Vipin Rathor created RANGER-2306:
------------------------------------

Summary: Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger
Key: RANGER-2306
URL: https://issues.apache.org/jira/browse/RANGER-2306
Project: Ranger
Issue Type: Bug
Components: plugins
Affects Versions: 1.2.0
Reporter: Vipin Rathor

*Problem Description:*
IP-based Knox policies don't work when Knox is behind a Load Balancer, because the Ranger Knox plugin currently doesn't accept and pass on the "X-Forwarded-for" header to the Ranger policy engine.

*Impact:*
In an environment where Knox is running behind a Load Balancer and Knox has a Ranger policy to allow/deny access to Hadoop services based on client IP addresses, this won't work as expected due to this bug.

*Expected Behavior:*
1. Knox plugin should process the "X-Forwarded-for" header received from the Load Balancer and pass it on to the policy engine in the form of 'RangerAccessRequestImpl.forwardedAdresses'.

*Steps to reproduce:*
1. Install & configure Knox behind a Load Balancer
2. Enable Ranger Knox plugin
3. Also set "ranger.plugin.knox.use.x-forwarded-for.ipaddress=true" and "ranger.plugin.knox.trusted.proxy.ipaddresses=<comma-seperated-ip-of-load-balancers>"
4. Define a Knox policy to allow access to a user from designated client IP(s)
5. Try to access any WebHDFS (for example) resource via Knox via the Load Balancer for the designated client host.

*Workaround:*
None
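
The two settings in step 3 imply a trust decision: the forwarded header should only replace the connection's remote address when that connection comes from a listed load balancer. The sketch below is an added illustration of that decision, not Ranger or Knox source; the class and method names are hypothetical, the addresses are constructed, and picking the right-most non-proxy hop is an assumption of this sketch.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added illustration; not Ranger or Knox code. All names here are hypothetical.
public class ForwardedClientResolver {
    private final boolean useForwardedFor;    // models ranger.plugin.knox.use.x-forwarded-for.ipaddress
    private final Set<String> trustedProxies; // models ranger.plugin.knox.trusted.proxy.ipaddresses

    public ForwardedClientResolver(boolean useForwardedFor, String trustedProxyCsv) {
        this.useForwardedFor = useForwardedFor;
        this.trustedProxies = new HashSet<>(splitCsv(trustedProxyCsv));
    }

    // Split a comma-separated list, trimming whitespace and dropping blanks.
    static List<String> splitCsv(String csv) {
        List<String> out = new ArrayList<>();
        if (csv != null) {
            for (String part : csv.split(",")) {
                if (!part.trim().isEmpty()) out.add(part.trim());
            }
        }
        return out;
    }

    // Returns the address an IP-based policy should be evaluated against.
    public String resolve(String remoteAddr, String xForwardedFor) {
        List<String> hops = splitCsv(xForwardedFor);
        // Honour the header only when enabled and the TCP peer is a listed proxy;
        // otherwise any caller could claim an allowed address in the header.
        if (!useForwardedFor || hops.isEmpty() || !trustedProxies.contains(remoteAddr)) {
            return remoteAddr;
        }
        // Assumption of this sketch: walk back from the nearest hop and take the
        // first address that is not itself a trusted proxy.
        for (int i = hops.size() - 1; i >= 0; i--) {
            if (!trustedProxies.contains(hops.get(i))) return hops.get(i);
        }
        return remoteAddr; // every hop was a proxy; fall back to the peer address
    }

    public static void main(String[] args) {
        String lb = "192.0.2.10"; // constructed load balancer address
        ForwardedClientResolver on = new ForwardedClientResolver(true, lb);
        // Request relayed by the load balancer: the forwarded client is used.
        System.out.println(on.resolve(lb, "198.51.100.7"));
        // Setting disabled: the policy would see the load balancer's address.
        System.out.println(new ForwardedClientResolver(false, lb).resolve(lb, "198.51.100.7"));
        // Peer is not a trusted proxy: the header is ignored.
        System.out.println(on.resolve("203.0.113.5", "198.51.100.7"));
        // Client-supplied left-most entry is not taken; the hop the proxy appended is.
        System.out.println(on.resolve(lb, "198.51.100.7, 203.0.113.9"));
    }
}
```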