[ https://issues.apache.org/jira/browse/IMPALA-12505?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Smith resolved IMPALA-12505. ------------------------------------ Fix Version/s: Impala 4.4.0 Resolution: Fixed > Define a new impala flag that runs the trusted domain check on the origin if > the trusted_domain_use_xff_header flag is enabled and no XFF header is > received > ------------------------------------------------------------------------------------------------------------------------------------------------------------ > > Key: IMPALA-12505 > URL: https://issues.apache.org/jira/browse/IMPALA-12505 > Project: IMPALA > Issue Type: Improvement > Components: Backend > Reporter: Gergely Farkas > Assignee: Gergely Farkas > Priority: Major > Fix For: Impala 4.4.0 > > > For an Impala running in a K8s cluster, there may be a use-case where we want > to allow hue installed alongside Impala to have trusted domain access from > inside the cluster, but we do not want to allow http thrift requests from > outside the cluster to reach Impala without authentication. Requests from > outside the cluster reach the impala daemon through a proxy server or ingress > controller, so these http requests always have an _X-Forwarded-For_ header. > On the other hand, requests from hue never have an _X-Forwarded-For_ header. > This is a problematic situation, because if the trusted domain is set to the > cluster local address and the _trusted_domain_use_xff_header_ flag is not > enabled, then the trusted domain check will run to the origin of the request, > so hue will work without authentication, because it will be in the trusted > domain for sure, but requests from outside the cluster will also enter > without authentication, because the proxy/ingress controller is an in-cluster > component, so trusted domain check will return true for the origin in this > case, too. However, if the _trusted_domain_use_xff_header_ flag is enabled > then requests from outside the cluster need authentication, because they > aren't originated from a cluster local address, and requests from hue also > need authentication, since the trusted domain check will not be true without > an X-Forwarded-For header. > This problem can easily be solved by following the Hiveserver behavior: If > there is an X-Forwarded-For header in the request, the trusted domain check > runs to the value derived from it, if there is no such header, then the check > runs to the origin (the address sending the request). To maintain backwards > compatibility, this behavioral change should be behind a new impala flag. -- This message was sent by Atlassian Jira (v8.20.10#820010)