[jira] [Resolved] (IMPALA-12505) Define a new impala flag that runs the trusted domain check on the origin if the trusted_domain_use_xff_header flag is enabled and no XFF header is received

Wed, 15 Nov 2023 14:11:09 -0800 


     [ 
https://issues.apache.org/jira/browse/IMPALA-12505?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Michael Smith resolved IMPALA-12505.
------------------------------------
    Fix Version/s: Impala 4.4.0
       Resolution: Fixed

> Define a new impala flag that runs the trusted domain check on the origin if 
> the trusted_domain_use_xff_header flag is enabled and no XFF header is 
> received
> ------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: IMPALA-12505
>                 URL: https://issues.apache.org/jira/browse/IMPALA-12505
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Backend
>            Reporter: Gergely Farkas
>            Assignee: Gergely Farkas
>            Priority: Major
>             Fix For: Impala 4.4.0
>
>
> For an Impala running in a K8s cluster, there may be a use-case where we want 
> to allow hue installed alongside Impala to have trusted domain access from 
> inside the cluster, but we do not want to allow http thrift requests from 
> outside the cluster to reach Impala without authentication. Requests from 
> outside the cluster reach the impala daemon through a proxy server or ingress 
> controller, so these http requests always have an _X-Forwarded-For_ header. 
> On the other hand, requests from hue never have an _X-Forwarded-For_ header. 
> This is a problematic situation, because if the trusted domain is set to the 
> cluster local address and the _trusted_domain_use_xff_header_ flag is not 
> enabled, then the trusted domain check will run to the origin of the request, 
> so hue will work without authentication, because it will be in the trusted 
> domain for sure, but requests from outside the cluster will also enter 
> without authentication, because the proxy/ingress controller is an in-cluster 
> component, so trusted domain check will return true for the origin in this 
> case, too. However, if the _trusted_domain_use_xff_header_ flag is enabled 
> then requests from outside the cluster need authentication, because they 
> aren't originated from a cluster local address, and requests from hue also 
> need authentication,  since the trusted domain check will not be true without 
> an X-Forwarded-For header. 
> This problem can easily be solved by following the Hiveserver behavior: If 
> there is an X-Forwarded-For header in the request, the trusted domain check 
> runs to the value derived from it, if there is no such header, then the check 
> runs to the origin (the address sending the request). To maintain backwards 
> compatibility, this behavioral change should be behind a new impala flag.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to