IMPALA-7182: [DOCS] Insecure clusters with public IPs not allowed Change-Id: I9db28d42fccd9711635c6aee66f2aafc758d58d0 Reviewed-on: http://gerrit.cloudera.org:8080/10751 Reviewed-by: Alex Rodoni <[email protected]> Reviewed-by: Michael Ho <[email protected]> Tested-by: Impala Public Jenkins <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/impala/repo Commit: http://git-wip-us.apache.org/repos/asf/impala/commit/cfe25043 Tree: http://git-wip-us.apache.org/repos/asf/impala/tree/cfe25043 Diff: http://git-wip-us.apache.org/repos/asf/impala/diff/cfe25043 Branch: refs/heads/master Commit: cfe25043a8275943cc88b7aa26a4d1ef480e0b11 Parents: 6fb1cc6 Author: Alex Rodoni <[email protected]> Authored: Mon Jun 18 14:44:08 2018 -0700 Committer: Impala Public Jenkins <[email protected]> Committed: Tue Jun 19 00:06:25 2018 +0000 ---------------------------------------------------------------------- docs/topics/impala_known_issues.xml | 36 +++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/impala/blob/cfe25043/docs/topics/impala_known_issues.xml ---------------------------------------------------------------------- diff --git a/docs/topics/impala_known_issues.xml b/docs/topics/impala_known_issues.xml index 66574a4..21a99fe 100644 --- a/docs/topics/impala_known_issues.xml +++ b/docs/topics/impala_known_issues.xml @@ -301,7 +301,41 @@ under the License. </concept> -<!--<concept id="known_issues_security"><title id="ki_security">Impala Known Issues: Security</title><conbody><p> These issues relate to security features, such as Kerberos authentication, Sentry authorization, encryption, auditing, and redaction. </p></conbody></concept>--> +<concept id="known_issues_security"> + <title id="ki_security">Impala Known Issues: Security</title> + <conbody> + <p> + These issues are related to security features, such as Kerberos + authentication, Sentry authorization, encryption, auditing, and + redaction. + </p> + </conbody> + + <concept id="id_p1n_tbx_22b"> + <title>Impala does not allow the use of insecure clusters with public IPs</title> + + <conbody> + <p> + Starting in <keyword keyref="impala212_full"/>, Impala, by default, + will only allow unencrypted or unauthenticated connections from + trusted subnets: <codeph>127.0.0.0/8</codeph>, + <codeph>10.0.0.0/8</codeph>, <codeph>172.16.0.0/12</codeph>, + <codeph>192.168.0.0/16</codeph>, <codeph>169.254.0.0/16</codeph>. + Unencrypted or unauthenticated connections from publicly routable IPs + will be rejected. + </p> + + <p> + The trusted subnets can be configured using the + <codeph>--trusted_subnets</codeph> flag. Set it to + '<codeph>0.0.0.0/0</codeph>' to allow unauthenticated connections + from all remote IP addresses. However, if network access is not + otherwise restricted by a firewall, malicious users may be able to + gain unauthorized access. + </p> + </conbody> + </concept> +</concept> <concept id="known_issues_resources">
