[
https://issues.apache.org/jira/browse/IMPALA-11942?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Joe McDonnell resolved IMPALA-11942.
------------------------------------
Fix Version/s: Impala 4.3.0
Resolution: Fixed
> Consider restricting --trusted_domain=localhost to 127.0.0.1
> ------------------------------------------------------------
>
> Key: IMPALA-11942
> URL: https://issues.apache.org/jira/browse/IMPALA-11942
> Project: IMPALA
> Issue Type: Bug
> Components: Backend
> Affects Versions: Impala 4.3.0
> Reporter: Joe McDonnell
> Assignee: Joe McDonnell
> Priority: Major
> Fix For: Impala 4.3.0
>
>
> The trusted domain feature introduced in IMPALA-10210 allows avoiding
> authentication when coming from a trusted domain (controlled by the
> trusted_domain startup flag).
> In some of our tests, we set this to localhost, and we've noticed that on
> Ubuntu 20 in AWS, some addresses other than 127.0.0.1 resolve back to
> localhost (e.g. 127.23.0.1 resolves to localhost). This causes test failures
> on Ubuntu 20 running on an AWS machine.
> In general, reverse DNS can be attacked to resolve other IP addresses back to
> localhost. We should look into restricting --trusted_domain=localhost to
> 127.0.0.1 so that the attacks on reverse DNS can't impact security.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
