[Impala-ASF-CR] IMPALA-11942: Restrict trusted domain=localhost to 127.0.0.1 by default
Joe McDonnell has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/19607 ) Change subject: IMPALA-11942: Restrict trusted_domain=localhost to 127.0.0.1 by default .. IMPALA-11942: Restrict trusted_domain=localhost to 127.0.0.1 by default The trusted_domain startup parameter uses reverse DNS to determine if a connection is coming from a trusted domain. For trusted_domain=localhost, reverse DNS can be unreliable, because some non-local IP ranges map to localhost. This can also cause issues with our test cases. In some test environments (Ubuntu 20.04 on AWS), IP addresses like 127.23.0.1 resolve to localhost. This adds a new startup option trusted_domain_strict_localhost, which defaults to true. When true, Impala does not do a reverse DNS request to determine if an IP address is localhost. Instead, it compares to 127.0.0.1 directly. When false, localhost uses the same reverse DNS logic as before. Testing: - Modified the existing trusted_domain tests to test with trusted_domain_strict_localhost=true and false. - Ubuntu 20.04 tests pass on an AWS machine. Change-Id: I5915cdd812d461366a421a739c18afecef44fb5b Reviewed-on: http://gerrit.cloudera.org:8080/19607 Reviewed-by: Wenzhe Zhou Tested-by: Impala Public Jenkins --- M be/src/rpc/authentication-util.cc M be/src/rpc/authentication-util.h M be/src/rpc/authentication.cc M be/src/util/webserver.cc M fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java M fe/src/test/java/org/apache/impala/customcluster/LdapWebserverTest.java 6 files changed, 82 insertions(+), 18 deletions(-) Approvals: Wenzhe Zhou: Looks good to me, approved Impala Public Jenkins: Verified -- To view, visit http://gerrit.cloudera.org:8080/19607 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: merged Gerrit-Change-Id: I5915cdd812d461366a421a739c18afecef44fb5b Gerrit-Change-Number: 19607 Gerrit-PatchSet: 4 Gerrit-Owner: Joe McDonnell Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Joe McDonnell Gerrit-Reviewer: Wenzhe Zhou
[Impala-ASF-CR] IMPALA-11942: Restrict trusted domain=localhost to 127.0.0.1 by default
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/19607 ) Change subject: IMPALA-11942: Restrict trusted_domain=localhost to 127.0.0.1 by default .. Patch Set 3: Verified+1 -- To view, visit http://gerrit.cloudera.org:8080/19607 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I5915cdd812d461366a421a739c18afecef44fb5b Gerrit-Change-Number: 19607 Gerrit-PatchSet: 3 Gerrit-Owner: Joe McDonnell Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Joe McDonnell Gerrit-Reviewer: Wenzhe Zhou Gerrit-Comment-Date: Thu, 16 Mar 2023 20:40:21 + Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-11942: Restrict trusted domain=localhost to 127.0.0.1 by default
Joe McDonnell has posted comments on this change. ( http://gerrit.cloudera.org:8080/19607 ) Change subject: IMPALA-11942: Restrict trusted_domain=localhost to 127.0.0.1 by default .. Patch Set 3: (1 comment) http://gerrit.cloudera.org:8080/#/c/19607/3/fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java File fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java: http://gerrit.cloudera.org:8080/#/c/19607/3/fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java@470 PS3, Line 470: testHiveserver2TrustedDomainAuthNonstrict > Do we need to disable this test in some environment? To make this test work consistently, it uses 126.23.0.1 rather than 127.23.0.1 for the nonstrict case. That works in all the test environments I have tried. It would have trouble if it used 127.23.0.1. -- To view, visit http://gerrit.cloudera.org:8080/19607 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I5915cdd812d461366a421a739c18afecef44fb5b Gerrit-Change-Number: 19607 Gerrit-PatchSet: 3 Gerrit-Owner: Joe McDonnell Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Joe McDonnell Gerrit-Reviewer: Wenzhe Zhou Gerrit-Comment-Date: Thu, 16 Mar 2023 15:53:36 + Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-11942: Restrict trusted domain=localhost to 127.0.0.1 by default
Wenzhe Zhou has posted comments on this change. ( http://gerrit.cloudera.org:8080/19607 ) Change subject: IMPALA-11942: Restrict trusted_domain=localhost to 127.0.0.1 by default .. Patch Set 3: (1 comment) http://gerrit.cloudera.org:8080/#/c/19607/3/fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java File fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java: http://gerrit.cloudera.org:8080/#/c/19607/3/fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java@470 PS3, Line 470: testHiveserver2TrustedDomainAuthNonstrict Do we need to disable this test in some environment? -- To view, visit http://gerrit.cloudera.org:8080/19607 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I5915cdd812d461366a421a739c18afecef44fb5b Gerrit-Change-Number: 19607 Gerrit-PatchSet: 3 Gerrit-Owner: Joe McDonnell Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Wenzhe Zhou Gerrit-Comment-Date: Thu, 16 Mar 2023 15:50:39 + Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-11942: Restrict trusted domain=localhost to 127.0.0.1 by default
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/19607 ) Change subject: IMPALA-11942: Restrict trusted_domain=localhost to 127.0.0.1 by default .. Patch Set 3: Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/9150/ DRY_RUN=true -- To view, visit http://gerrit.cloudera.org:8080/19607 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I5915cdd812d461366a421a739c18afecef44fb5b Gerrit-Change-Number: 19607 Gerrit-PatchSet: 3 Gerrit-Owner: Joe McDonnell Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Wenzhe Zhou Gerrit-Comment-Date: Thu, 16 Mar 2023 15:22:18 + Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-11942: Restrict trusted domain=localhost to 127.0.0.1 by default
Wenzhe Zhou has posted comments on this change. ( http://gerrit.cloudera.org:8080/19607 ) Change subject: IMPALA-11942: Restrict trusted_domain=localhost to 127.0.0.1 by default .. Patch Set 3: Code-Review+2 This makes sense to me. Thanks -- To view, visit http://gerrit.cloudera.org:8080/19607 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I5915cdd812d461366a421a739c18afecef44fb5b Gerrit-Change-Number: 19607 Gerrit-PatchSet: 3 Gerrit-Owner: Joe McDonnell Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Wenzhe Zhou Gerrit-Comment-Date: Thu, 16 Mar 2023 06:35:27 + Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-11942: Restrict trusted domain=localhost to 127.0.0.1 by default
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/19607 ) Change subject: IMPALA-11942: Restrict trusted_domain=localhost to 127.0.0.1 by default .. Patch Set 3: Build Successful https://jenkins.impala.io/job/gerrit-code-review-checks/12629/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests. -- To view, visit http://gerrit.cloudera.org:8080/19607 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I5915cdd812d461366a421a739c18afecef44fb5b Gerrit-Change-Number: 19607 Gerrit-PatchSet: 3 Gerrit-Owner: Joe McDonnell Gerrit-Reviewer: Impala Public Jenkins Gerrit-Comment-Date: Wed, 15 Mar 2023 23:42:13 + Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-11942: Restrict trusted domain=localhost to 127.0.0.1 by default
Hello Impala Public Jenkins, I'd like you to reexamine a change. Please visit http://gerrit.cloudera.org:8080/19607 to look at the new patch set (#3). Change subject: IMPALA-11942: Restrict trusted_domain=localhost to 127.0.0.1 by default .. IMPALA-11942: Restrict trusted_domain=localhost to 127.0.0.1 by default The trusted_domain startup parameter uses reverse DNS to determine if a connection is coming from a trusted domain. For trusted_domain=localhost, reverse DNS can be unreliable, because some non-local IP ranges map to localhost. This can also cause issues with our test cases. In some test environments (Ubuntu 20.04 on AWS), IP addresses like 127.23.0.1 resolve to localhost. This adds a new startup option trusted_domain_strict_localhost, which defaults to true. When true, Impala does not do a reverse DNS request to determine if an IP address is localhost. Instead, it compares to 127.0.0.1 directly. When false, localhost uses the same reverse DNS logic as before. Testing: - Modified the existing trusted_domain tests to test with trusted_domain_strict_localhost=true and false. - Ubuntu 20.04 tests pass on an AWS machine. Change-Id: I5915cdd812d461366a421a739c18afecef44fb5b --- M be/src/rpc/authentication-util.cc M be/src/rpc/authentication-util.h M be/src/rpc/authentication.cc M be/src/util/webserver.cc M fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java M fe/src/test/java/org/apache/impala/customcluster/LdapWebserverTest.java 6 files changed, 82 insertions(+), 18 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/07/19607/3 -- To view, visit http://gerrit.cloudera.org:8080/19607 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: I5915cdd812d461366a421a739c18afecef44fb5b Gerrit-Change-Number: 19607 Gerrit-PatchSet: 3 Gerrit-Owner: Joe McDonnell Gerrit-Reviewer: Impala Public Jenkins
