Details
- Type: Bug
- Status: Open
- Priority: Critical
- Resolution: Unresolved
- Affects Version/s: Impala 4.4.0
- Fix Version/s: None
- Component/s: None
- Labels: ghx-label-14
Description
When using the hs2-http protocol, Impala clients communicate with Impala by sending and receiving http messages. In a modern deployment environment like Kubernetes these http messages may travel through a series of http proxies. These proxies may record information about the path through the system in one or more ‘X-Forwarded-For’ http headers. At present Impala uses this header in various ways, (1) to skip Authentication for connection from a trusted domain, and (2) to record information about the origin of a query in the runtime profile. The logic for skipping authentication checks is also used in Impala’s webserver.
By inspection there are problems with possible uses of ‘X-Forwarded-For’ as described in https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
First of all if there are multiple copies of the ‘X-Forwarded-For’ header then Impala will only use the last of the headers that it sees, which is incorrect, for if there are multiple headers the first one takes priority.
Secondly, sometimes multiple proxies chain addresses in the ‘X-Forwarded-For’ header as the message travels through different proxies. This will affect code like that which skips authentication checks, as (by inspection) that code expects a single value.
When dealing with these possibly theoretical problems an effort must be made to be practical, for example none of the http proxies that we know about actually insert multiple headers.
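The two parsing problems described above (several ‘X-Forwarded-For’ headers in one request, and several addresses chained in one header) can be handled by one routine that walks the headers in arrival order and splits each value on commas, so the result reads originating client first and most recent proxy last. The following is an added example, not Impala's code or anything from the Impala project: the `Headers` type, the sample request built in `SampleHeaders()`, and the `AllHopsInTrustedDomain` policy (skip authentication only when every hop in the chain is inside the trusted domain, so that a chain containing one address from outside the domain fails the check) are assumptions made for this illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// A request's headers in arrival order (assumed representation for this example).
// HTTP header names are case-insensitive, so the lookup below compares them that way.
using Header = std::pair<std::string, std::string>;
using Headers = std::vector<Header>;

static bool IEquals(const std::string& a, const std::string& b) {
  if (a.size() != b.size()) return false;
  for (size_t i = 0; i < a.size(); ++i) {
    if (std::tolower(static_cast<unsigned char>(a[i])) !=
        std::tolower(static_cast<unsigned char>(b[i]))) return false;
  }
  return true;
}

static std::string Trim(const std::string& s) {
  size_t b = 0, e = s.size();
  while (b < e && std::isspace(static_cast<unsigned char>(s[b]))) ++b;
  while (e > b && std::isspace(static_cast<unsigned char>(s[e - 1]))) --e;
  return s.substr(b, e - b);
}

static bool EndsWith(const std::string& s, const std::string& suffix) {
  return s.size() >= suffix.size() &&
         s.compare(s.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Collects every X-Forwarded-For value into one ordered chain: headers in the order
// they appear (so the first header is not shadowed by a later one), each split on
// commas and trimmed. Empty items are dropped.
std::vector<std::string> ForwardedChain(const Headers& headers) {
  std::vector<std::string> chain;
  for (const auto& h : headers) {
    if (!IEquals(h.first, "X-Forwarded-For")) continue;
    size_t start = 0;
    while (start <= h.second.size()) {
      size_t comma = h.second.find(',', start);
      size_t len = (comma == std::string::npos) ? std::string::npos : comma - start;
      std::string item = Trim(h.second.substr(start, len));
      if (!item.empty()) chain.push_back(item);
      if (comma == std::string::npos) break;
      start = comma + 1;
    }
  }
  return chain;
}

// The originating client as recorded by the proxies (leftmost entry), or "" if the
// header is absent. Suitable for recording in a profile, not for a trust decision.
std::string OriginatingClient(const Headers& headers) {
  std::vector<std::string> chain = ForwardedChain(headers);
  return chain.empty() ? "" : chain.front();
}

// Assumed policy for this example: authentication may only be skipped when the
// chain is non-empty and every hop ends with the trusted domain suffix.
bool AllHopsInTrustedDomain(const Headers& headers, const std::string& domain_suffix) {
  std::vector<std::string> chain = ForwardedChain(headers);
  if (chain.empty()) return false;
  return std::all_of(chain.begin(), chain.end(), [&](const std::string& hop) {
    return EndsWith(hop, domain_suffix);
  });
}

// Constructed sample request: two X-Forwarded-For headers, the first of which
// already carries a comma-separated chain. Addresses are made up for this example.
Headers SampleHeaders() {
  return {{"Host", "impala.corp.example"},
          {"X-Forwarded-For", "10.0.0.5, proxy1.corp.example"},
          {"x-forwarded-for", "proxy2.corp.example"}};
}

int main() {
  for (const std::string& hop : ForwardedChain(SampleHeaders())) std::cout << hop << "\n";
  std::cout << "origin: " << OriginatingClient(SampleHeaders()) << "\n";
  std::cout << "all hops trusted: "
            << (AllHopsInTrustedDomain(SampleHeaders(), ".corp.example") ? "yes" : "no") << "\n";
  return 0;
}
```

With the sample request the chain is `10.0.0.5`, `proxy1.corp.example`, `proxy2.corp.example`; the originating client is `10.0.0.5`, and because that hop is not inside `.corp.example` the trusted-domain check fails even though both proxy hops are trusted.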