[ https://issues.apache.org/jira/browse/HIVE-21892?focusedWorklogId=263368&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-263368 ]

ASF GitHub Bot logged work on HIVE-21892:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 19/Jun/19 22:22
            Start Date: 19/Jun/19 22:22
    Worklog Time Spent: 10m 
      Work Description: prasanthj commented on pull request #678: HIVE-21892: Trusted domain authentication should look at X-Forwarded-For header as well
                   URL: https://github.com/apache/hive/pull/678#discussion_r295548052
 
 

 ##########
 File path: common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
 ##########
 @@ -3486,6 +3486,13 @@ private static void 
populateLlapDaemonVarsSet(Set<String> llapDaemonVarsSetLocal
         " it is empty, which means that all the connections to HiveServer2 are 
authenticated. " +
         "When it is non-empty, the client has to provide a Hive user name. Any 
password, if " +
         "provided, will not be used when authentication is skipped."),
+    
HIVE_SERVER2_TRUSTED_DOMAIN_USE_XFF_HEADER("hive.server2.trusted.domain.use.xff.header",
 false,
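Review bot: keeping the default of `false` on the new HIVE_SERVER2_TRUSTED_DOMAIN_USE_XFF_HEADER entry is the right choice, because X-Forwarded-For is written by whoever sends the request, and a client reaching HiveServer2 without a sanitizing proxy in between could otherwise present an in-domain address and pass the trusted-domain check. The help text for the entry, which this hunk cuts off right after the default value, should state that risk and the one condition under which the flag is safe to enable, namely a proxy in front of HS2 that strips or overwrites the incoming header. Suggested wording: "Only enable this when HiveServer2 sits behind a trusted proxy that overwrites X-Forwarded-For; otherwise clients can forge the header and the trusted domain check cannot be relied on."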
 
 Review comment:
   Adding it by default will let clients spoof with XFF headers, and some proxies might not sanitize it correctly. In most cases, proxies will use the client's IP to connect to HS2 (reverse proxies), in which case we can just use request.getRemoteHost() and not rely on XFF.
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 263368)
    Time Spent: 1h  (was: 50m)

> Trusted domain authentication should look at X-Forwarded-For header as well
> ---------------------------------------------------------------------------
>
>                 Key: HIVE-21892
>                 URL: https://issues.apache.org/jira/browse/HIVE-21892
>             Project: Hive
>          Issue Type: Bug
>    Affects Versions: 4.0.0
>            Reporter: Prasanth Jayachandran
>            Assignee: Prasanth Jayachandran
>            Priority: Major
>              Labels: pull-request-available
>         Attachments: HIVE-21892.1.patch
>
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> HIVE-21783 added trusted domain authentication. However, it looks only at
> request.getRemoteAddr(), which works in most cases where there are no
> intermediate forward/reverse proxies. In trusted domain scenarios, if there are
> intermediate proxies, the proxies typically append their own IP address to the
> "X-Forwarded-For" header. The X-Forwarded-For will look like clientIp ->
> proxyIp1 -> proxyIp2. The left-most IP address in the X-Forwarded-For
> represents the real client IP address. For such scenarios, add a config to
> optionally look at the X-Forwarded-For header when available to determine the
> real client IP.
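The review comment above warns that clients can forge X-Forwarded-For, and the issue description shows the header layout (clientIp -> proxyIp1 -> proxyIp2) that a proxy chain produces. The following is an added example, not code from Hive or from this pull request, of how a server can consult the header without trusting the left-most entry blindly: it honours the header only when the TCP peer is a known proxy, then walks the entries from the right, skipping known proxy addresses, and takes the first address it does not recognise as the client. The class name, the `resolve` method, the `trustedProxies` set and all IP addresses are assumptions constructed for the example; only the config name `hive.server2.trusted.domain.use.xff.header` and `request.getRemoteAddr()` come from the page.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Hypothetical helper (example code, not part of Hive) for picking the address
 *  that a trusted-domain check should inspect. */
public final class XffClientAddressResolver {

    private XffClientAddressResolver() {}

    /**
     * @param remoteAddr     the TCP peer address, i.e. what request.getRemoteAddr() returns
     * @param xffHeader      raw X-Forwarded-For value, or null when the header is absent
     * @param useXff         value of the hive.server2.trusted.domain.use.xff.header setting
     * @param trustedProxies addresses of proxies known to append to the header (assumed
     *                       to exist as configuration; the page defines no such list)
     * @return the address to compare against the trusted domain
     */
    public static String resolve(String remoteAddr, String xffHeader, boolean useXff,
                                 Set<String> trustedProxies) {
        // Flag off (the default in the PR) or no header: trust only the TCP peer address.
        if (!useXff || xffHeader == null || xffHeader.trim().isEmpty()) {
            return remoteAddr;
        }
        // A header delivered by a peer that is not one of our proxies was not appended
        // by anything we trust, so it may be entirely client-supplied; ignore it.
        if (!trustedProxies.contains(remoteAddr)) {
            return remoteAddr;
        }
        List<String> hops = Arrays.asList(xffHeader.split(","));
        // Walk right to left: the right-most entry was appended by the proxy nearest
        // to us, the one before it by the next proxy out, and so on. The first entry
        // that is not a trusted proxy is the real client. Anything further left was
        // present before our proxies saw the request and is treated as untrusted.
        for (int i = hops.size() - 1; i >= 0; i--) {
            String hop = hops.get(i).trim();
            if (hop.isEmpty()) {
                continue;
            }
            if (!trustedProxies.contains(hop)) {
                return hop;
            }
        }
        // Every entry belonged to a trusted proxy; fall back to the peer address.
        return remoteAddr;
    }

    public static void main(String[] args) {
        // Constructed sample proxy chain: 10.0.0.5 (edge) -> 10.0.0.6 (inner) -> HS2.
        Set<String> proxies = new HashSet<>(Arrays.asList("10.0.0.5", "10.0.0.6"));

        // Constructed sample request: the real client 198.51.100.20 sent a pre-filled
        // header claiming 203.0.113.9; each proxy appended the address it saw.
        String forgedThenAppended = "203.0.113.9, 198.51.100.20, 10.0.0.5";
        System.out.println("via proxy chain : "
            + resolve("10.0.0.6", forgedThenAppended, true, proxies));

        // Constructed sample: a direct connection presenting an internal-looking header.
        System.out.println("direct, header  : "
            + resolve("198.51.100.20", "10.0.0.7", true, proxies));

        // Flag left at its default: the header is never consulted.
        System.out.println("flag off        : "
            + resolve("10.0.0.6", forgedThenAppended, false, proxies));
    }
}
```

With the constructed input in `main`, the first call skips the trusted proxy entry 10.0.0.5, returns 198.51.100.20, and never reaches the forged left-most 203.0.113.9; the second call returns the peer address 198.51.100.20 because no trusted proxy delivered the request; the third returns 10.0.0.6 because the flag is off. Walking from the right is what makes the header usable at all: the left-most entry, which the issue description treats as the client, is exactly the one an attacker controls, so a deployment that enables the flag also needs the list of proxies that are allowed to speak for clients.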



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
