[
https://issues.apache.org/jira/browse/IMPALA-12505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17786517#comment-17786517
]
ASF subversion and git services commented on IMPALA-12505:
----------------------------------------------------------
Commit 19d2425bb0f4593e3d10a072d67e6cacc037f436 in impala's branch
refs/heads/master from Gergely Farkas
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=19d2425bb ]
IMPALA-12505: Add flag for trusted domain check to use 'origin'
if xff header is not set
This change defines a new impala flag called
'trusted_domain_empty_xff_header_use_origin', which modifies
the trusted domain check to work as follows if the trusted_domain
and trusted_domain_use_xff_header flags are set:
If there is an X-Forwarded-For header in the request, the trusted
domain check runs to the value derived from it, if there is no such
header, then the check runs to the origin (the address sending the
request).
Note: If there is an X-Forwarded-For header in the request or
the trusted_domain_use_xff_header flag or trusted_domain flag is
not set, then the behavior is not changed.
Tested with new custom cluster tests.
Change-Id: I58e5d1119527139eafaa411b55517b10bf394bb2
Reviewed-on: http://gerrit.cloudera.org:8080/20591
Reviewed-by: Csaba Ringhofer <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
Reviewed-by: Michael Smith <[email protected]>
> Define a new impala flag that runs the trusted domain check on the origin if
> the trusted_domain_use_xff_header flag is enabled and no XFF header is
> received
> ------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: IMPALA-12505
> URL: https://issues.apache.org/jira/browse/IMPALA-12505
> Project: IMPALA
> Issue Type: Improvement
> Components: Backend
> Reporter: Gergely Farkas
> Assignee: Gergely Farkas
> Priority: Major
> Fix For: Impala 4.4.0
>
>
> For an Impala running in a K8s cluster, there may be a use-case where we want
> to allow hue installed alongside Impala to have trusted domain access from
> inside the cluster, but we do not want to allow http thrift requests from
> outside the cluster to reach Impala without authentication. Requests from
> outside the cluster reach the impala daemon through a proxy server or ingress
> controller, so these http requests always have an _X-Forwarded-For_ header.
> On the other hand, requests from hue never have an _X-Forwarded-For_ header.
> This is a problematic situation, because if the trusted domain is set to the
> cluster local address and the _trusted_domain_use_xff_header_ flag is not
> enabled, then the trusted domain check will run to the origin of the request,
> so hue will work without authentication, because it will be in the trusted
> domain for sure, but requests from outside the cluster will also enter
> without authentication, because the proxy/ingress controller is an in-cluster
> component, so trusted domain check will return true for the origin in this
> case, too. However, if the _trusted_domain_use_xff_header_ flag is enabled
> then requests from outside the cluster need authentication, because they
> aren't originated from a cluster local address, and requests from hue also
> need authentication, since the trusted domain check will not be true without
> an X-Forwarded-For header.
> This problem can easily be solved by following the Hiveserver behavior: If
> there is an X-Forwarded-For header in the request, the trusted domain check
> runs to the value derived from it, if there is no such header, then the check
> runs to the origin (the address sending the request). To maintain backwards
> compatibility, this behavioral change should be behind a new impala flag.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
