[ https://issues.apache.org/jira/browse/RANGER-2306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16719371#comment-16719371 ]
Ramesh Mani commented on RANGER-2306: ------------------------------------- commit id - master: [http://git-wip-us.apache.org/repos/asf/ranger/commit/3d282ccb] commit id - ranger-1.2 [http://git-wip-us.apache.org/repos/asf/ranger/commit/9916e1ba] > Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger > ----------------------------------------------------------------- > > Key: RANGER-2306 > URL: https://issues.apache.org/jira/browse/RANGER-2306 > Project: Ranger > Issue Type: Bug > Components: plugins > Affects Versions: 1.2.0 > Reporter: Vipin Rathor > Priority: Major > Fix For: 2.0.0, 1.2.1 > > Attachments: > 0001-RANGER-2306-Add-support-for-X-Forwarded-for-header-i.patch > > > *Problem Description:* > IP-based Knox policies doesn't work when Knox is behind a Load Balancer. > Because currently Ranger Knox plugin doesn't accept & pass on the > "X-Forwarded-for" header to Ranger policy engine. > *Impact:* > In an environment where Knox is running behind a Load Balancer and Knox has a > Ranger policy to allow/deny access to Hadoop services based on client IP > addresses, this won't work as expected due to this bug. > *Expected Behavior:* > 1. Knox plugin should process "X-Forwarded-for" header received from Load > Balancer and pass it on to policy engine in the form of > 'RangerAccessRequestImpl.forwardedAdresses'. > *Steps to reproduce:* > 1. Install & configure Knox behind a Load Balancer > 2. Enable Ranger Knox plugin > 3. Also Set "ranger.plugin.knox.use.x-forwarded-for.ipaddress=true" and > "ranger.plugin.knox.trusted.proxy.ipaddresses=<comma-seperated-ip-of-load-balancers>" > 4. Define a Knox policy to allow access to user from designated client IP(s) > 5. Try to access any WebHDFS (for example) resource via Knox via Load > Balancer for designated client host. > *Workaround:* > None -- This message was sent by Atlassian JIRA (v7.6.3#76005)