[Impala-ASF-CR] IMPALA-12505: Add flag for trusted domain check to use 'origin' if xff header is not set

2023-11-15 Thread Michael Smith (Code Review)
Michael Smith has submitted this change and it was merged. ( 
http://gerrit.cloudera.org:8080/20591 )

Change subject: IMPALA-12505: Add flag for trusted domain check to use 'origin' 
if xff header is not set
..

IMPALA-12505: Add flag for trusted domain check to use 'origin'
if xff header is not set

This change defines a new Impala flag called
'trusted_domain_empty_xff_header_use_origin', which modifies
the trusted domain check to work as follows if the trusted_domain
and trusted_domain_use_xff_header flags are set:
If there is an X-Forwarded-For header in the request, the trusted
domain check runs against the value derived from it; if there is no
such header, then the check runs against the origin (the address
sending the request).
Note: If there is an X-Forwarded-For header in the request or
the trusted_domain_use_xff_header flag or trusted_domain flag is
not set, then the behavior is not changed.

Tested with new custom cluster tests.

Change-Id: I58e5d1119527139eafaa411b55517b10bf394bb2
Reviewed-on: http://gerrit.cloudera.org:8080/20591
Reviewed-by: Csaba Ringhofer 
Tested-by: Impala Public Jenkins 
Reviewed-by: Michael Smith 
---
M be/src/rpc/authentication.cc
M be/src/transport/THttpServer.cpp
M be/src/util/webserver.cc
M fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java
M fe/src/test/java/org/apache/impala/customcluster/LdapWebserverTest.java
5 files changed, 133 insertions(+), 0 deletions(-)

Approvals:
  Csaba Ringhofer: Looks good to me, but someone else must approve
  Impala Public Jenkins: Verified
  Michael Smith: Looks good to me, approved

--
To view, visit http://gerrit.cloudera.org:8080/20591
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I58e5d1119527139eafaa411b55517b10bf394bb2
Gerrit-Change-Number: 20591
Gerrit-PatchSet: 5
Gerrit-Owner: Gergely Farkas 
Gerrit-Reviewer: Csaba Ringhofer 
Gerrit-Reviewer: Gergely Farkas 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Michael Smith 


[Impala-ASF-CR] IMPALA-12505: Add flag for trusted domain check to use 'origin' if xff header is not set

2023-11-15 Thread Michael Smith (Code Review)
Michael Smith has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/20591 )

Change subject: IMPALA-12505: Add flag for trusted domain check to use 'origin' 
if xff header is not set
..


Patch Set 4: Code-Review+2



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I58e5d1119527139eafaa411b55517b10bf394bb2
Gerrit-Change-Number: 20591
Gerrit-PatchSet: 4
Gerrit-Owner: Gergely Farkas 
Gerrit-Reviewer: Csaba Ringhofer 
Gerrit-Reviewer: Gergely Farkas 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Michael Smith 
Gerrit-Comment-Date: Wed, 15 Nov 2023 22:10:36 +
Gerrit-HasComments: No


[Impala-ASF-CR] IMPALA-12505: Add flag for trusted domain check to use 'origin' if xff header is not set

2023-11-14 Thread Impala Public Jenkins (Code Review)
Impala Public Jenkins has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/20591 )

Change subject: IMPALA-12505: Add flag for trusted domain check to use 'origin' 
if xff header is not set
..


Patch Set 4: Verified+1



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I58e5d1119527139eafaa411b55517b10bf394bb2
Gerrit-Change-Number: 20591
Gerrit-PatchSet: 4
Gerrit-Owner: Gergely Farkas 
Gerrit-Reviewer: Csaba Ringhofer 
Gerrit-Reviewer: Gergely Farkas 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Comment-Date: Tue, 14 Nov 2023 15:46:42 +
Gerrit-HasComments: No


[Impala-ASF-CR] IMPALA-12505: Add flag for trusted domain check to use 'origin' if xff header is not set

2023-11-14 Thread Impala Public Jenkins (Code Review)
Impala Public Jenkins has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/20591 )

Change subject: IMPALA-12505: Add flag for trusted domain check to use 'origin' 
if xff header is not set
..


Patch Set 4:

Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/9924/ 
DRY_RUN=true



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I58e5d1119527139eafaa411b55517b10bf394bb2
Gerrit-Change-Number: 20591
Gerrit-PatchSet: 4
Gerrit-Owner: Gergely Farkas 
Gerrit-Reviewer: Csaba Ringhofer 
Gerrit-Reviewer: Gergely Farkas 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Comment-Date: Tue, 14 Nov 2023 11:20:31 +
Gerrit-HasComments: No


[Impala-ASF-CR] IMPALA-12505: Add flag for trusted domain check to use 'origin' if xff header is not set

2023-11-14 Thread Impala Public Jenkins (Code Review)
Impala Public Jenkins has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/20591 )

Change subject: IMPALA-12505: Add flag for trusted domain check to use 'origin' 
if xff header is not set
..


Patch Set 4:

Build Successful

https://jenkins.impala.io/job/gerrit-code-review-checks/14437/ : Initial code 
review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun 
to run full precommit tests.



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I58e5d1119527139eafaa411b55517b10bf394bb2
Gerrit-Change-Number: 20591
Gerrit-PatchSet: 4
Gerrit-Owner: Gergely Farkas 
Gerrit-Reviewer: Csaba Ringhofer 
Gerrit-Reviewer: Gergely Farkas 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Comment-Date: Tue, 14 Nov 2023 11:12:58 +
Gerrit-HasComments: No


[Impala-ASF-CR] IMPALA-12505: Add flag for trusted domain check to use 'origin' if xff header is not set

2023-11-14 Thread Impala Public Jenkins (Code Review)
Impala Public Jenkins has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/20591 )

Change subject: IMPALA-12505: Add flag for trusted domain check to use 'origin' 
if xff header is not set
..


Patch Set 3:

Build Successful

https://jenkins.impala.io/job/gerrit-code-review-checks/14436/ : Initial code 
review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun 
to run full precommit tests.



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I58e5d1119527139eafaa411b55517b10bf394bb2
Gerrit-Change-Number: 20591
Gerrit-PatchSet: 3
Gerrit-Owner: Gergely Farkas 
Gerrit-Reviewer: Csaba Ringhofer 
Gerrit-Reviewer: Gergely Farkas 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Comment-Date: Tue, 14 Nov 2023 11:05:35 +
Gerrit-HasComments: No


[Impala-ASF-CR] IMPALA-12505: Add flag for trusted domain check to use 'origin' if xff header is not set

2023-11-14 Thread Csaba Ringhofer (Code Review)
Csaba Ringhofer has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/20591 )

Change subject: IMPALA-12505: Add flag for trusted domain check to use 'origin' 
if xff header is not set
..


Patch Set 4: Code-Review+1



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I58e5d1119527139eafaa411b55517b10bf394bb2
Gerrit-Change-Number: 20591
Gerrit-PatchSet: 4
Gerrit-Owner: Gergely Farkas 
Gerrit-Reviewer: Csaba Ringhofer 
Gerrit-Reviewer: Gergely Farkas 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Comment-Date: Tue, 14 Nov 2023 10:52:53 +
Gerrit-HasComments: No


[Impala-ASF-CR] IMPALA-12505: Add flag for trusted domain check to use 'origin' if xff header is not set

2023-11-14 Thread Gergely Farkas (Code Review)
Hello Csaba Ringhofer, Impala Public Jenkins,

I'd like you to reexamine a change. Please visit

http://gerrit.cloudera.org:8080/20591

to look at the new patch set (#4).

Change subject: IMPALA-12505: Add flag for trusted domain check to use 'origin' 
if xff header is not set
..

IMPALA-12505: Add flag for trusted domain check to use 'origin'
if xff header is not set

This change defines a new Impala flag called
'trusted_domain_empty_xff_header_use_origin', which modifies
the trusted domain check to work as follows if the trusted_domain
and trusted_domain_use_xff_header flags are set:
If there is an X-Forwarded-For header in the request, the trusted
domain check runs against the value derived from it; if there is no
such header, then the check runs against the origin (the address
sending the request).
Note: If there is an X-Forwarded-For header in the request or
the trusted_domain_use_xff_header flag or trusted_domain flag is
not set, then the behavior is not changed.

Tested with new custom cluster tests.

Change-Id: I58e5d1119527139eafaa411b55517b10bf394bb2
---
M be/src/rpc/authentication.cc
M be/src/transport/THttpServer.cpp
M be/src/util/webserver.cc
M fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java
M fe/src/test/java/org/apache/impala/customcluster/LdapWebserverTest.java
5 files changed, 133 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/91/20591/4

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I58e5d1119527139eafaa411b55517b10bf394bb2
Gerrit-Change-Number: 20591
Gerrit-PatchSet: 4
Gerrit-Owner: Gergely Farkas 
Gerrit-Reviewer: Csaba Ringhofer 
Gerrit-Reviewer: Gergely Farkas 
Gerrit-Reviewer: Impala Public Jenkins 


[Impala-ASF-CR] IMPALA-12505: Add flag for trusted domain check to use 'origin' if xff header is not set

2023-11-14 Thread Csaba Ringhofer (Code Review)
Csaba Ringhofer has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/20591 )

Change subject: IMPALA-12505: Add flag for trusted domain check to use 'origin' 
if xff header is not set
..


Patch Set 3: Code-Review+1



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I58e5d1119527139eafaa411b55517b10bf394bb2
Gerrit-Change-Number: 20591
Gerrit-PatchSet: 3
Gerrit-Owner: Gergely Farkas 
Gerrit-Reviewer: Csaba Ringhofer 
Gerrit-Reviewer: Gergely Farkas 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Comment-Date: Tue, 14 Nov 2023 10:44:34 +
Gerrit-HasComments: No


[Impala-ASF-CR] IMPALA-12505: Add flag for trusted domain check to use 'origin' if xff header is not set

2023-11-14 Thread Gergely Farkas (Code Review)
Gergely Farkas has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/20591 )

Change subject: IMPALA-12505: Add flag for trusted domain check to use 'origin' 
if xff header is not set
..


Patch Set 3:

(4 comments)

http://gerrit.cloudera.org:8080/#/c/20591/2//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/20591/2//COMMIT_MSG@7
PS2, Line 7: Add flag for trusted domain check to use 'origin'
   : if xff header is not set
   :
> It would be nice to have a shorter first line, e.g. "Add flag for trusted d
Sure, I've updated it. Thanks for the suggestion and the review!


http://gerrit.cloudera.org:8080/#/c/20591/2//COMMIT_MSG@11
PS2, Line 11: use_
> The flag name could be mentioned
You are right!


http://gerrit.cloudera.org:8080/#/c/20591/2/fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java
File fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java:

http://gerrit.cloudera.org:8080/#/c/20591/2/fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java@506
PS2, Line 506:
> Can you add some negative tests too (also in webserver tests)?
I added those testcases to hs2 and webserver tests. Thanks!


http://gerrit.cloudera.org:8080/#/c/20591/2/fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java@518
PS2, Line 518: verifyMetrics(0, 0);
> This could be also verified to be 0 at the beginning.
Done




Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I58e5d1119527139eafaa411b55517b10bf394bb2
Gerrit-Change-Number: 20591
Gerrit-PatchSet: 3
Gerrit-Owner: Gergely Farkas 
Gerrit-Reviewer: Csaba Ringhofer 
Gerrit-Reviewer: Gergely Farkas 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Comment-Date: Tue, 14 Nov 2023 10:42:10 +
Gerrit-HasComments: Yes


[Impala-ASF-CR] IMPALA-12505: Add flag for trusted domain check to use 'origin' if xff header is not set

2023-11-14 Thread Gergely Farkas (Code Review)
Hello Csaba Ringhofer, Impala Public Jenkins,

I'd like you to reexamine a change. Please visit

http://gerrit.cloudera.org:8080/20591

to look at the new patch set (#3).

Change subject: IMPALA-12505: Add flag for trusted domain check to use 'origin' 
if xff header is not set
..

IMPALA-12505: Add flag for trusted domain check to use 'origin'
if xff header is not set

This change defines a new Impala flag called
'trusted_domain_empty_xff_header_use_origin', which modifies
the trusted domain check to work as follows if the trusted_domain
and trusted_domain_use_xff_header flags are set:
If there is an X-Forwarded-For header in the request, the trusted
domain check runs against the value derived from it; if there is no
such header, then the check runs against the origin (the address
sending the request).
Note: If there is an X-Forwarded-For header in the request or
the trusted_domain_use_xff_header flag or trusted_domain flag is
not set, then the behavior is not changed.

Tested with new custom cluster tests.

Change-Id: I58e5d1119527139eafaa411b55517b10bf394bb2
---
M be/src/rpc/authentication.cc
M be/src/transport/THttpServer.cpp
M be/src/util/webserver.cc
M fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java
M fe/src/test/java/org/apache/impala/customcluster/LdapWebserverTest.java
5 files changed, 134 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/91/20591/3

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I58e5d1119527139eafaa411b55517b10bf394bb2
Gerrit-Change-Number: 20591
Gerrit-PatchSet: 3
Gerrit-Owner: Gergely Farkas 
Gerrit-Reviewer: Csaba Ringhofer 
Gerrit-Reviewer: Impala Public Jenkins