Vipin Rathor created RANGER-2306:
------------------------------------
Summary: Knox Plugin doesn't pass X-Forwarded-for remote address
to Ranger
Key: RANGER-2306
URL: https://issues.apache.org/jira/browse/RANGER-2306
Project: Ranger
Issue Type: Bug
Components: plugins
Affects Versions: 1.2.0
Reporter: Vipin Rathor
*Problem Description:*
IP-based Knox policies doesn't work when Knox is behind a Load Balancer.
Because currently Ranger Knox plugin doesn't accept & pass on the
"X-Forwarded-for" header to Ranger policy engine.
*Impact:*
In an environment where Knox is running behind a Load Balancer and Knox has a
Ranger policy to allow/deny access to Hadoop services based on client IP
addresses, this won't work as expected due to this bug.
*Expected Behavior:*
1. Knox plugin should process "X-Forwarded-for" header received from Load
Balancer and pass it on to policy engine in the form of
'RangerAccessRequestImpl.forwardedAdresses'.
*Steps to reproduce:*
1. Install & configure Knox behind a Load Balancer
2. Enable Ranger Knox plugin
3. Also Set "ranger.plugin.knox.use.x-forwarded-for.ipaddress=true" and
"ranger.plugin.knox.trusted.proxy.ipaddresses=<comma-seperated-ip-of-load-balancers>"
4. Define a Knox policy to allow access to user from designated client IP(s)
5. Try to access any WebHDFS (for example) resource via Knox via Load Balancer
for designated client host.
*Workaround:*
None
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
