT`
 - restart the server
 - open the app in browser then observe the Response Headers for the key 
"Server"  this should now reflect "TOMCAT"

### Screenshots (if appropriate)

### Questions:
* Does the licenses files need update? N/A
* Is there breaking changes for older versions? N/A
* Does this needs documentation? N/A


You can merge this pull request into a Git repository by running:

$ git pull https://github.com/krishna-pandey/zeppelin ZEPPELIN-2461

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/zeppelin/pull/2293.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #2293


commit b071f7ad05ae36a7734bb0906b6f6e61cb688647
Author: krishna-pandey <krish.pande...@gmail.com>
Date:   2017-04-27T10:44:33Z

Set App Server name to config value




---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zeppelin issue #2293: [ZEPPELIN-2461] Masking Jetty Server version with User...

[krishna-pandey]

Github user krishna-pandey commented on the issue:

https://github.com/apache/zeppelin/pull/2293
  
@prabhjyotsingh Jenkins job is successful.
@Leemoonsoo, @felixcheung, @jongyoul Can you help review this?


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zeppelin pull request #2293: [ZEPPELIN-2461] Masking Jetty Server version wi...

[krishna-pandey]

Github user krishna-pandey closed the pull request at:

https://github.com/apache/zeppelin/pull/2293


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zeppelin issue #2589: [DOC] 0.7.3 release note

[krishna-pandey]

Github user krishna-pandey commented on the issue:

https://github.com/apache/zeppelin/pull/2589
  
LGTM except minor comment.


---

Re: [VOTE] Release Apache Zeppelin 0.7.3 (RC3)

[Krishna Pandey]

+1

Ran PySpark and Spark use-cases successfully.
Also verified PGP, SHA-512 and MD5 signatures for all binaries.

On Wed, Sep 13, 2017 at 6:52 PM, Mina Lee  wrote:

> I propose the following RC to be released for the Apache Zeppelin 0.7.3
> release.
>
> The commit id is 42c1810ef901eb8dba923385f3c305d7f7b11a70 which is
> corresponds to the tag v0.7.3-rc3:
> https://git-wip-us.apache.org/repos/asf?p=zeppelin.git;h=
> refs/tags/v0.7.3-rc3
>
> The release archives (tgz), signature, and checksums are here
> https://dist.apache.org/repos/dist/dev/zeppelin/zeppelin-0.7.3-rc3/
>
> The release candidate consists of the following source distribution archive
> zeppelin-0.7.3.tgz
>
> In addition, the following supplementary binary distributions are provided
> for user convenience at the same location
> zeppelin-0.7.3-bin-all.tgz
> zeppelin-0.7.3-bin-netinst.tgz
>
> The maven artifacts are here
> https://repository.apache.org/content/repositories/orgapachezeppelin-1046
>
> You can find the KEYS file here:
> https://dist.apache.org/repos/dist/release/zeppelin/KEYS
>
> Release notes available at
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?versi
> on=12341035=12316221
>
> Vote will be open for next 72 hours (close at 06:30 16/Sep PDT).
>
> [ ] +1 approve
> [ ] 0 no opinion
> [ ] -1 disapprove (and reason why)
>

[GitHub] zeppelin issue #2621: [Minor] Remove hardcoded key in zeppelinhub.

[krishna-pandey]

Github user krishna-pandey commented on the issue:

https://github.com/apache/zeppelin/pull/2621
  
LGTM.
It seems we are using SecureRandom which does not require seed explicitly 
to initialise and hence hardcoded key can be removed, unless we intentionally 
wanted a deterministic output.


---

[GitHub] zeppelin issue #2564: [ZEPPELIN-2896] Replacing addHeader with setHeader met...

[krishna-pandey]

Github user krishna-pandey commented on the issue:

https://github.com/apache/zeppelin/pull/2564
  
@1ambda @Leemoonsoo Can you please help review this fix? As this is related 
to [ZEPPELIN-2775] which is getting shipped in 0.7.3, we may want to merge this 
now and get this as well into RC2.


---

[GitHub] zeppelin issue #2564: [ZEPPELIN-2896] Replacing addHeader with setHeader met...

[krishna-pandey]

Github user krishna-pandey commented on the issue:

https://github.com/apache/zeppelin/pull/2564
  
@felixcheung IMHO, it happens coz we first hit the root Context Path and 
Jetty redirecting it later to the landing/welcome page i.e. index.html. These 
headers are duplicated only for such requests and not every request. 


---

[GitHub] zeppelin issue #2550: [MINOR] Updated shiro.ini.template to include secure c...

[krishna-pandey]

Github user krishna-pandey commented on the issue:

https://github.com/apache/zeppelin/pull/2550
  
LGTM!


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zeppelin issue #2550: [MINOR] Updated shiro.init.template to include secure ...

[krishna-pandey]

Github user krishna-pandey commented on the issue:

https://github.com/apache/zeppelin/pull/2550
  
@VipinRathor Can you please update the description from "Updated 
shiro.init.template ..." to "Updated shiro.ini.template ...". 


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zeppelin issue #2550: [MINOR] Updated shiro.ini.template to include secure c...

[krishna-pandey]

Github user krishna-pandey commented on the issue:

https://github.com/apache/zeppelin/pull/2550
  
@VipinRathor Also, I think it will be a good idea to mention an one-liner 
in the shiro.ini.template "Enable 'cookie.secure = true' only when Zeppelin is 
running on HTTPS" or something similar. 

If enabled when Zeppelin is running on HTTP, Browser does not set the 
cookie and hence user session won't be maintained.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zeppelin pull request #2564: [ZEPPELIN-2896] Replacing addHeader with setHea...

[krishna-pandey]

GitHub user krishna-pandey opened a pull request:

https://github.com/apache/zeppelin/pull/2564

[ZEPPELIN-2896] Replacing addHeader with setHeader method in CorsFilter.java

### What is this PR for?
HTTP Response Headers were being added multiple times. Replacing addHeader 
method with setHeader overrides the Response Header value with new/existing 
value instead of adding another duplicate response Header.

### What type of PR is it?
[Bug Fix]

### What is the Jira issue?
* https://issues.apache.org/jira/browse/ZEPPELIN-2896

### How should this be tested?
Open the Zeppelin URL in Chrome Browser. Select "More Tools" -> "Developer 
Tools" from the right-side menu. Under Network Section, select the request with 
name "localhost" and check for "Response Headers". You should see response 
headers appearing only once.

![screen shot 2017-09-04 at 3 21 32 
pm](https://user-images.githubusercontent.com/6433184/30021436-feb7a6e4-9184-11e7-9161-f9f8350b7df2.png)


You can merge this pull request into a Git repository by running:

$ git pull https://github.com/krishna-pandey/zeppelin ZEPPELIN-2896

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/zeppelin/pull/2564.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #2564


commit 89a3fdcd3994070f872ca755587a0f10f76c6917
Author: krishna-pandey <krish.pande...@gmail.com>
Date:   2017-09-04T09:39:59Z

replacing addHeader with setHeader




---

[GitHub] zeppelin issue #2564: [ZEPPELIN-2896] Replacing addHeader with setHeader met...

[krishna-pandey]

Github user krishna-pandey commented on the issue:

https://github.com/apache/zeppelin/pull/2564
  
@1ambda, @Leemoonsoo, @felixcheung, @jongyoul, @prabhjyotsingh Please help 
review this.


---

[GitHub] zeppelin issue #2492: [ZEPPELIN-2775] Strict-Transport-Security and X-XSS-Pr...

[krishna-pandey]

Github user krishna-pandey commented on the issue:

https://github.com/apache/zeppelin/pull/2492
  
@1ambda What's the value you are providing for 
"zeppelin.server.xxss.protection" property. It can take three possible values 
"0", "1" or "1; mode=block".


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zeppelin issue #2492: [ZEPPELIN-2775] Strict-Transport-Security and X-XSS-Pr...

[krishna-pandey]

Github user krishna-pandey commented on the issue:

https://github.com/apache/zeppelin/pull/2492
  
@1ambda I am able to reproduce the issue, seems like the value is getting 
repeated. It turns out that all Headers are being set multiple times. I have 
created an issue (ZEPPELIN-2896) for that.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

Re: [DISCUSS] Release 0.7.3

[Krishna Pandey]

+1

On Tue, Aug 29, 2017 at 12:28 PM, Prabhjyot Singh  wrote:

> Hi,
>
> Since 0.7.2 release, we have resolved 22 issues and that includes most of
> the critical issues in 0.7.3 umbrella issue [1].
>
> With these bugs fixes, it makes Zeppelin moves towards stability, and I'd
> like to proceed release process for 0.7.3 at this point and provide stable
> release.
>
> Remaining issue can be resolved in 0.8.0 release (or 0.7.4 if another
> maintenance release is necessary).
>
> Shell we proceed to 0.7.3?
>
> Thanks and Regards,
> Prabhjyot Singh
>
> [1] https://issues.apache.org/jira/browse/ZEPPELIN-2864
>
> --
>
> Warm Regards,
>
> Prabhjyot Singh
>

[GitHub] zeppelin pull request #2564: [ZEPPELIN-2896] Replacing addHeader with setHea...

[krishna-pandey]

GitHub user krishna-pandey reopened a pull request:

https://github.com/apache/zeppelin/pull/2564

[ZEPPELIN-2896] Replacing addHeader with setHeader method in CorsFilter.java

### What is this PR for?
HTTP Response Headers were being added multiple times. Replacing addHeader 
method with setHeader overrides the Response Header value with new/existing 
value instead of adding another duplicate response Header.

### What type of PR is it?
[Bug Fix]

### What is the Jira issue?
* https://issues.apache.org/jira/browse/ZEPPELIN-2896

### How should this be tested?
Open the Zeppelin URL in Chrome Browser. Select "More Tools" -> "Developer 
Tools" from the right-side menu. Under Network Section, select the request with 
name "localhost" and check for "Response Headers". You should see response 
headers appearing only once.

![screen shot 2017-09-04 at 3 21 32 
pm](https://user-images.githubusercontent.com/6433184/30021436-feb7a6e4-9184-11e7-9161-f9f8350b7df2.png)


You can merge this pull request into a Git repository by running:

$ git pull https://github.com/krishna-pandey/zeppelin ZEPPELIN-2896

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/zeppelin/pull/2564.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #2564






---

[GitHub] zeppelin pull request #2564: [ZEPPELIN-2896] Replacing addHeader with setHea...

[krishna-pandey]

Github user krishna-pandey closed the pull request at:

https://github.com/apache/zeppelin/pull/2564


---

[GitHub] zeppelin issue #2621: [Minor] Remove hardcoded key in zeppelinhub.

[krishna-pandey]

Github user krishna-pandey commented on the issue:

https://github.com/apache/zeppelin/pull/2621
  
We need to consider below while removing the key. Are we relying on any 
such behaviour by specifying the seed value?
"If two instances of Random are created with the same seed, and the same 
sequence of method calls is made for each, they will generate and return 
identical sequences of numbers."

Refer: http://docs.oracle.com/javase/8/docs/api/java/util/Random.html


---

Re: [ANNOUNCE] Apache Zeppelin 0.8.0 released

[Krishna Pandey]

Awesome. Lots of new feature made it's way in this release. Kudos to all
contributors.

Thanks,
Krishna Pandey

On Thu, Jun 28, 2018 at 2:10 PM Chaoran Yu  wrote:

> Thanks Jeff for preparing the release.
>
> But the Docker image for 0.8.0 is failing:
> https://hub.docker.com/r/apache/zeppelin/builds/
>
> Can someone upload the new image to apache's docker hub account?
>
> Thank you,
> Chaoran Yu
>
>
> On 2018/06/28 03:06:46, Jeff Zhang  wrote:
> > The Apache Zeppelin community is pleased to announce the availability of>
> > the 0.8.0 release.>
> >
> > Zeppelin is a collaborative data analytics and visualization tool for>
> > distributed, general-purpose data processing system such as Apache
> Spark,>
> > Apache Flink, etc.>
> >
> > This is another major release after the last minor release 0.7.3.>
> > The community put significant effort into improving Apache Zeppelin
> since>
> > the last release. 122 contributors fixed totally 602 issues. Lots of>
> > new features are introduced, such as inline configuration, ipython>
> > interpreter, yarn-cluster mode support , interpreter lifecycle manager>
> > and etc.>
> >
> > We encourage you to download the latest release>
> > fromhttp://zeppelin.apache.org/download.html>
> >
> > Release note is available>
> > athttp://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html>
> >
> > We welcome your help and feedback. For more information on the project
> and>
> > how to get involved, visit our website at http://zeppelin.apache.org/>
> >
> > Thank you all users and contributors who have helped to improve Apache>
> > Zeppelin.>
> >
> > Regards,>
> > The Apache Zeppelin community>
> >
>

[jira] [Created] (ZEPPELIN-2765) Configurable X-FRAME-OPTIONS for Zeppelin

[Krishna Pandey (JIRA)]

Krishna Pandey created ZEPPELIN-2765:


 Summary: Configurable X-FRAME-OPTIONS for Zeppelin
 Key: ZEPPELIN-2765
 URL: https://issues.apache.org/jira/browse/ZEPPELIN-2765
 Project: Zeppelin
  Issue Type: Improvement
  Components: zeppelin-server
Affects Versions: 0.7.0
Reporter: Krishna Pandey


*Information systems must not be susceptible to Cross-frame Scripting (XFS) 
attacks and clickjacking.*
Information systems must implement proper input validation and output encoding. 
With proper input validation and output encoding, information systems will not 
be susceptible to cross-frame scripting, either stored or reflected. A 
successful cross-frame scripting attack may redirect a user to a malicious 
third-party page.
*Technical Risk* : Without proper input validation and output encoding, 
information systems are susceptible to cross-frame scripting, which may result 
in unauthorized access or malicious attacks against the user.
*Corrective Action* : This issue can be fixed using the following methods1. 
Implementing the response header X-Frame- Options and set the value to 'Deny' 
or 'same origin'.2. Sending the proper browser response headers that instruct 
the browser to not allow framing from other domains . 

The application (Zeppelin) loads in iframe.
https://localhost:8443/#/; width="100%" height="600">

The X-Frame-Options HTTP response header can be used to indicate whether or not 
a browser should be allowed to render a page in a  or . Sites 
can use this to avoid Clickjacking attacks, by ensuring that their content is 
not embedded into other sites. Set the X-Frame-Options header for all responses 
containing HTML content. The possible values are "DENY", "SAMEORIGIN", or 
"ALLOW-FROM uri"

*X-Frame-Options Header Types*
There are three possible values for the X-Frame-Options header:

*DENY*, which prevents any domain from framing the content. The "DENY" setting 
is recommended unless a specific need has been identified for framing.
*SAMEORIGIN*, which only allows the current site to frame the content.
*ALLOW-FROM uri*, which permits the specified 'uri' to frame this page. (e.g., 
ALLOW-FROM http://www.example.com).



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Created] (ZEPPELIN-2783) Broken link at Apache Zeppelin website's Contributions page

[Krishna Pandey (JIRA)]

Krishna Pandey created ZEPPELIN-2783:


 Summary: Broken link at Apache Zeppelin website's Contributions 
page
 Key: ZEPPELIN-2783
 URL: https://issues.apache.org/jira/browse/ZEPPELIN-2783
 Project: Zeppelin
  Issue Type: Bug
  Components: documentation, Homepage
 Environment: Apache Zeppelin Website 
(https://zeppelin.apache.org/contribution/contributions.html)
Reporter: Krishna Pandey
Priority: Critical


Whenever we raise a Pull Request for Apache Zeppelin, we are presented with a 
helping Questionnaire. One such question is below which points to Contribution 
guide. 
{noformat}

### What is this PR for?
A few sentences describing the overall goals of the pull request's commits.
First time? Check out the contributing guide - 
https://zeppelin.apache.org/contribution/contributions.html

{noformat}

When you land on the webpage following the above link and click Community 
drop-down list on top menu and then click "Contributors" link, it throws error 
"The requested URL /contribution/community.html was not found on this server."




--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Created] (ZEPPELIN-2775) Add configurable Strict-Transport-Security and X-XSS-Protection Headers

[Krishna Pandey (JIRA)]

Krishna Pandey created ZEPPELIN-2775:


 Summary: Add configurable Strict-Transport-Security and 
X-XSS-Protection Headers
 Key: ZEPPELIN-2775
 URL: https://issues.apache.org/jira/browse/ZEPPELIN-2775
 Project: Zeppelin
  Issue Type: Bug
  Components: zeppelin-server
Affects Versions: 0.7.2
Reporter: Krishna Pandey


The *HTTP Strict-Transport-Security* response header (often abbreviated as 
HSTS) is a security feature that lets a web site tell browsers that it should 
only be communicated with using HTTPS, instead of using HTTP.

*Note:* The Strict-Transport-Security header is ignored by the browser when 
your site is accessed using HTTP; this is because an attacker may intercept 
HTTP connections and inject the header or remove it. When your site is accessed 
over HTTPS with no certificate errors, the browser knows your site is HTTPS 
capable and will honor the Strict-Transport-Security header.

*An example scenario*
You log into a free WiFi access point at an airport and start surfing the web, 
visiting your online banking service to check your balance and pay a couple of 
bills. Unfortunately, the access point you're using is actually a hacker's 
laptop, and they're intercepting your original HTTP request and redirecting you 
to a clone of your bank's site instead of the real thing. Now your private data 
is exposed to the hacker.
Strict Transport Security resolves this problem; as long as you've accessed 
your bank's web site once using HTTPS, and the bank's web site uses Strict 
Transport Security, your browser will know to automatically use only HTTPS, 
which prevents hackers from performing this sort of man-in-the-middle attack.
*Syntax*
Strict-Transport-Security: max-age=
Strict-Transport-Security: max-age=; includeSubDomains
Strict-Transport-Security: max-age=; preload

Read more at 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

The HTTP *X-XSS-Protection* response header is a feature of Internet Explorer, 
Chrome and Safari that stops pages from loading when they detect reflected 
cross-site scripting (XSS) attacks.

*Syntax*
X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=

Read more at 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Created] (ZEPPELIN-2461) Masking Jetty Server version with User-configurable parameter

[Krishna Pandey (JIRA)]

Krishna Pandey created ZEPPELIN-2461:


 Summary: Masking Jetty Server version with User-configurable 
parameter
 Key: ZEPPELIN-2461
 URL: https://issues.apache.org/jira/browse/ZEPPELIN-2461
 Project: Zeppelin
  Issue Type: Bug
  Components: Core
Affects Versions: 0.7.0
 Environment: All
Reporter: Krishna Pandey
Priority: Minor


Security conscious organisations does not want to reveal the Application Server 
name and version to prevent Script-kiddies from finding the information easily 
when fingerprinting the Application. The exact version number can tell an 
Attacker if the current Application Server is patched for or vulnerable to 
certain publicly known CVE associated to it.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

[jira] [Created] (ZEPPELIN-2896) HTTP Response headers are being set multiple times

[Krishna Pandey (JIRA)]

Krishna Pandey created ZEPPELIN-2896:


 Summary: HTTP Response headers are being set multiple times
 Key: ZEPPELIN-2896
 URL: https://issues.apache.org/jira/browse/ZEPPELIN-2896
 Project: Zeppelin
  Issue Type: Bug
  Components: zeppelin-server
Affects Versions: 0.7.2
Reporter: Krishna Pandey
Priority: Critical


HTTP Response Headers are being set multiple times. Refer screenshot attached.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Created] (ZEPPELIN-4584) Default error page for Zeppelin masking Jetty Server version

[Krishna Pandey (Jira)]

Krishna Pandey created ZEPPELIN-4584:


 Summary: Default error page for Zeppelin masking Jetty Server 
version
 Key: ZEPPELIN-4584
 URL: https://issues.apache.org/jira/browse/ZEPPELIN-4584
 Project: Zeppelin
  Issue Type: Improvement
  Components: zeppelin-web
Affects Versions: 0.8.2
Reporter: Krishna Pandey
Assignee: Krishna Pandey
 Fix For: 0.8.3


When a non-existent notebook was accessed on the Browser, it shows the server 
name and version. As software development best practice, a generic error page 
should be displayed.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Created] (ZEPPELIN-4723) Configure Security Features in Zeppelin to be enabled by default

[Krishna Pandey (Jira)]

Krishna Pandey created ZEPPELIN-4723:


 Summary: Configure Security Features in Zeppelin to be enabled by 
default
 Key: ZEPPELIN-4723
 URL: https://issues.apache.org/jira/browse/ZEPPELIN-4723
 Project: Zeppelin
  Issue Type: Improvement
  Components: zeppelin-web
Affects Versions: 0.8.2
Reporter: Krishna Pandey
Assignee: Krishna Pandey
 Fix For: 0.9.0


Zeppelin being a notebook has gained popularity among Data Scientists who are 
not necessarily also information security savvy. They usually deploy Zeppelin 
with default configuration options which doesn't enable the common web 
application security headers by default, e.g. zeppelin.server.xframe.options, 
zeppelin.server.strict.transport, zeppelin.server.xxss.protection, 
zeppelin.server.xcontent.type.options, zeppelin.server.xcontent.type.options 
documented 
[here|[https://zeppelin.apache.org/docs/0.8.2/setup/security/http_security_headers.html]].
 This leaves the Zeppelin installation vulnerable.

In recent times, Zeppelin installations are taking flak over these missing 
security headers from Internal Security teams and External Auditors who are not 
aware of these features being already available. Also, as software community is 
moving towards privacy-by-design and compliance-as-code, expectation of secure 
by design doesn't look out of the place. This Jira's intention is to enable all 
above HTTP response headers by default.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Created] (ZEPPELIN-4724) Zeppelin Documentation link in top menubar is broken for 0.9.0-SNAPSHOT

[Krishna Pandey (Jira)]

Krishna Pandey created ZEPPELIN-4724:


 Summary: Zeppelin Documentation link in top menubar is broken for 
0.9.0-SNAPSHOT
 Key: ZEPPELIN-4724
 URL: https://issues.apache.org/jira/browse/ZEPPELIN-4724
 Project: Zeppelin
  Issue Type: Bug
  Components: documentation
Affects Versions: 0.9.0
Reporter: Krishna Pandey
 Fix For: 0.9.0


The top menu bar for 
[http://zeppelin.apache.org/docs/0.9.0-SNAPSHOT/index.html] which consists of 
documentation related to "Quick Start", "Usage", "Setup", etc. has broken 
links. 

While the links displayed as part of the web page Table of Contents are updated 
with correct URLs e.g. for "HTTP Security Headers" it is 
http://zeppelin.apache.org/docs/0.9.0-SNAPSHOT/setup/security/http_security_headers.html,
 but drop-down menu link shows 
http://zeppelin.apache.org/setup/security/http_security_headers.html 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)