Hi Tom, Please take a look at RANGER-962<https://issues.apache.org/jira/browse/RANGER-962>. This is still being worked as it has dependency on Hive. Also, although this is specific to Hive, it may be extended to Hbase as well if/when Hbase supports X-Forwarded-For header. Current design of this feature supports user supplied list of trusted proxies (through a configuration proprerty) for whom the X-Forwarded-For header will be read and used.
This is not part of Ranger 0.6 Geolocation based policies. Also, it does not address Knox Ranger Plugin. Thanks, -Abhay From: "Ellis, Tom (Financial Markets IT)" <tom.el...@lloydsbanking.com<mailto:tom.el...@lloydsbanking.com>> Reply-To: "user@ranger.incubator.apache.org<mailto:user@ranger.incubator.apache.org>" <user@ranger.incubator.apache.org<mailto:user@ranger.incubator.apache.org>> Date: Thursday, June 2, 2016 at 1:45 AM To: "user@ranger.incubator.apache.org<mailto:user@ranger.incubator.apache.org>" <user@ranger.incubator.apache.org<mailto:user@ranger.incubator.apache.org>> Subject: RE: Knox X-Forwarded-For IP Policy Hi Abhay, Can you elaborate on this? Is this part of the Ranger 0.6 Geolocation based policies or something different? Is HBase included in these downstream components? Where is the source for this? From: Abhay Kulkarni [mailto:akulka...@hortonworks.com] Sent: 01 June 2016 23:18 To: user@ranger.incubator.apache.org<mailto:user@ranger.incubator.apache.org> Subject: Re: Knox X-Forwarded-For IP Policy -- This email has reached the Bank via an external source -- Ranger authorization plugin in downstream components (such as Hive) will do exactly this. It will use the IP address in X-Forwarded-For header only if the remote-ip-address is address of one of the known and trusted nodes. Thanks, -Abhay From: Larry McCay <lmc...@hortonworks.com<mailto:lmc...@hortonworks.com>> Reply-To: "user@ranger.incubator.apache.org<mailto:user@ranger.incubator.apache.org>" <user@ranger.incubator.apache.org<mailto:user@ranger.incubator.apache.org>> Date: Wednesday, June 1, 2016 at 10:38 AM To: "user@ranger.incubator.apache.org<mailto:user@ranger.incubator.apache.org>" <user@ranger.incubator.apache.org<mailto:user@ranger.incubator.apache.org>> Subject: Re: Knox X-Forwarded-For IP Policy I think that we need to be careful to not add something even more spoofable than ip address. This may be acceptable if you were to check not only the header but also that the ip is that of a known proxy. On Jun 1, 2016, at 12:13 PM, Ramesh Mani <rm...@hortonworks.com<mailto:rm...@hortonworks.com>> wrote: Tom, Would you like to create a ranger jira and provide a patch for it? Thanks, Ramesh From: "Ellis, Tom (Financial Markets IT)" <tom.el...@lloydsbanking.com<mailto:tom.el...@lloydsbanking.com>> Reply-To: "user@ranger.incubator.apache.org<mailto:user@ranger.incubator.apache.org>" <user@ranger.incubator.apache.org<mailto:user@ranger.incubator.apache.org>> Date: Wednesday, June 1, 2016 at 4:13 AM To: "user@ranger.incubator.apache.org<mailto:user@ranger.incubator.apache.org>" <user@ranger.incubator.apache.org<mailto:user@ranger.incubator.apache.org>> Subject: Knox X-Forwarded-For IP Policy Hi, The Knox Ranger Plugin will use the request's remote address when authorizing at IP level, but this could obviously be a proxy. Is there any support for authorizing based on an X-Forwarded-For header (assuming this has been propagated down correctly)? Cheers, Tom Ellis Consultant Developer - Excelian Data Lake | Financial Markets IT LLOYDS BANK COMMERCIAL BANKING ________________________________ E: tom.el...@lloydsbanking.com<mailto:tom.el...@lloydsbanking.com> Website: www.lloydsbankcommercial.com<http://www.lloydsbankcommercial.com/> , , , Reduce printing. Lloyds Banking Group is helping to build the low carbon economy. Corporate Responsibility Report:www.lloydsbankinggroup-cr.com/downloads<http://www.lloydsbankinggroup-cr.com/downloads> Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 03457 801 801. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 2299428. Telephone: 0345 603 1637 Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority. Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority. Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc. HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC218813. This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments. Telephone calls may be monitored or recorded. Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 03457 801 801. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 2299428. Telephone: 0345 603 1637 Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority. Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority. Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc. HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC218813. This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments. Telephone calls may be monitored or recorded.
