Gergely Farkas created IMPALA-12505: ---------------------------------------
Summary: Define a new impala flag that runs the trusted domain check on the origin if the trusted_domain_use_xff_header flag is enabled and no XFF header is received Key: IMPALA-12505 URL: https://issues.apache.org/jira/browse/IMPALA-12505 Project: IMPALA Issue Type: Improvement Components: Backend Reporter: Gergely Farkas Assignee: Gergely Farkas For an Impala running in a K8s cluster, there may be a use-case where we want to allow hue installed alongside Impala to have trusted domain access from inside the cluster, but we do not want to allow http thrift requests from outside the cluster to reach Impala without authentication. Requests from outside the cluster reach the impala daemon through a proxy server or ingress controller, so these http requests always have an _X-Forwarded-For_ header. On the other hand, requests from hue never have an _X-Forwarded-For_ header. This is a problematic situation, because if the trusted domain is set to the cluster local address and the _trusted_domain_use_xff_header_ flag is not enabled, then the trusted domain check will run to the origin of the request, so hue will work without authentication, because it will be in the trusted domain for sure, but requests from outside the cluster will also enter without authentication, because the proxy/ingress controller is an in-cluster component, so trusted domain check will return true for the origin in this case, too. However, if the _trusted_domain_use_xff_header_ flag is enabled then requests from outside the cluster need authentication, because they aren't originated from a cluster local address, and requests from hue also need authentication, since the trusted domain check will not be true without an X-Forwarded-For header. This problem can easily be solved by following the Hiveserver behavior: If there is an X-Forwarded-For header in the request, the trusted domain check runs to the value derived from it, if there is no such header, then the check runs to the origin (the address sending the request). To maintain backwards compatibility, this behavioral change should be behind a new impala flag. -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org For additional commands, e-mail: issues-all-h...@impala.apache.org