[ https://issues.apache.org/jira/browse/IMPALA-13335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17925093#comment-17925093 ]
ASF subversion and git services commented on IMPALA-13335:
----------------------------------------------------------
Commit 17b16f8ab5a89db1f3f18b5f7fd7f8a200c34fd5 in impala's branch
refs/heads/master from Andrew Sherman
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=17b16f8ab ]
IMPALA-13335: ignore duplicate ‘X-Forwarded-For’ headers

When using the hs2-http protocol, Impala clients communicate with Impala
by sending and receiving http messages. In a modern deployment
environment like Kubernetes these http messages may travel through a
series of http proxies. These proxies may record information about the
path through the system in one or more ‘X-Forwarded-For’ http headers.
At present Impala uses this header in various ways, (1) to skip
Authentication for connection from a trusted domain, and (2) to record
information about the origin of a query in the runtime profile.

If there are multiple copies of the ‘X-Forwarded-For’ header then
Impala should only use the first of these headers that it sees.
For reference see details in
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For

We have to be careful to reset the 'origin_' field in THttpServer after
headers have been processed. This allows the field to be reused when a new
HTTP message is processed. As part of this a variable in
headersDone() is renamed to avoid multiple variables called 'origin'.

TESTING

Add a new test which uses a new Impyla mechanism from release 0.21a1 to
add multiple headers to its http messages.

Change-Id: Iee7b452842aa391d285bd445d6a9e6cbbedd7fbb
Reviewed-on: http://gerrit.cloudera.org:8080/22186
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>

> deal with multiple http ‘X-Forwarded-For’ headers
> -------------------------------------------------
>
> Key: IMPALA-13335
> URL: https://issues.apache.org/jira/browse/IMPALA-13335
> Project: IMPALA
> Issue Type: Bug
> Components: Backend
> Affects Versions: Impala 4.4.0
> Reporter: Andrew Sherman
> Assignee: Andrew Sherman
> Priority: Critical
>
> When using the hs2-http protocol, Impala clients communicate with Impala by
> sending and receiving http messages. In a modern deployment environment like
> Kubernetes these http messages may travel through a series of http proxies.
> These proxies may record information about the path through the system in one
> or more ‘X-Forwarded-For’ http headers. At present Impala uses this header in
> various ways, (1) to skip Authentication for connection from a trusted
> domain, and (2) to record information about the origin of a query in the
> runtime profile. The logic for skipping authentication checks is also used in
> Impala’s webserver.
> By inspection there are problems with possible uses of ‘X-Forwarded-For’ as
> described in
> [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For]
> First of all if there are multiple copies of the ‘X-Forwarded-For’ header
> then Impala will only use the last of the headers that it sees, which is
> incorrect, for if there are multiple headers the first one takes priority.
> Secondly, sometimes multiple proxies chain addresses in the
> ‘X-Forwarded-For’ header as the message travels through different proxies.
> This will affect code like that that skips authentication checks as (by
> inspection) that code expects a single value.
> When dealing with these possibly theoretical problems an effort must be made
> to be practical, for example none of the http proxies that we know about
> actually insert multiple headers.
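
The first-header-wins rule and the per-message reset of 'origin_' described in the commit message above, as an added C++ example that is not Impala's code. `HeaderReader`, `OnHeader`, `OriginFor` and `seen_forwarded_for_` are hypothetical names, and the sample addresses are constructed from documentation ranges.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <utility>
#include <vector>
using Headers = std::vector<std::pair<std::string, std::string>>;

// Hypothetical per-connection header reader; a stand-in, not Impala's THttpServer.
class HeaderReader {
 public:
  // Called once per header line. Only the first X-Forwarded-For is recorded.
  void OnHeader(const std::string& name, const std::string& value) {
    if (!IsForwardedFor(name) || seen_forwarded_for_) return;
    origin_ = value;
    seen_forwarded_for_ = true;  // explicit flag, so an empty first value still wins
  }
  // Called at the end of the headers: returns the origin and clears per-message
  // state so the next message on the same connection starts clean.
  std::string HeadersDone() {
    std::string message_origin = std::move(origin_);
    origin_.clear();
    seen_forwarded_for_ = false;
    return message_origin;
  }
 private:
  // HTTP header names are case-insensitive.
  static bool IsForwardedFor(const std::string& name) {
    static const std::string kName = "x-forwarded-for";
    return name.size() == kName.size() &&
        std::equal(name.begin(), name.end(), kName.begin(), [](char a, char b) {
          return std::tolower(static_cast<unsigned char>(a)) == b;
        });
  }
  std::string origin_;
  bool seen_forwarded_for_ = false;
};

// Feeds one message's headers to the reader and returns the origin it would use.
std::string OriginFor(HeaderReader& reader, const Headers& headers) {
  for (const auto& h : headers) reader.OnHeader(h.first, h.second);
  return reader.HeadersDone();
}

int main() {
  HeaderReader reader;  // constructed sample: two copies of the header in one message
  Headers dup = {{"X-Forwarded-For", "192.0.2.10"}, {"x-forwarded-for", "198.51.100.7"}};
  std::cout << OriginFor(reader, dup) << "\n";
}
```

Without the reset in `HeadersDone()`, a second message on the same connection that carries no 'X-Forwarded-For' header would inherit the previous message's origin.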