Abhishek Rawat has uploaded a new patch set (#5). ( http://gerrit.cloudera.org:8080/21780 )
Change subject: IMPALA-13312: Use client address from X-Forwarded-For Header in Ranger Audit Logs ...................................................................... IMPALA-13312: Use client address from X-Forwarded-For Header in Ranger Audit Logs Added backend flag 'use_xff_address_as_origin' for using the client IP address from 'X-Forwarded-For' HTTP header as the origin of HTTP connection. The origin IP address in the SessionState is used by the ranger client for both authorization (RangerAccessRequestImpl) and auditing (RangerBufferAuditHandler). Impala does not do any verification or sanitization of this IP address, so its value should only be trusted if the deployment environment protects against spoofing. Also, added a new function 'GetXFFOriginClientAddress' for parsing XFF header with comma separated IP addresses, which is the most common form of XFF header representing client and intermediate proxies: X-Forwarded-For: <client>, <proxy1>, <proxy2> 'GetXFFOriginClientAddress' is now also used for getting the client IP from XFF header in existing use cases such as trusted domain based authentication for both HS2 HTTP server and web server. Testing: - Added unit tests for the new GetXFFOriginClientAddress function for parsing comma separated IP addresses in XFF header - Updated existing tests for trusted domain authentication to use XFF with comma separated IP addresses - Added custom cluster test which ensures that client IP address from XFF header is included in the ranger audit logs. Change-Id: Ib784ad805c649e9576ef34f125509c904b7773ab --- M be/src/rpc/authentication-test.cc M be/src/rpc/authentication-util.cc M be/src/rpc/authentication-util.h M be/src/rpc/authentication.cc M be/src/transport/THttpServer.cpp M be/src/util/webserver.cc M fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java M fe/src/test/java/org/apache/impala/customcluster/LdapWebserverTest.java M tests/authorization/test_ranger.py 9 files changed, 182 insertions(+), 12 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/80/21780/5 -- To view, visit http://gerrit.cloudera.org:8080/21780 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: Ib784ad805c649e9576ef34f125509c904b7773ab Gerrit-Change-Number: 21780 Gerrit-PatchSet: 5 Gerrit-Owner: Abhishek Rawat <[email protected]> Gerrit-Reviewer: Abhishek Rawat <[email protected]> Gerrit-Reviewer: Andrew Sherman <[email protected]> Gerrit-Reviewer: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Jason Fehr <[email protected]> Gerrit-Reviewer: Riza Suminto <[email protected]> Gerrit-Reviewer: gaurav singh <[email protected]>
