[jira] [Created] (IMPALA-12505) Define a new impala flag that runs the trusted domain check on the origin if the trusted_domain_use_xff_header flag is enabled and no XFF header is received

Wed, 18 Oct 2023 06:55:04 -0700 

Gergely Farkas created IMPALA-12505:
---------------------------------------

             Summary: Define a new impala flag that runs the trusted domain 
check on the origin if the trusted_domain_use_xff_header flag is enabled and no 
XFF header is received
                 Key: IMPALA-12505
                 URL: https://issues.apache.org/jira/browse/IMPALA-12505
             Project: IMPALA
          Issue Type: Improvement
          Components: Backend
            Reporter: Gergely Farkas
            Assignee: Gergely Farkas


For an Impala running in a K8s cluster, there may be a use-case where we want 
to allow hue installed alongside Impala to have trusted domain access from 
inside the cluster, but we do not want to allow http thrift requests from 
outside the cluster to reach Impala without authentication. Requests from 
outside the cluster reach the impala daemon through a proxy server or ingress 
controller, so these http requests always have an _X-Forwarded-For_ header. On 
the other hand, requests from hue never have an _X-Forwarded-For_ header. This 
is a problematic situation, because if the trusted domain is set to the cluster 
local address and the _trusted_domain_use_xff_header_ flag is not enabled, then 
the trusted domain check will run to the origin of the request, so hue will 
work without authentication, because it will be in the trusted domain for sure, 
but requests from outside the cluster will also enter without authentication, 
because the proxy/ingress controller is an in-cluster component, so trusted 
domain check will return true for the origin in this case, too. However, if the 
_trusted_domain_use_xff_header_ flag is enabled then requests from outside the 
cluster need authentication, because they aren't originated from a cluster 
local address, and requests from hue also need authentication,  since the 
trusted domain check will not be true without an X-Forwarded-For header. 
This problem can easily be solved by following the Hiveserver behavior: If 
there is an X-Forwarded-For header in the request, the trusted domain check 
runs to the value derived from it, if there is no such header, then the check 
runs to the origin (the address sending the request). To maintain backwards 
compatibility, this behavioral change should be behind a new impala flag.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to