Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Version: 1.17.0
Description
Preconditions:
drill-override.conf:

    drill.exec: {
      cluster-id: "drillbits1",
      zk.connect: "localhost:5181"
      impersonation: {
        enabled: true,
        max_chained_user_hops: 3
      },
      security: {
        auth.mechanisms : ["PLAIN"],
      },
      security.user.auth: {
        enabled: true,
        packages += "org.apache.drill.exec.rpc.user.security",
        impl: "pam4j",
        pam_profiles: [ "sudo", "login" ]
      }
      http: {
        ssl_enabled: true,
        jetty.server.response.headers: {
          "X-XSS-Protection": "1; mode=block",
          "X-Content-Type-Options": "nosniff",
          "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
          "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"
        }
      }
    }
Steps:
1. Log in to the Drillbit Web UI.
2. In the browser developer console, open the "Network" tab and check the headers of the resource https://node1.cluster.com:8047/j_security_check
3. Check the "Response Headers" section.
   Expected result: security headers are present
   Actual result: security headers are absent
4. Check the "Form Data" section.
   Expected result: the content of parameter "j_password" is hidden
   Actual result: the content of parameter "j_password" is visible
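The same check as steps 2 and 3, done without a browser: the script below parses captured HTTP responses and reports which of the headers configured under drill.exec.http.jetty.server.response.headers are missing or differ. It is an added example, not Drill's own code or part of this report; the two raw responses are constructed to mirror the observed behaviour (headers present on the login page, absent on the POST to /j_security_check) and are not captures from a real cluster. Header names are compared case-insensitively, as HTTP requires.

```python
from typing import Dict, List

# Values taken from the drill-override.conf in this report.
CSP = ("default-src https:; script-src 'unsafe-inline' https:; "
       "style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:")

EXPECTED_SECURITY_HEADERS: Dict[str, str] = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
    "Content-Security-Policy": CSP,
}

# Constructed sample: what the login page is expected to return (all headers set).
LOGIN_PAGE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "x-content-type-options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000;includeSubDomains\r\n"
    f"Content-Security-Policy: {CSP}\r\n"
    "\r\n"
    "<html>...</html>"
).encode("latin-1")

# Constructed sample: the redirect the form-auth endpoint returns after a
# successful login, carrying none of the configured security headers.
J_SECURITY_CHECK_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://node1.cluster.com:8047/\r\n"
    "Set-Cookie: JSESSIONID=placeholder; Path=/; Secure; HttpOnly\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
).encode("latin-1")


def parse_response_headers(raw: bytes) -> Dict[str, str]:
    """Return the header block of a raw HTTP/1.1 response as a dict.

    Header names are lower-cased so lookups are case-insensitive; the status
    line and the body are discarded.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.decode("latin-1").partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def missing_security_headers(headers: Dict[str, str]) -> List[str]:
    """List the configured security headers that are absent or carry a different value."""
    lowered = {name.lower(): value for name, value in headers.items()}
    problems: List[str] = []
    for name, expected in EXPECTED_SECURITY_HEADERS.items():
        if lowered.get(name.lower()) != expected:
            problems.append(name)
    return problems


def audit(responses: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each resource path to the security headers its response is missing."""
    return {path: missing_security_headers(parse_response_headers(raw))
            for path, raw in responses.items()}


if __name__ == "__main__":
    report = audit({"/login": LOGIN_PAGE_RESPONSE,
                    "/j_security_check": J_SECURITY_CHECK_RESPONSE})
    for path, missing in report.items():
        status = "ok" if not missing else "missing: " + ", ".join(missing)
        print(f"{path}: {status}")
```

To run it against a live Drillbit, replace the constructed byte strings with the raw responses saved from the browser's Network tab or from a client that prints response headers; the redirect from /j_security_check is the response to inspect, not the page it redirects to.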