Abhishek Rawat has uploaded this change for review. ( http://gerrit.cloudera.org:8080/21780
Change subject: IMPALA-13312: Use client address from X-Forwarded-For Header in Ranger Audit Logs ...................................................................... IMPALA-13312: Use client address from X-Forwarded-For Header in Ranger Audit Logs Added backend flag 'use_xff_address_as_origin' for using the client IP address from 'X-Forwarded-For' HTTP header as the origin of HTTP connection. The origin IP address in the SessionState is used by the ranger client for both authorization (RangerAccessRequestImpl) and auditing (RangerBufferAuditHandler). Also, added a new function 'GetXFFOriginClientAddress' for parsing XFF header with comma separated IP addresses, which is the most common form of XFF header representing client and intermediate proxies: X-Forwarded-For: <client>, <proxy1>, <proxy2> 'GetXFFOriginClientAddress' is now also used for getting the client IP from XFF header in existing use cases such as trusted domain based authentication for both HS2 HTTP server and web server. Testing: - Added unit tests for the new GetXFFOriginClientAddress function for parsing comma separated IP addresses in XFF header - Updated existing tests for trusted domain authentication to use XFF with comma separated IP addresses - Added custom cluster test which ensures that client IP address from XFF header is included in the ranger audit logs. Change-Id: Ib784ad805c649e9576ef34f125509c904b7773ab --- M be/src/rpc/authentication-test.cc M be/src/rpc/authentication-util.cc M be/src/rpc/authentication-util.h M be/src/rpc/authentication.cc M be/src/transport/THttpServer.cpp M be/src/util/webserver.cc M fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java M fe/src/test/java/org/apache/impala/customcluster/LdapWebserverTest.java M tests/authorization/test_ranger.py M tests/common/custom_cluster_test_suite.py M tests/custom_cluster/test_shell_jwt_auth.py 11 files changed, 207 insertions(+), 47 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/80/21780/1 -- To view, visit http://gerrit.cloudera.org:8080/21780 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newchange Gerrit-Change-Id: Ib784ad805c649e9576ef34f125509c904b7773ab Gerrit-Change-Number: 21780 Gerrit-PatchSet: 1 Gerrit-Owner: Abhishek Rawat <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
