Joe McDonnell created IMPALA-11942:
--------------------------------------

             Summary: Consider restricting --trusted_domain=localhost to 127.0.0.1
                 Key: IMPALA-11942
                 URL: https://issues.apache.org/jira/browse/IMPALA-11942
             Project: IMPALA
          Issue Type: Bug
          Components: Backend
    Affects Versions: Impala 4.3.0
            Reporter: Joe McDonnell


The trusted domain feature introduced in IMPALA-10210 allows avoiding 
authentication when coming from a trusted domain (controlled by the 
trusted_domain startup flag).

In some of our tests, we set this to localhost, and we've noticed that on 
Ubuntu 20 in AWS, some addresses other than 127.0.0.1 resolve back to localhost 
(e.g. 127.23.0.1 resolves to localhost). This causes test failures on Ubuntu 20 
running on an AWS machine.

In general, reverse DNS can be attacked to resolve other IP addresses back to 
localhost. We should look into restricting --trusted_domain=localhost to 
127.0.0.1 so that the attacks on reverse DNS can't impact security.



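The restriction proposed above, as an added C++ example (not Impala's code and not part of the original report): a check that trusts the reverse-resolved name, next to one that decides `localhost` from the peer address alone. The function names, the injectable `ReverseLookup` hook, the suffix-match rule and the PTR table are assumptions constructed for illustration.

```cpp
#include <arpa/inet.h>
#include <netinet/in.h>
#include <functional>
#include <iostream>
#include <map>
#include <string>

// Hypothetical hook: returns the name a PTR lookup yields for a peer IP ("" if none).
using ReverseLookup = std::function<std::string(const std::string&)>;

// Constructed PTR data. 127.23.0.1 -> localhost mirrors the behaviour in the report;
// 203.0.113.7 stands for any address whose PTR record the server cannot vouch for.
std::string SampleReverseLookup(const std::string& ip) {
  static const std::map<std::string, std::string> ptr = {
      {"127.0.0.1", "localhost"}, {"127.23.0.1", "localhost"},
      {"203.0.113.7", "localhost"}, {"10.0.0.5", "node1.example.com"}};
  auto it = ptr.find(ip);
  return it == ptr.end() ? std::string() : it->second;
}

// Assumed matching rule: the resolved name equals the domain or is a subdomain of it.
bool InDomain(const std::string& host, const std::string& domain) {
  if (host == domain) return true;
  const std::string suffix = "." + domain;
  return host.size() > suffix.size() &&
         host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Before: trust follows whatever name reverse DNS returns for the peer.
bool TrustedByReverseDns(const std::string& ip, const std::string& trusted_domain,
                         const ReverseLookup& lookup) {
  return InDomain(lookup(ip), trusted_domain);
}

// After: "localhost" is decided from the socket address alone, with no DNS involved.
bool TrustedRestricted(const std::string& ip, const std::string& trusted_domain,
                       const ReverseLookup& lookup) {
  if (trusted_domain == "localhost") {
    in_addr addr{};
    return inet_pton(AF_INET, ip.c_str(), &addr) == 1 &&
           ntohl(addr.s_addr) == INADDR_LOOPBACK;
  }
  return TrustedByReverseDns(ip, trusted_domain, lookup);
}

int main() {
  for (const char* ip : {"127.0.0.1", "127.23.0.1", "203.0.113.7"})
    std::cout << ip << " before=" << TrustedByReverseDns(ip, "localhost", SampleReverseLookup)
              << " after=" << TrustedRestricted(ip, "localhost", SampleReverseLookup) << "\n";
}
```

Other trusted domains still go through the reverse lookup in this example, so the hardening covers only the `localhost` case the issue asks about.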