[Impala-ASF-CR] IMPALA-11942: Restrict trusted domain=localhost to 127.0.0.1 by default

Thu, 16 Mar 2023 14:40:22 -0700 

Joe McDonnell has submitted this change and it was merged. ( 
http://gerrit.cloudera.org:8080/19607 )

Change subject: IMPALA-11942: Restrict trusted_domain=localhost to 127.0.0.1 by 
default
......................................................................

IMPALA-11942: Restrict trusted_domain=localhost to 127.0.0.1 by default

The trusted_domain startup parameter uses reverse DNS to determine
if a connection is coming from a trusted domain. For
trusted_domain=localhost, reverse DNS can be unreliable, because
some non-local IP ranges map to localhost. This can also cause
issues with our test cases. In some test environments (Ubuntu 20.04
on AWS), IP addresses like 127.23.0.1 resolve to localhost.

This adds a new startup option trusted_domain_strict_localhost,
which defaults to true. When true, Impala does not do a reverse
DNS request to determine if an IP address is localhost. Instead,
it compares to 127.0.0.1 directly. When false, localhost uses
the same reverse DNS logic as before.

Testing:
 - Modified the existing trusted_domain tests to test with
   trusted_domain_strict_localhost=true and false.
 - Ubuntu 20.04 tests pass on an AWS machine.

Change-Id: I5915cdd812d461366a421a739c18afecef44fb5b
Reviewed-on: http://gerrit.cloudera.org:8080/19607
Reviewed-by: Wenzhe Zhou <wz...@cloudera.com>
Tested-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
---
M be/src/rpc/authentication-util.cc
M be/src/rpc/authentication-util.h
M be/src/rpc/authentication.cc
M be/src/util/webserver.cc
M fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java
M fe/src/test/java/org/apache/impala/customcluster/LdapWebserverTest.java
6 files changed, 82 insertions(+), 18 deletions(-)

Approvals:
  Wenzhe Zhou: Looks good to me, approved
  Impala Public Jenkins: Verified

--
To view, visit http://gerrit.cloudera.org:8080/19607
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I5915cdd812d461366a421a739c18afecef44fb5b
Gerrit-Change-Number: 19607
Gerrit-PatchSet: 4
Gerrit-Owner: Joe McDonnell <joemcdonn...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <joemcdonn...@cloudera.com>
Gerrit-Reviewer: Wenzhe Zhou <wz...@cloudera.com>

Reply via email to