[ https://issues.apache.org/jira/browse/RANGER-2306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16712365#comment-16712365 ]
Ramesh Mani commented on RANGER-2306:
-------------------------------------
+1
Thanks [~vrathor-hw] for the contribution.
> Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger
> -----------------------------------------------------------------
>
> Key: RANGER-2306
> URL: https://issues.apache.org/jira/browse/RANGER-2306
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Affects Versions: 1.2.0
> Reporter: Vipin Rathor
> Priority: Major
> Attachments:
> 0001-RANGER-2306-Add-support-for-X-Forwarded-for-header-i.patch
>
>
> *Problem Description:*
> IP-based Knox policies don't work when Knox is behind a Load Balancer,
> because currently the Ranger Knox plugin doesn't accept & pass on the
> "X-Forwarded-for" header to the Ranger policy engine.
> *Impact:*
> In an environment where Knox is running behind a Load Balancer and Knox has a
> Ranger policy to allow/deny access to Hadoop services based on client IP
> addresses, this won't work as expected due to this bug.
> *Expected Behavior:*
> 1. Knox plugin should process the "X-Forwarded-for" header received from the Load
> Balancer and pass it on to the policy engine in the form of
> 'RangerAccessRequestImpl.forwardedAddresses'.
> *Steps to reproduce:*
> 1. Install & configure Knox behind a Load Balancer
> 2. Enable Ranger Knox plugin
> 3. Also set "ranger.plugin.knox.use.x-forwarded-for.ipaddress=true" and
> "ranger.plugin.knox.trusted.proxy.ipaddresses=<comma-separated-ip-of-load-balancers>"
> 4. Define a Knox policy to allow access to user from designated client IP(s)
> 5. Try to access any WebHDFS (for example) resource via Knox via Load
> Balancer for designated client host.
> *Workaround:*
> None
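
The two settings named in the issue only make IP-based policies safe if the forwarded header is honoured solely when the TCP peer is a listed load balancer. The sketch below is an added example, not Ranger or Knox code and not part of the original message. The function names, the right-to-left walk over the header, and the sample addresses are assumptions of this example.

```python
import ipaddress

USE_XFF = "ranger.plugin.knox.use.x-forwarded-for.ipaddress"
TRUSTED = "ranger.plugin.knox.trusted.proxy.ipaddresses"


def _parse_ips(csv):
    """Parse a comma-separated list into address objects; None if any entry is malformed."""
    out = []
    for part in csv.split(","):
        part = part.strip()
        if not part:
            continue
        try:
            out.append(ipaddress.ip_address(part))
        except ValueError:
            return None
    return out


def effective_client_ip(remote_addr, xff_header, props):
    """Return the address an IP-based policy should be evaluated against (hypothetical helper)."""
    peer = ipaddress.ip_address(remote_addr)
    if props.get(USE_XFF, "false").lower() != "true":
        return str(peer)
    # A malformed trusted-proxy list yields an empty set, so no peer is trusted.
    trusted = set(_parse_ips(props.get(TRUSTED, "")) or [])
    # Only a listed proxy may speak for another client; from any other peer
    # the header is client-controlled and is ignored.
    if peer not in trusted or not xff_header:
        return str(peer)
    chain = _parse_ips(xff_header)
    if not chain:  # malformed or empty header: fall back to the TCP peer
        return str(peer)
    # Walk from the hop nearest to us; the first untrusted address is the client.
    for hop in reversed(chain):
        if hop not in trusted:
            return str(hop)
    return str(chain[0])


# Constructed sample configuration and policy (documentation-range addresses).
PROPS = {USE_XFF: "true", TRUSTED: "192.0.2.10, 192.0.2.11"}
ALLOWED_CLIENTS = {"198.51.100.7"}


def is_allowed(remote_addr, xff_header, props=PROPS):
    """Toy stand-in for a policy that allows access from designated client IPs."""
    return effective_client_ip(remote_addr, xff_header, props) in ALLOWED_CLIENTS
```

With the flag set to `true` but the peer missing from the trusted list, the policy is evaluated against the peer address, so a client that reaches Knox directly cannot choose its own source IP by sending the header.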