[ https://issues.apache.org/jira/browse/IMPALA-13335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17877411#comment-17877411 ]

ASF subversion and git services commented on IMPALA-13335:
----------------------------------------------------------

Commit 3bdf1d264809cc903aa25d461f48cd7885c08604 in impala's branch refs/heads/master from Andrew Sherman
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=3bdf1d264 ]

IMPALA-13310 Add the value of the http 'X-Forwarded-For' header to the runtime profile

When using hs2-http protocol, http messages from Impala clients may pass
through one or more proxies before reaching the Impala coordinator.
This can make it harder to track the origin of the http messages. The
'X-Forwarded-For' header is added to or edited by HTTP proxies when
forwarding a request, so it may contain multiple source addresses. Add
the value of this header to the runtime profile so that it can be
observed.

Impala will truncate the 'X-Forwarded-For' header value at 8096
characters. Apart from this, Impala does not do any verification or
sanitization of this value, so its value should only be trusted if the
deployment environment protects against spoofing.

A good reference for understanding the use of 'X-Forwarded-For' is
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For

This patch does not address the cases where http proxies insert
multiple 'X-Forwarded-For' headers. This issue is tracked in
IMPALA-13335.

TESTING: add an option '--hs2_x_forward' to impala-shell which will
set the 'X-Forwarded-For' header. Add tests which verify that the value
is set in the profile, and that a long value is truncated correctly.

Change-Id: I2e010cfb09674c5d043ef915347c3836696e03cf
Reviewed-on: http://gerrit.cloudera.org:8080/21700
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>


> deal with multiple http ‘X-Forwarded-For’ headers
> -------------------------------------------------
>
>                 Key: IMPALA-13335
>                 URL: https://issues.apache.org/jira/browse/IMPALA-13335
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Backend
>    Affects Versions: Impala 4.4.0
>            Reporter: Andrew Sherman
>            Priority: Critical
>
> When using the hs2-http protocol, Impala clients communicate with Impala by 
> sending and receiving http messages. In a modern deployment environment like 
> Kubernetes these http messages may travel through a series of http proxies. 
> These proxies may record information about the path through the system in one 
> or more ‘X-Forwarded-For’ http headers. At present Impala uses this header in 
> various ways, (1) to skip Authentication for connection from a trusted 
> domain, and (2) to record information about the origin of a query in the 
> runtime profile. The logic for skipping authentication checks is also used in 
> Impala’s webserver.
> By inspection there are problems with possible uses of ‘X-Forwarded-For’ as 
> described in 
> [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For]. 
> First of all, if there are multiple copies of the ‘X-Forwarded-For’ header 
> then Impala will only use the last of the headers that it sees, which is 
> incorrect, for if there are multiple headers the first one takes priority.
> Secondly, sometimes multiple proxies chain addresses in the 
> ‘X-Forwarded-For’ header as the message travels through different proxies. 
> This will affect code like that which skips authentication checks, as (by 
> inspection) that code expects a single value.
> When dealing with these possibly theoretical problems an effort must be made 
> to be practical; for example, none of the http proxies that we know about 
> actually insert multiple headers.
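An added example, not code from Impala or from this patch, of the header handling that both the commit message and the issue description touch on: repeated 'X-Forwarded-For' lines are joined in arrival order rather than picking the first or the last, the combined value is truncated at the 8096 characters the commit message states (assumed here to be a character count), chained addresses are split into hops, and the client is resolved by discarding trusted proxies from the right instead of believing the leftmost value. The trusted-proxy CIDRs and header samples are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Truncation limit taken from the commit message; treating it as a character
# count of the combined value is an assumption made for this example.
MAX_XFF_LEN = 8096


def combine_xff(headers):
    """Join repeated X-Forwarded-For header lines in arrival order.

    `headers` is a list of (name, value) pairs as the server received them.
    Repeated header lines are equivalent to one comma-joined field, so using
    only the first or only the last line loses hops. The combined value is
    truncated to MAX_XFF_LEN characters, as the patch does.
    """
    values = [v.strip() for n, v in headers if n.lower() == "x-forwarded-for"]
    return ", ".join(v for v in values if v)[:MAX_XFF_LEN]


def parse_xff(combined):
    """Split a combined value into hops; the leftmost hop is the claimed client.

    Entries that are not IP literals (obfuscated identifiers such as
    "unknown", or an address cut in half by truncation) become None rather
    than being silently dropped, so callers can see that the chain is damaged.
    """
    hops = []
    for item in combined.split(","):
        item = item.strip().strip("[]")  # tolerate bracketed IPv6 literals
        if not item:
            continue
        try:
            hops.append(ip_address(item))
        except ValueError:
            hops.append(None)
    return hops


def client_address(combined, trusted_proxy_cidrs):
    """Resolve the real client by walking the chain from right to left.

    Only hops appended by proxies we operate are believed: the first hop from
    the right that is not inside a trusted CIDR is the client, and everything
    to its left was supplied by an untrusted party. Returns None when the
    chain is empty, entirely trusted, or its rightmost entry is unparseable
    (e.g. after truncation); callers must not fall back to the leftmost
    value when deciding whether to skip authentication.
    """
    nets = [ip_network(c) for c in trusted_proxy_cidrs]
    for hop in reversed(parse_xff(combined)):
        if hop is None:
            return None
        if not any(hop in net for net in nets):
            return hop
    return None
```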



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
