[ https://issues.apache.org/jira/browse/IMPALA-13312?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17885385#comment-17885385 ]
ASF subversion and git services commented on IMPALA-13312:
----------------------------------------------------------
Commit 8fea75cb5ce206ad071859bb331fa4811573cf4b in impala's branch
refs/heads/master from Abhishek Rawat
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=8fea75cb5 ]
IMPALA-13312: Use client address from X-Forwarded-For Header in Ranger Audit Logs

Added backend flag 'use_xff_address_as_origin' for using the client IP
address from 'X-Forwarded-For' HTTP header as the origin of HTTP
connection. The origin IP address in the SessionState is used by the
ranger client for both authorization (RangerAccessRequestImpl) and
auditing (RangerBufferAuditHandler). Impala does not do any verification
or sanitization of this IP address, so its value should only be trusted
if the deployment environment protects against spoofing.

Also, added a new function 'GetXFFOriginClientAddress' for parsing XFF
header with comma separated IP addresses, which is the most common form
of XFF header representing client and intermediate proxies:

    X-Forwarded-For: <client>, <proxy1>, <proxy2>

'GetXFFOriginClientAddress' is now also used for getting the client IP
from XFF header in existing use cases such as trusted domain based
authentication for both HS2 HTTP server and web server.

Testing:
- Added unit tests for the new GetXFFOriginClientAddress function for
  parsing comma separated IP addresses in XFF header
- Updated existing tests for trusted domain authentication to use
  XFF with comma separated IP addresses
- Added custom cluster test which ensures that client IP address from
  XFF header is included in the ranger audit logs.

Change-Id: Ib784ad805c649e9576ef34f125509c904b7773ab
Reviewed-on: http://gerrit.cloudera.org:8080/21780
Reviewed-by: Abhishek Rawat <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
> Use client address from X-Forwarded-For Header in Ranger Audit Logs
> -------------------------------------------------------------------
>
> Key: IMPALA-13312
> URL: https://issues.apache.org/jira/browse/IMPALA-13312
> Project: IMPALA
> Issue Type: Improvement
> Reporter: Abhishek Rawat
> Assignee: Abhishek Rawat
> Priority: Critical
>
> Impala doesn't forward client IP Address in the XFF header to Ranger and
> instead forwards the intermediate proxy's IP address which connects to
> Impala. It may be useful to log the original client's IP address in the
> ranger audit logs.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
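
The commit message above describes taking the left-most element of `X-Forwarded-For: <client>, <proxy1>, <proxy2>` as the origin address and notes that Impala does not verify or sanitize it. The following is an added example, not Impala's code: `ParseXffOrigin` is a hypothetical helper that extracts that element and, as an assumption beyond what the commit does, accepts it only if it is a syntactically valid IP literal. A syntax check does not prove the address is genuine, so the deployment still has to protect against spoofing.

```cpp
#include <arpa/inet.h>
#include <netinet/in.h>
#include <cstdio>
#include <optional>
#include <string>
#include <string_view>

// Hypothetical helper (not Impala's GetXFFOriginClientAddress): returns the
// left-most element of an X-Forwarded-For value if it is a valid IPv4 or
// IPv6 literal, otherwise std::nullopt.
std::optional<std::string> ParseXffOrigin(std::string_view header_value) {
  // The origin client is everything before the first comma
  // (or the whole value when there are no intermediate proxies).
  std::string_view first = header_value.substr(0, header_value.find(','));

  // Trim optional whitespace around the element.
  const char* ws = " \t";
  size_t begin = first.find_first_not_of(ws);
  if (begin == std::string_view::npos) return std::nullopt;  // empty element
  size_t end = first.find_last_not_of(ws);
  std::string addr(first.substr(begin, end - begin + 1));

  // An embedded NUL would hide trailing bytes from inet_pton().
  if (addr.find('\0') != std::string::npos) return std::nullopt;

  // Reject anything that is not an IP literal, so hostnames, "unknown" or
  // text carrying CR/LF never reach an authorization or audit record.
  unsigned char buf[sizeof(in6_addr)];
  if (inet_pton(AF_INET, addr.c_str(), buf) == 1 ||
      inet_pton(AF_INET6, addr.c_str(), buf) == 1) {
    return addr;
  }
  return std::nullopt;
}

int main() {
  // Constructed sample header values (documentation address ranges).
  const char* samples[] = {"203.0.113.7, 10.0.0.1, 10.0.0.2",
                           "  2001:db8::1 ,10.0.0.1",
                           "unknown, 10.0.0.1",
                           "203.0.113.7\r\nX-Injected: 1, 10.0.0.1"};
  for (const char* s : samples) {
    auto origin = ParseXffOrigin(s);
    std::printf("%s\n", origin ? origin->c_str() : "(rejected)");
  }
  return 0;
}
```

When the element is rejected, a caller can fall back to the address of the directly connected peer, which is what the issue description says Impala forwarded before this change.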