Andrew Sherman created IMPALA-13335:
---------------------------------------
Summary: deal with multiple http ‘X-Forwarded-For’ headers
Key: IMPALA-13335
URL: https://issues.apache.org/jira/browse/IMPALA-13335
Project: IMPALA
Issue Type: Bug
Components: Backend
Affects Versions: Impala 4.4.0
Reporter: Andrew Sherman

When using the hs2-http protocol, Impala clients communicate with Impala by
sending and receiving http messages. In a modern deployment environment like
Kubernetes these http messages may travel through a series of http proxies.
These proxies may record information about the path through the system in one
or more ‘X-Forwarded-For’ http headers. At present Impala uses this header in
various ways: (1) to skip authentication for connections from a trusted domain,
and (2) to record information about the origin of a query in the runtime
profile. The logic for skipping authentication checks is also used in Impala’s
webserver.

By inspection there are problems with possible uses of ‘X-Forwarded-For’ as
described in
[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For].

First of all, if there are multiple copies of the ‘X-Forwarded-For’ header then
Impala will only use the last of the headers that it sees, which is incorrect,
for if there are multiple headers the first one takes priority.

Secondly, sometimes multiple proxies chain addresses in the ‘X-Forwarded-For’
header as the message travels through different proxies. This will affect code
such as the code that skips authentication checks, as (by inspection) that code
expects a single value.

When dealing with these possibly theoretical problems an effort must be made to
be practical; for example, none of the http proxies that we know about actually
insert multiple headers.
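
An added example, not Impala's code and not part of the original report: one way to handle both cases above, treating all ‘X-Forwarded-For’ headers as a single hop list in arrival order (as the MDN page linked above describes) and picking the origin by walking that list from the right past known proxies. The names `Headers`, `ForwardedChain`, `EffectiveOrigin` and the `trusted_proxies` set are hypothetical, and addresses are compared as plain strings.

```cpp
#include <algorithm>
#include <cctype>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Constructed type: headers in wire order as (name, value) pairs.
using Headers = std::vector<std::pair<std::string, std::string>>;

static std::string Trim(const std::string& s) {
  size_t b = s.find_first_not_of(" \t");
  if (b == std::string::npos) return "";
  return s.substr(b, s.find_last_not_of(" \t") - b + 1);
}

static std::string Lower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
      [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  return s;
}

// Joins every X-Forwarded-For header into one hop list, from the first
// address of the first header to the last address of the last header.
std::vector<std::string> ForwardedChain(const Headers& headers) {
  std::vector<std::string> chain;
  for (const auto& h : headers) {
    if (Lower(h.first) != "x-forwarded-for") continue;
    for (size_t start = 0; start <= h.second.size();) {
      size_t comma = std::min(h.second.find(',', start), h.second.size());
      std::string hop = Trim(h.second.substr(start, comma - start));
      if (!hop.empty()) chain.push_back(hop);
      start = comma + 1;
    }
  }
  return chain;
}

// Walks right to left from the TCP peer and returns the first address that is
// not a trusted proxy; entries further left are client-controlled.
std::string EffectiveOrigin(const Headers& headers, const std::string& peer,
    const std::set<std::string>& trusted_proxies) {
  std::vector<std::string> chain = ForwardedChain(headers);
  chain.push_back(peer);
  for (auto it = chain.rbegin(); it != chain.rend(); ++it) {
    if (trusted_proxies.count(*it) == 0) return *it;
  }
  return chain.front();  // every hop, including the peer, is trusted
}
```

A check that skips authentication for a trusted domain would then test the single address returned by `EffectiveOrigin` rather than the raw header value.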