[ https://issues.apache.org/jira/browse/IMPALA-12505?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Smith resolved IMPALA-12505.
------------------------------------
Fix Version/s: Impala 4.4.0
Resolution: Fixed
> Define a new impala flag that runs the trusted domain check on the origin if
> the trusted_domain_use_xff_header flag is enabled and no XFF header is
> received
> ------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: IMPALA-12505
> URL: https://issues.apache.org/jira/browse/IMPALA-12505
> Project: IMPALA
> Issue Type: Improvement
> Components: Backend
> Reporter: Gergely Farkas
> Assignee: Gergely Farkas
> Priority: Major
> Fix For: Impala 4.4.0
>
>
> For an Impala running in a K8s cluster, there may be a use case where we want
> to allow Hue installed alongside Impala to have trusted domain access from
> inside the cluster, but we do not want to allow HTTP Thrift requests from
> outside the cluster to reach Impala without authentication. Requests from
> outside the cluster reach the impala daemon through a proxy server or ingress
> controller, so these HTTP requests always have an _X-Forwarded-For_ header.
> On the other hand, requests from Hue never have an _X-Forwarded-For_ header.
>
> This is a problematic situation. If the trusted domain is set to the
> cluster-local address and the _trusted_domain_use_xff_header_ flag is not
> enabled, then the trusted domain check runs against the origin of the
> request, so Hue works without authentication, because it is in the trusted
> domain for sure; but requests from outside the cluster also enter without
> authentication, because the proxy/ingress controller is an in-cluster
> component, so the trusted domain check returns true for the origin in this
> case too. However, if the _trusted_domain_use_xff_header_ flag is enabled,
> then requests from outside the cluster need authentication, because they do
> not originate from a cluster-local address, and requests from Hue also need
> authentication, since the trusted domain check will not be true without an
> _X-Forwarded-For_ header.
>
> This problem can easily be solved by following the HiveServer behavior: if
> there is an _X-Forwarded-For_ header in the request, the trusted domain check
> runs against the value derived from it; if there is no such header, then the
> check runs against the origin (the address sending the request). To maintain
> backwards compatibility, this behavioral change should be behind a new Impala
> flag.
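The three behaviours the description contrasts (origin-only check, XFF-only check, and XFF check with fallback to the origin when no header is present), worked through as an added Python example. This is illustration code, not Impala's implementation: `use_xff_header` stands in for `trusted_domain_use_xff_header`, `use_origin_if_no_xff` is a hypothetical name for the new flag (the issue does not name it), the cluster-local CIDR and the sample requests are constructed, and the decision to honour the rightmost `X-Forwarded-For` entry (the one appended by the ingress) is this example's own choice, made so that a client-supplied leading entry cannot spoof cluster membership.

```python
"""Trusted-domain decision for HTTP Thrift requests behind an in-cluster ingress.

Added illustration, not Impala's code. Hypothetical flag names:
  use_xff_header        stands in for trusted_domain_use_xff_header
  use_origin_if_no_xff  hypothetical name for the new flag in this issue
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Mapping, Optional

# Constructed cluster-local range; "in the trusted domain" here means an
# address inside it. A real deployment may key the domain on DNS names instead.
CLUSTER_LOCAL = ip_network("10.42.0.0/16")


@dataclass(frozen=True)
class Flags:
    use_xff_header: bool = False        # existing flag (hypothetical name)
    use_origin_if_no_xff: bool = False  # new flag (hypothetical name)


def client_from_xff(value: str) -> Optional[str]:
    """Pick the client address out of an X-Forwarded-For chain.

    Each proxy appends the peer address it saw. Only the entry appended by our
    own ingress is trustworthy, so with a single trusted proxy in front of the
    daemon that is the rightmost entry. Using the leftmost entry would let an
    external client claim an in-cluster address simply by sending its own
    X-Forwarded-For before the ingress appends the real one. (Example's choice;
    verify what your proxy actually emits.)
    """
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return parts[-1] if parts else None


def in_trusted_domain(addr: str) -> bool:
    try:
        return ip_address(addr) in CLUSTER_LOCAL
    except ValueError:  # malformed address is never trusted
        return False


def skip_auth(origin: str, headers: Mapping[str, str], flags: Flags) -> bool:
    """True if the request may bypass authentication under these flags."""
    xff = next((v for k, v in headers.items()
                if k.lower() == "x-forwarded-for"), None)

    if not flags.use_xff_header:
        # Old behaviour: check the TCP peer. Behind an in-cluster ingress the
        # peer is the ingress pod, so everything it forwards passes.
        return in_trusted_domain(origin)

    if xff is not None and xff.strip():
        client = client_from_xff(xff)
        return client is not None and in_trusted_domain(client)

    # XFF flag on but no header: the new flag falls back to the origin
    # (HiveServer-style); without it the check simply fails.
    return flags.use_origin_if_no_xff and in_trusted_domain(origin)


# Constructed sample requests matching the scenario in the issue.
HUE_REQUEST = ("10.42.0.5", {"Host": "impala:28000"})                # in-cluster, direct
EXTERNAL_REQUEST = ("10.42.0.9",                                      # ingress pod as peer
                    {"X-Forwarded-For": "203.0.113.7"})              # real client outside
SPOOF_REQUEST = ("10.42.0.9",
                 {"X-Forwarded-For": "10.42.0.5, 203.0.113.7"})      # client-supplied first entry


def evaluate(flags: Flags) -> dict:
    """Decision for each sample request under one flag combination."""
    return {
        "hue": skip_auth(*HUE_REQUEST, flags),
        "external": skip_auth(*EXTERNAL_REQUEST, flags),
        "spoof": skip_auth(*SPOOF_REQUEST, flags),
    }


if __name__ == "__main__":
    for label, f in [("origin only", Flags()),
                     ("xff only", Flags(use_xff_header=True)),
                     ("xff + origin fallback", Flags(True, True))]:
        print(f"{label:22} {evaluate(f)}")
```

With the flags off, both Hue and the external client pass (the failure the issue describes); with only the XFF flag on, neither passes; with both flags on, Hue passes and the external client does not. The spoof case shows why the choice of XFF entry matters: if the check took the leftmost entry, the external client would be admitted in the third configuration as well.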
--
This message was sent by Atlassian Jira
(v8.20.10#820010)