ranger-dev mailing list archives

From "Vipin Rathor (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (RANGER-2306) Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger
Date Fri, 07 Dec 2018 02:12:00 GMT

     [ https://issues.apache.org/jira/browse/RANGER-2306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vipin Rathor updated RANGER-2306:
    Attachment: 0001-RANGER-2306-Add-support-for-X-Forwarded-for-header-i.patch

> Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger
> -----------------------------------------------------------------
>                 Key: RANGER-2306
>                 URL: https://issues.apache.org/jira/browse/RANGER-2306
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 1.2.0
>            Reporter: Vipin Rathor
>            Priority: Major
>         Attachments: 0001-RANGER-2306-Add-support-for-X-Forwarded-for-header-i.patch
> *Problem Description:*
> IP-based Knox policies don't work when Knox is behind a Load Balancer, because currently the Ranger Knox plugin doesn't accept & pass on the "X-Forwarded-for" header to Ranger policy
> *Impact:*
> In an environment where Knox is running behind a Load Balancer and Knox has a Ranger policy to allow/deny access to Hadoop services based on client IP addresses, this won't work as expected due to this bug.
> *Expected Behavior:*
> 1. Knox plugin should process "X-Forwarded-for" header received from Load Balancer and pass it on to policy engine in the form of 'RangerAccessRequestImpl.forwardedAdresses'.
> *Steps to reproduce:*
> 1. Install & configure Knox behind a Load Balancer
> 2. Enable Ranger Knox plugin
> 3. Also set "ranger.plugin.knox.use.x-forwarded-for.ipaddress=true" and "ranger.plugin.knox.trusted.proxy.ipaddresses=<comma-seperated-ip-of-load-balancers>"
> 4. Define a Knox policy to allow access to user from designated client IP(s)
> 5. Try to access any WebHDFS (for example) resource via Knox via Load Balancer for designated client host.
> *Workaround:*
> None

This message was sent by Atlassian JIRA
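
The two settings in step 3 imply a trust decision: the forwarded header should count only when the connecting peer is a listed load balancer. The sketch below is an added illustration, not part of the original message and not Ranger's own code; the function names are hypothetical, the addresses are constructed, and accepting CIDR ranges in the trusted list goes beyond what the report describes.

```python
import ipaddress

def parse_trusted(csv):
    """Parse a comma-separated list of proxy IPs (CIDR ranges also accepted)."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in csv.split(",") if p.strip()]

def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)

def resolve_client_ip(remote_addr, xff_header, use_xff, trusted):
    """Return the address an IP-based policy should be evaluated against."""
    peer = ipaddress.ip_address(remote_addr)
    # Believe the header only when the feature is enabled AND the TCP peer is
    # a listed load balancer; otherwise any client could forge its address.
    if not use_xff or not xff_header or not _is_trusted(peer, trusted):
        return str(peer)
    client = peer
    # Walk right to left: the rightmost entries were appended by our own
    # proxies; anything left of the first untrusted hop is client-supplied.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last hop that parsed
        client = addr
        if not _is_trusted(addr, trusted):
            break
    return str(client)

if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    lbs = parse_trusted("10.0.0.5, 10.0.1.0/24")
    for peer, xff in [
        ("10.0.0.5", "203.0.113.7"),
        ("10.0.0.5", "192.0.2.10, 203.0.113.7, 10.0.1.20"),
        ("198.51.100.9", "192.0.2.10"),
    ]:
        print(peer, "|", xff, "->", resolve_client_ip(peer, xff, True, lbs))
```

With the trusted list left empty, this sketch ignores the header entirely, so an IP-based allow policy is never evaluated against an address the caller chose.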
