[ https://issues.apache.org/jira/browse/IMPALA-13335?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Sherman resolved IMPALA-13335.
-------------------------------------
    Fix Version/s: Impala 4.6.0
       Resolution: Fixed

> deal with multiple http ‘X-Forwarded-For’ headers
> -------------------------------------------------
>
>                 Key: IMPALA-13335
>                 URL: https://issues.apache.org/jira/browse/IMPALA-13335
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Backend
>    Affects Versions: Impala 4.4.0
>            Reporter: Andrew Sherman
>            Assignee: Andrew Sherman
>            Priority: Critical
>             Fix For: Impala 4.6.0
>
>
> When using the hs2-http protocol, Impala clients communicate with Impala by 
> sending and receiving http messages. In a modern deployment environment like 
> Kubernetes these http messages may travel through a series of http proxies. 
> These proxies may record information about the path through the system in one 
> or more ‘X-Forwarded-For’ http headers. At present Impala uses this header in 
> various ways: (1) to skip authentication for connections from a trusted 
> domain, and (2) to record information about the origin of a query in the 
> runtime profile. The logic for skipping authentication checks is also used in 
> Impala’s webserver.
> By inspection there are problems with possible uses of ‘X-Forwarded-For’ as 
> described in 
> [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For]. 
> First of all, if there are multiple copies of the ‘X-Forwarded-For’ header 
> then Impala will only use the last of the headers that it sees, which is 
> incorrect, for if there are multiple headers the first one takes priority.
> Secondly, sometimes multiple proxies chain addresses in the 
> ‘X-Forwarded-For’ header as the message travels through different proxies. 
> This will affect code like that which skips authentication checks, as (by 
> inspection) that code expects a single value.
> When dealing with these possibly theoretical problems, an effort must be made 
> to be practical; for example, none of the http proxies that we know about 
> actually insert multiple headers.
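As an added illustration of the two header behaviours the report describes (it is not Impala code and not the change shipped in 4.6.0), the following C++ collects every ‘X-Forwarded-For’ occurrence in wire order, splits comma-chained values into individual hops, and then shows how a profile-recording lookup and a trusted-address check would consume the resulting list rather than a single raw string. The `HeaderList` type, the sample headers, and the prefix-based `AllHopsTrusted` check are assumptions made for the example; a real deployment would match hops against configured network ranges instead of string prefixes.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <utility>
#include <vector>

// Assumed representation of received HTTP headers, in the order they arrived.
using HeaderList = std::vector<std::pair<std::string, std::string>>;

// Strip leading and trailing whitespace around a header token.
static std::string Trim(const std::string& s) {
  size_t b = 0, e = s.size();
  while (b < e && std::isspace(static_cast<unsigned char>(s[b]))) ++b;
  while (e > b && std::isspace(static_cast<unsigned char>(s[e - 1]))) --e;
  return s.substr(b, e - b);
}

// Header names are case-insensitive, so compare them that way.
static bool IEquals(const std::string& a, const std::string& b) {
  if (a.size() != b.size()) return false;
  for (size_t i = 0; i < a.size(); ++i) {
    if (std::tolower(static_cast<unsigned char>(a[i])) !=
        std::tolower(static_cast<unsigned char>(b[i]))) return false;
  }
  return true;
}

// Build the full hop chain: every X-Forwarded-For header is processed in wire
// order (the first header takes priority, not the last), and each value is
// split on commas, so hops[0] is the address the first proxy recorded.
std::vector<std::string> ForwardedForChain(const HeaderList& headers) {
  std::vector<std::string> hops;
  for (const auto& h : headers) {
    if (!IEquals(h.first, "X-Forwarded-For")) continue;
    const std::string& value = h.second;
    size_t start = 0;
    while (start <= value.size()) {
      size_t comma = value.find(',', start);
      size_t len = (comma == std::string::npos) ? std::string::npos : comma - start;
      std::string part = Trim(value.substr(start, len));
      if (!part.empty()) hops.push_back(part);
      if (comma == std::string::npos) break;
      start = comma + 1;
    }
  }
  return hops;
}

// The origin address to record in a runtime profile: the first hop, or an
// empty string when no X-Forwarded-For header was present.
std::string OriginClient(const HeaderList& headers) {
  std::vector<std::string> hops = ForwardedForChain(headers);
  return hops.empty() ? std::string() : hops.front();
}

// Trusted-address check that tolerates chained values: every hop must match
// one of the trusted prefixes (a stand-in for a real network-range check).
// A check that compared the raw header string as one address would simply
// fail to match once a proxy appended a second address.
bool AllHopsTrusted(const HeaderList& headers,
                    const std::vector<std::string>& trusted_prefixes) {
  std::vector<std::string> hops = ForwardedForChain(headers);
  if (hops.empty()) return false;
  for (const auto& hop : hops) {
    bool ok = std::any_of(trusted_prefixes.begin(), trusted_prefixes.end(),
                          [&](const std::string& p) {
                            return hop.compare(0, p.size(), p) == 0;
                          });
    if (!ok) return false;
  }
  return true;
}

// Constructed sample: two X-Forwarded-For headers, the first with a chained value.
HeaderList SampleHeaders() {
  return {{"Host", "impala.example"},
          {"X-Forwarded-For", "203.0.113.7, 10.0.0.5"},
          {"x-forwarded-for", "10.0.0.9"}};
}
```

With the constructed sample, `ForwardedForChain` yields three hops, `OriginClient` returns the leftmost address of the first header, and `AllHopsTrusted` rejects the chain because the first hop is outside the trusted prefix, whereas a chain made only of trusted hops is accepted.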



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
